Package: screen
Version: 4.0.3-14

From /etc/init.d/screen-cleanup:

# If the local admin has used dpkg-statoverride to install the screen
# binary with different set[ug]id bits, change the permissions of
# $SCREENDIR accordingly
BINARYPERM=`stat -c%a /usr/bin/screen`
if [ "$BINARYPERM" -ge 4000 ]; then
    chmod 0755 $SCREENDIR
elif [ "$BINARYPERM" -ge 2000 ]; then
    chmod 0775 $SCREENDIR
else
    chmod 0777 $SCREENDIR
fi

In the last case when /usr/bin/screen is neither setuid nor setgid, /var/run/screen is given insecure permissions 0777. This allows any user to rename any other user’s screen socket directory, effectively destroying their running screens.

This would be solved by turning on the sticky bit (1777 instead of 0777), as is used for /tmp.
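The following is an added example, not part of the original report or of the Debian package: a sketch of the mode selection with the sticky bit applied in the last branch, plus a check that flags a directory that is world-writable without the sticky bit. The function names `screendir_mode` and `world_writable_no_sticky` are hypothetical, the demo runs on a scratch directory rather than /var/run/screen, and GNU `stat -c%a` is assumed, as in the init script.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the screen package.

# Choose the mode for the socket directory from the octal permissions of the
# screen binary (as printed by `stat -c%a`). Same branches as the init script
# quoted in the report, except that the last one sets the sticky bit.
screendir_mode() {
    perm=$1
    if [ "$perm" -ge 4000 ]; then
        echo 0755      # binary is setuid
    elif [ "$perm" -ge 2000 ]; then
        echo 0775      # binary is setgid
    else
        echo 1777      # neither: world-writable, but sticky as on /tmp
    fi
}

# Return 0 if the directory is world-writable without the sticky bit, i.e.
# any user may rename or remove entries that belong to another user.
# Return 1 if it is safe in that respect, 2 if stat fails.
world_writable_no_sticky() {
    mode=$(stat -c%a "$1") || return 2
    bits=$((0$mode))                      # leading 0: parse as octal
    [ $((bits & 0002)) -ne 0 ] && [ $((bits & 01000)) -eq 0 ]
}

# Constructed demo on a scratch directory.
demo=$(mktemp -d)
chmod 0777 "$demo"
world_writable_no_sticky "$demo" && echo "0777: world-writable, no sticky bit"
chmod "$(screendir_mode 755)" "$demo"
world_writable_no_sticky "$demo" || echo "1777: sticky bit set"
rmdir "$demo"
```
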