screen is a very useful tool. It enables you to run tasks in the background without actually sending them to the background.
What this means is that you do not have the annoying side-effects of sending a process to the background using myterriblylongrunningprogram &, but you get a complete session that you can disconnect from and it will keep happily working away.

Now the problem with screen is that it makes it possible to circumvent authentication.
Here’s an example:

Let’s say I want to run some process that I know takes a long time, and for some reason I want/have to run this process as root.
So I fire up screen, because I don’t want to keep that shell open for the whole time the process is running, type su, followed by my root password and kick off the process.
Then I disconnect from screen and do whatever I feel like doing.

The problem with this approach is that inside the screen session I am root, and anybody who now gains access to my account can easily resume that screen session and thus become root, without any additional authentication.

Therefore it is generally not a good idea to elevate your permissions inside a screen session. If you need a session with elevated permissions, elevate first and then open screen. That way screen itself will run as root, or whichever user you need to use, and therefore not bypass any security mechanisms that are usually required to get these permissions.

You can escalate the level of stupidity in this example by skipping even more logins. Open a screen session, ssh into a server and there su to root. Anybody who then gets access to your screen session will automatically become root on the remote server.
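As an added example that is not part of the original post, here is a small POSIX shell audit for the pattern described in the last few paragraphs: a root-owned process (su, a root shell, or whatever was kicked off from it) living inside a screen session that belongs to a non-root user. It reads the four-column output of ps -eo pid,ppid,user,comm, walks each root process up its parent chain and reports it when it finds a screen server owned by someone other than root. The function name, the sample process listing and the output format are my own choices; the listing is constructed and does not come from a real system.

```shell
# Added example (not from the original post): audit a process listing for
# root-owned processes that live inside a screen session owned by a
# non-root user, i.e. the "screen, then su" pattern described above.
# On a live system feed it real data:
#   ps -eo pid,ppid,user,comm | find_root_in_screen

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not a real system).
# pid 900  is a screen session started by user "dennis" who then ran su inside it;
# pid 1200 is a screen session started after already becoming root (the safe pattern);
# pid 1300 is an ordinary shell in which dennis ran su (no screen involved).
SAMPLE_PS=$(cat <<'EOF'
PID PPID USER COMMAND
1 0 root systemd
900 1 dennis screen
901 900 dennis bash
902 901 root su
903 902 root bash
904 903 root rsync
1200 1 root screen
1201 1200 root bash
1300 1 dennis bash
1301 1300 root su
1302 1301 root bash
EOF
)

# Reads pid/ppid/user/comm lines on stdin and prints one line per root-owned
# process whose ancestor chain contains a screen server owned by someone
# other than root. Output is sorted by pid.
find_root_in_screen() {
    awk '
        # skip a ps header line if one is present
        $1 == "PID" { next }
        { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
        END {
            for (p in ppid) {
                if (user[p] != "root") continue
                a = ppid[p]
                # walk up towards pid 1 looking for a non-root screen server
                while (a != "0" && (a in ppid)) {
                    if (tolower(comm[a]) == "screen" && user[a] != "root") {
                        printf "pid=%s comm=%s screen_pid=%s screen_owner=%s\n", p, comm[p], a, user[a]
                        break
                    }
                    a = ppid[a]
                }
            }
        }' | sort -t= -k2,2n
}

# Runs the audit over the constructed sample. On that sample it reports
# pids 902, 903 and 904 (root processes under dennis's screen) and nothing else:
# the root-started screen (1200/1201) and the plain su in a terminal (1301/1302)
# are not flagged, because neither lets a hijacked screen session hand out root.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_root_in_screen
}

audit_sample
```

The walk up the parent chain, rather than a check of the screen server's direct child only, is what catches the process actually doing the work (rsync in the sample) and not just the su that started the root shell. Note that ps reports the effective user, so a screen session that was started after elevating, as the post recommends, shows up as root-owned and is deliberately left alone.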

In conclusion I have to say that screen is a very useful tool that enables you to run processes in the background, while still having them available whenever you may want to check on them. On the other hand it can open the door for security problems resulting from improper use or laziness (yes, nobody likes to type in passwords all the time).

So, please know what permissions you will need before you start your screen session. You don’t want a bunch of customers calling you up because somebody took over your session and locked out everybody else. 😉

Thank you!
Dennis Wronka
