Multiple security issues in GNU Screen
273 comments
·May 13, 2025RMPR
dooglius
No, tmux uses unix domain sockets. I have no idea why screen chose to take the setuid approach instead here; it seems totally unnecessary to have root privileges.
EDIT: Further down, TFA gives a plausible explanation: the current screen devs are not fully familiar with the code base. If so, the setuid-root approach was probably the easiest way to make the feature work in lieu of such familiarity.
JdeBP
screen has a lot of architectural baggage that can be traced back to its initial 1987 comp.sources.unix/mod.sources versions in some cases. Being set-UID to the superuser is one of them. See the doco for screen as it was posted in volume 10:
Henchman21
I guessed something similar. Screen is from an era where setuid was pretty common!
ngangaga
[flagged]
chasil
In the EPEL versions of screen, I am seeing the setgid bit set only. I am guessing that later versions setuid to root?
$ ll /usr/bin/screen
-rwxr-sr-x. 1 root screen 495816 Feb 3 2022 /usr/bin/screen
$ rpm -q screen
screen-4.8.0-6.el9.x86_64
CVE-2025-46802 can impact earlier releases, but all the other vulnerabilities are for the latest.
gertrunde
The original writeup by the OpenSUSE security team laid this out better:
https://security.opensuse.org/2025/05/12/screen-security-iss...
Different distros built it in different ways, affecting level of vulnerability to the different issues.
account42
This "explanation" only makes it sound worse - why would you even consider setuid if you do not completely understand ever detail of the code base.
fzzzy
screen has used setuid root for multiuser for at least 20 years. Used to use it in multiuser for remote pair programming.
icedchai
I remember installing screen on a SunOS box back in the early 90's. It's been around a longggg time.
null
fullstop
I guess I'm glad that I switched to tmux ages ago.
thanatos519
It's a great feature! I have used it in training sessions by giving each student their own login on my laptop, with the ssh shell restricted to 'screen -x <specific user's window>' - the only window that user could use based on screen's ACLs. Then during exercises I (as the owner of the screen) could switch to each student's screen on the projector so the class could see what they had done.
Not surprised to hear it's full of security holes. :)
cess11
You can get close to the same experience with tmux.
https://superuser.com/questions/188501/is-there-a-way-to-hav...
Use groups instead of chmod 777.
trollied
Yup, screen -x
qwertox
The problem isn't with the use of `screen -x ...` itself, but rather if `ls -l "$(which screen)"` returns something like `-rwsr-xr-x 1 root root ... /usr/bin/screen`, where the `s` in the fourth position indicates the setuid bit is set. That means the screen binary runs with root privileges.
trollied
I am well aware of setuid. I was informing the parent comment of which arg to use for the actual functionality.
null
teddyh
Note: In Debian, GNU screen is not installed with setuid-root privileges.
perlgeek
And the package in Debian Stable (aka bookworm) is too old to be affected by the vulnerabilities in 5.0.0.
I used to hate that Debian always was behind on software versions, but now I use different package sources for the few applications where I really don't want to rely on old software (like browsers), and otherwise doing great with the old stuff :-)
bandrami
Debian stable users missed heartbleed entirely. I think the glacial pace is underrated.
rs_rs_rs_rs_rs
> Debian stable users missed heartbleed entirely
Missed it? Not at all, Debian pioneered that style of bugs years before!
krferriter
Glacial page bedrock of an OS with optional sandboxed more-up-to-date userspace packages and runtimes that can be layered on top of the host system was the dream of flatpak/snap/appimage, right?
mjevans
Related... https://bugzilla.mozilla.org/show_bug.cgi?id=1966096
If you're running Firefox on Debian please make sure you manually update it since the package repo's been down for a while. I filed a 'support' ticket first ( https://support.mozilla.org/en-US/questions/1510388 ) since it seemed to be the proper place, but no one seems to look at those.
sillystuff
The repo appears to be working for installing/updating packages. Mozilla should allow file listing which should fix the 404s, and make this repo behave as expected when manually browsed (Apparently hosted on a Google webserver; maybe Google forbids this?).
apt-get changelog firefox
Get:1 store: firefox 138.0.3~build1 Changelog
Fetched 129 B in 0s (0 B/s)
firefox (138.0.3~build1) UNRELEASED; urgency=medium
* N/A
-- Mozilla <release@mozilla.com> Mon, 12 May 2025 12:40:33 -0000
date
Tue May 13 08:56:09 AM PDT 2025
apt-get install --download-only --reinstall firefoxforesto
This is about Mozilla's builds of Firefox for Debian, not Debian's builds, right? So regular Debian users who run the default Firefox (firefox-esr) would be unaffected.
jmclnx
Slackware 15:
lrwxrwxrwx 1 root root 12 Feb 11 2022 /usr/bin/screen -> screen-4.9.0
-rwxr-xr-x 1 root root 455016 Feb 1 2022 /usr/bin/screen-4.9.0
no suid
jmclnx
FWIW, Slackware 15 was updated to screen to screen-4.9.1.
This update fixes security issues:
* attacher.c - prevent temporary 0666 mode on PTYs.
* avoid file existence test information leaks.
* socket.c - don't send signals with root privileges.
lazide
Damn, Slackware. That’s a name I haven’t heard in a very long time.
jesprenj
Likewise in Gentoo. But in Gentoo it has SETGID for utmp group. Though I'm not sure what the implications are.
JdeBP
If one is in group utmp, one can mess with the login accounting database: the table of currently active logins, the log of log-ons/log-offs, and the table of per-user last logins.
https://jdebp.uk/FGA/unix-login-database.html
The login accounting system that Linux-based operating systems have inherited from Unix really has never reconciled its initial real-terminal-login-only superuser-managed design with the fact that non-superuser programs that allocate pseudo-terminals (e.g. any local terminal emulator, NeoVIM, tmux, screen) want to (over)write entries for those pseudo-terminals in the login accounting database to make the output of the "who" command (and its ilk) more complete.
The best approach I've seen was to re-think the idea; have the pseudo-terminal-using programs run entirely unprivileged and use a client-server model where only the server actually has access to the database files.
Laurent Bercot did this. It fixes many holes, including that the log of log-ons/log-offs is made truly append-only (modulo superuser access to the underlying files). But it has the same architectural problem that any client in the group can overwrite any currently active login record if it knows the record ID, which by design (and the Single Unix Specification) there's an API for enumerating.
* https://skarnet.org/software/utmps/
Both the BSDs and M. Bercot have improved the situation with pututxline(), but it's still not out of the woods yet.
anthk
I set TMPDIR to $HOME/tmp because of that.
ktm5j
Looks like it is in Fedora.
mlichvar
On Fedora it is setgid screen, not root.
znpy
I wonder if there is some selinux policy to reduce the attack surface
JCattheATM
There almost certainly is, pretty sure Fedora has an SELinux policy for all software in base.
tmtvl
Likewise in Arch.
jedimastert
Here's the rendered blog post:
https://security.opensuse.org/2025/05/12/screen-security-iss...
zoobab
I emailed the author of GNU Screen about the lack of proper documentation about the logging to a file feature:
http://www.zoobab.com/screenrc
GNU need a better issue tracking system :-)
CelestialMystic
There was a Q&A with the author of Tmux. He was complaining about the lack of documentation ~16 years ago.
anthk
Tmux has been in OBSD base side several releases and documented since the first one.
CelestialMystic
I know. I suggest you read the Q&A I posted.
amszmidt
It is documented in detail in the GNU screen manual, https://www.gnu.org/software/screen/manual/screen.html#Log
Avamander
> GNU need a better issue tracking system :-)
This is a problem with quite a few older projects, that issues get buried in the endless depths of unindexed mailing lists, if at all. People bemoan Discord (rightfully) for making info like this unaccessible, but IRC (that some projects still use) is basically twice as bad.
I really wish these projects would migrate to Gitea/Forgejo/Codeberg, GitLab or GitHub or anything like that, just to bring these things together and provide vital discoverability.
sundarurfriend
Zellij is a really nice, modern alternative to screen and tmux, and they've done a great job at having good defaults as well as making the UI easily discoverable. I'd highly recommend it to anyone else who felt dubious about the benefit-to-effort ratio of terminal multiplexers.
collinvandyck76
I gave it a shot a couple years ago -- pretty slick. But the latency was noticeable compared to tmux, which I remain using today. I admit that I'm kind of sensitive to it, as at the time I was already on a latent connection.
kstrauser
I personally haven't noticed that, but we all have different sensitivity levels to such things. Have you tried it more recently? A couple years ago is ancient in its lifespan. I'd be curious to see if it still feels sluggish to you.
(Not a dev, just another end user.)
collinvandyck76
No, haven't tried recently, but will make a note to do so. Agree that a couple of years is an eternity :)
afmrak
Last time I looked at Zellij it looked like a great new project in the multiplexer ecosystem, but didn't support a purely keyboard-driven copy/paste mechanism. I use that extensively and couldn't do without. So tmux it is until that gets added.
gitaarik
Yeah, I also use that all the time. I use the terminal because I want to use my keyboard, not the mouse. And copy / pasting is something I do very very often. So I don't understand why people make a terminal multiplexer and don't add this feature.
In screen & tmux you can also use vim shortcuts to navigate the scrollback buffer. That is so convenient and makes me work so fast. I can search for a snippet close to where I want to copy some text, and then navigate more precisely with the vim shortcuts.
So that's the first thing I look for in a terminal multiplexer, because if you're gonna expect that I'm gonna put my right hand off the keyboard and use the MOUSE to awkwardly select some text in a TERMINAL, then you expected wrong.
fergie
Thats nice and all, but I really, really like screen and its commands are burned into my muscle memory. I've been using it for more than 20 years.
gitaarik
I had the same when I was trying out tmux first time. But eventually I configured tmux to very closely match screen's shortcuts. Just a few things are different, but I got back some extra features and plugins from tmux with it.
If you're interested I can share my config.
mmsc
It's surprising that upstream was involved in this. Around 5 years ago, I came to the (sad) conclusion that GNU screen development had completely halted. Is that still not the case?
Does screen have the functionality to add a new window to an existing screen without attaching to the screen yet?
jzb
Upstream requested that the SUSE team take a look at it. It seems that development is understaffed and the upstream may not have the expertise to maintain it properly. Which, if true, is sad -- I know that tmux and others exist, but a lot of people have used Screen for many many years. It sucks when a tool bitrots.
marcosdumay
Looks like a tech-debt ridden large piece of software that new developers just can't understand.
If that's the case, it's not really about it being "understaffed". Instead, it's doomed to rot until it's replaced of rewritten. There's no scenario where more maintainers will help, except for marginally delaying it.
The good news is that there are almost perfect replacements out there, and most of them are leaner.
narag
Instead, it's doomed to rot until it's replaced of rewritten.
I've seen how that mindset has ruined several companies. Not saying that you're wrong about that particular program that is, after all, free software replaced by other free software parts. But for business, it's lethal.
Joel Spolsky had a nice piece about it:
https://www.joelonsoftware.com/2000/04/06/things-you-should-...
That and Fire and Motion seem to be forgotten wisdom already:
https://www.joelonsoftware.com/2002/01/06/fire-and-motion/
I feel old :-)
megous
It's not large:
https://git.savannah.gnu.org/cgit/screen.git/tree/src
A few 2kLOC files and the rest is rather small.
doctoboggan
What are the replacement tools I should be looking at as a casual user of screen?
Trasmatta
> Due to difficulties in the communication with upstream we do not currently have detailed information about bugfixes and releases published on their end.
It sounds like they requested the security review, but have been difficult to keep in touch with? I'm not sure what the whole story is there.
mmsc
Seems like a prime target for Jia Tan.
tecleandor
Yep, from the timeline it looks like lack of communication (and maybe also capabilities/resources/time/will, not sure) [0]
0: https://security.opensuse.org/2025/05/12/screen-security-issues.html#8-timelinecroemer
Involved only insofar as shipping it as setuid-root counts. Distros that configure it like this are vulnerable, others aren't. Very thin involvement I'd say. Distros patch if upstream is too slow.
criddell
It’s not necessarily sad for GNU tool development to stop (other than bug fixes, of course). I would take that as a sign that they are basically complete.
kstrauser
Not quite in this case. Tmux was started by someone who wanted to update screen with new features but wasn’t able to bend the code that far. I say this not out of spite or meanness, as I used screen for many happy years, but I’d say it’s less complete and more abandoned. It still has maintainers but it seems to me that they’re more “keep the lights on” than actively developing it.
Kwpolska
It's not sad if a good Stallman-free alternative exists. Like tmux.
lxgr
Whether constant development is necessary or not largely depends on the surface area of your tool, both in terms of formal APIs it uses and external data formats and services.
dundarious
screen didn't even have vertical splits until maybe 5 or 10 years ago. After tmux was already a solidly reliable replacement with vertical splits for years.
wkat4242
True, this is why I switched to tmux.
immibis
Open source does have a problem with inertia whenever one piece of software ends and another piece is created to replace it, but there's no immediate incentive to switch, because it is a switch, not an update.
Though conversely, when someone buys the trademark for an existing piece of software, and replaces it with something entirely different, like what happened with Audacity, that's also bad. So there's no good solution.
unixplumber
> Though conversely, when someone buys the trademark for an existing piece of software, and replaces it with something entirely different, like what happened with Audacity, that's also bad. So there's no good solution.
I've followed the Audacity situation over the last few years. Before the Muse Group bought the rights to the trademarks and took over development, Audacity development had pretty much stagnated.
The new developers did not replace it with something entirely different. What they did was fix longstanding bugs and add new features/enhancements (and changing the way some things work, for better or worse). Sure, they introduced new bugs here and there with the new features/enhancements, but last I checked they fixed those. And yes, they could have done a better job at marking new versions as "beta" rather than pushing them out as stable releases (old hands know to avoid a new version until a couple minor versions later). That's really my biggest gripe with their development/release process.
immibis
They are completely redesigning the UI to such an extent that it may as well be a completely new project.
Also, how come open source names can even be bought? They should be open, of course, so I think it'd be fair enough if they wanted to call theirs "MuseScore Audacity" or something like that.
3036e4
The good solution is rock-solid, backwards compatible APIs on all levels. That way the work to maintain software would be much lower, making it possible to focus on doing some rare bug-fixing only. In open source in particular this should be a no-brainier, instead of all projects ruining things for each other by ignoring backwards compatibility.
immibis
The rock-solid backwards-compatible API would include, for example, being invoked with the command "screen -x", and being installed with "apt install screen" - at which point it's the same screen project under different management, not a new project.
Wowfunhappy
Isn't this what distros are for? So e.g. Debian could decide to replace screen with tmux, possibly with some sort of compatibility package that takes all the same command line arguments as screen but uses tmux under the hood. (I've used screen very little and have never used tmux so I'm not sure if that would make sense in this context).
layer8
You generally can’t transparently replace a tool by a different one like that, siblings are giving examples of where there would be incompatibilities. There would also be much upheaval among users if a distribution would try to underhandedly perform such a replacement. If anything, a package “tmux-as-screen” could be provided for those who want that.
kevin_thibedeau
Tmux doesn't support serial ports.
rzr
A smooth transition from GNU screen to tmux, will be appreciated for potentially 60K users.
https://qa.debian.org/popcon.php?package=screen
I note that tmux has only 40K users (of debian popcon users)
https://qa.debian.org/popcon.php?package=tmux
I am considering to try the link shared previously:
https://github.com/grml/grml-etc-core/blob/master/etc/tmux.c...
Now I miss a way to translate CLI options and batch files
marcosdumay
You can reconfigure the key-bindings, that I guess would be the largest annoyance for a new user. But there are many fundamental differences between them that you just can't hide.
seethishat
tmux is in OpenBSD base since 4.6 IIRC and is/has been audited. It's a good alternative for those who want something a bit more secure.
j45
Seeing screen popup reminded me of that one time I switched to tmux and forgot to use screen.
dminvs
> The observed behaviour has been present in Screen versions since at least the year 2005.
and it's been an anti-pattern and covered by tools like rkhunter for around least that long, as well
but pretty sure screen was setuid root in the 90s too
lemonwaterlime
1. How many developers run all the most popular open source tools?
2. How much money is in the industries that use those tools?
charcircuit
Setuid binaries existing in 2025 is not acceptable. There needs to a movement to remove all of them as time and time again it's shown that it leads to severe vulnerabilities.
db48x
You can run screen as setgid instead. Fedora sets up a system group called screen and installs screen as setgid so that the multiuser functionality works but cannot be accidentally used to do things as root.
Scene_Cast2
I use byobu (for the keybinds) on top of tmux. But Zellij (modern Rust-based alternative to tmux) has been looking quite interesting for a while.
Nice write-up.
> Screen offers a multi-user mode which allows to attach to Screen sessions owned by other users in the system (given the proper credentials). These multi-user features are only available when Screen is installed with the setuid-root bit set. This configuration of Screen results in highly increased attack surface, because of the complex Screen code that runs with root privileges in this case
I wasn't aware of such a feature but I guess it's what makes stuff like tmate possible. Speaking of which, I wonder if tmux is affected by the same kind of vulnerability.