kirkland at ubuntu.com
Fri Apr 1 14:43:31 UTC 2011
On Fri, Apr 1, 2011 at 9:22 AM, Serge E. Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Dustin Kirkland (kirkland at ubuntu.com):
>> 2011/4/1 Raphaël Pinson <raphink at gmail.com>:
>> > Also, a few years back, I had begun to work on making screen ACLs
>> > easier in byobu, but had not found the time to finish that part. Since
>> > Ubuntu encourages the use of user accounts vs root, this is a feature
>> > that could be very useful on Ubuntu servers I think.
>> That's a great idea, Raphael. Actually, I was talking with Dave
>> Walker about this recently. Basically, I'm just going to move the
>> screen configuration magic from screenbin into byobu, and I think
>> we'll have almost everything we need.
> Use of acls requires a setuid-root screen binary, though, right? That's
> a huge change.
Correctly identified, Serge! You have dug into the "almost" in the
"we'll have almost everything we need" statement above :-)
So here's what I'm thinking ...
1) Byobu would ship a profile in /usr/share/byobu/profiles/sharing
that has the relevant configuration bits. Top of my head, that's
mostly this (where the guest user is called "guest"). I'll need to do
some work to make this configurable.

    aclumask guest+r guest-w guest-x
    aclchg guest +r-w-x '#?'
    aclchg guest +x 'prev,next,select,detach'

2) Byobu would add a dialog to the F9:Menu that allows you to choose
the user you want to share the screen with, and select read-only or
read-write. It would also run something like
'/usr/bin/byobu-verify-sharing' and check the exit code and stderr.
3) /usr/bin/byobu-verify-sharing would check the permissions on
/usr/bin/screen. If the permissions are incorrect, it would print
some text to the screen that your system administrator would need to
run in order to use screen sharing. Again, top of my head it might
look something like this:

    ERROR: byobu screen sharing is not enabled
    INFO: (1-2 lines here about setuid binaries, and why screen is not
    setuid by default)
    INFO: To enable byobu screen sharing, a system administrator must run:
      sudo dpkg-statoverride --add root utmp 6755 /usr/bin/screen
      sudo chmod 755 /var/run/screen
    $ echo $?

4) We could also add a "low" debconf question to the screen (or
byobu) package that asks this question at dpkg-reconfigure time (do
you want to enable screen sharing, setuid bits, on /usr/bin/screen).
Anyway, that's what I'm thinking. Any other ideas?
Ubuntu Core Developer
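
A sketch of the permission check described in step 3 of the message above, as an added example that is not part of the original message and not byobu's own code. The function names and the optional owner-uid argument are assumptions; the paths, modes and message text are the ones quoted in the message.

```shell
#!/bin/sh
# Added sketch of the check proposed in step 3; not byobu's actual script.
# Function names and the optional OWNER_UID argument are hypothetical.

# Print the numeric owner uid of a path (portable: parses `ls -ldn`).
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# Print the nine permission characters of a path, e.g. rwxr-xr-x.
perm_string() { ls -ld "$1" | cut -c2-10; }

# verify_sharing SCREEN_BIN SOCKET_DIR [OWNER_UID]
# Returns 0 when SCREEN_BIN carries both the setuid and setgid bits
# (the 6xxx part of mode 6755), is owned by OWNER_UID (default 0, root),
# and SOCKET_DIR has mode 755. Otherwise it prints the administrator
# hint to stderr and returns 1, so a caller can check exit code and stderr.
verify_sharing() {
    bin=$1
    dir=$2
    want_uid=${3:-0}
    if [ -f "$bin" ] && [ -u "$bin" ] && [ -g "$bin" ] \
        && [ "$(owner_uid "$bin")" = "$want_uid" ] \
        && [ -d "$dir" ] && [ "$(perm_string "$dir")" = "rwxr-xr-x" ]; then
        return 0
    fi
    {
        echo "ERROR: byobu screen sharing is not enabled"
        echo "INFO: To enable byobu screen sharing, a system administrator must run:"
        echo "  sudo dpkg-statoverride --add root utmp 6755 $bin"
        echo "  sudo chmod 755 $dir"
    } >&2
    return 1
}

# Typical call with the paths from the message:
#   verify_sharing /usr/bin/screen /var/run/screen
```

The check only reports state and never changes permissions, so the decision to make screen setuid root stays with the administrator.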