Hi,

I'd like to implement a feature similar to screen's `password' command
that "encrypts" a session with a password. If a session (or the whole
server) is protected with such a password, attaching a session or
sending any command to a session should be prohibited unless the
correct password is presented.

The use case should be clear: Unauthorized access to a user account
should not instantly lead to root privileges on the local machine
because of a left-open root shell nor to privileges on remote hosts
that you are connected to via SSH from inside a tmux session.

There's an obvious fallacy: If the tmux process runs with user
privileges, you can simply attach to it and/or modify the memory to
bypass this protection. So this would become a small hurdle rather
than a real protection, at least for a skilled attacker.

However, if tmux were installed as setuid root, then simply
attaching to the server process is not possible. So, from a
theoretical POV, by just installing tmux suid root and adding some
simple privilege dropping mechanisms in the right places, the above
attack could be made impossible. The setuid thing could be made a
compile time option with an appropriate warning, so that the
user/admin can decide.

How feasible is such an approach? Is the effort warranted at all?
And if not: How do you go about protecting open root shells and SSH
sessions? Any comments and thoughts appreciated.

Thanks,

Julius

_______________________________________________
tmux-users mailing list
tmux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tmux-users
