Open unixfox opened 7 years ago
My assumption is that it would occur since the effective GID of the user is changed when using tmux or screen. "uid=0(root) gid=729911652 egid=43(utmp) groups=43(utmp),0(root)" is the output that 'id' gives when in a screen session. And so, the effective GID of the screen/tmux process != the magic GID. I'll see if there's a solution to this, but as far as I can tell this is outside of vlany's control. I could prevent screen/tmux from changing the effective GID, but that might break some requirements of both terminals. For now, avoid using screen or tmux. I'll see what I can do.
Problem fixed. The screen process is now completely hidden from process viewers.
Alright, so screen is responsible for making FIFOs, which are basically the screen sessions. The call that does this is mkfifo(). I can hook this and make the call automatically hide the new FIFO file with vlany's special extended attribute strings should the current user be the backdoor user. This shouldn't be a problem. But why would anyone kitting a box want to have resumable screen sessions in their backdoor?
I'll push a fix tomorrow. 😃
Discard everything I said that has a strike through it. FIFO files can't have extended attributes applied to them. But they can, however, like everything else, have group IDs applied. I'll work something out.
Screen is great for launching a process in the background and being able to interact with it at any time. If you have a better alternative, I'm interested.
@mempodippy Thank you for trying :) but your modification isn't working:
[root@vlany:~/test]$ screen -S test
mkfifo /var/run/screen/S-root/10851.test failed
I do actually have a mkfifo hook that redirects the fifo file and makes a symlink, but it doesn't work for some reason. It creates the fifo file in a different location and creates the symlink fine, but when trying to hide the link, mkfifo (or screen) throws an error. I'll push what I have right now and I'll add some commentary so that my intentions are somewhat clearer. I think screen might be throwing the error because the new file isn't actually a fifo file. Gimme a sec. Edit: Hook commented and pushed. In the meantime, avoid using multiplexers or anything similar. Their behavior is a nuisance.
When I run the screen command, the owner of the machine (logged in as root) can view the running command inside top/htop and can join the screen session. I have almost the same behavior with tmux, but the tmux running command isn't listed inside the "top"/"htop" command. Is there a way to completely hide a screen/tmux session, or does there exist a terminal multiplexer program that doesn't allow other users to join the session?
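Read from the defender's side, the `id` output quoted in this thread carries two observable signals: a real GID that prints with no group name, and an effective GID that differs from it. The following is an added example, not part of the original issue or of the project's code; it parses `id` output and reports both. The second sample line and the function names are constructed for illustration.

```python
import re

# The `id` line quoted in the thread, and an ordinary one constructed for contrast.
THREAD_LINE = "uid=0(root) gid=729911652 egid=43(utmp) groups=43(utmp),0(root)"
NORMAL_LINE = "uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo)"  # constructed

ID_FIELDS = ("uid", "gid", "euid", "egid", "groups")
ENTRY = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_id(line):
    """Parse `id` output into {field: [(number, name or None), ...]}."""
    parsed = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key not in ID_FIELDS:
            continue  # e.g. an SELinux "context=" field
        entries = []
        for item in value.split(","):
            match = ENTRY.fullmatch(item)
            if match is None:
                raise ValueError(f"unparseable {key} entry: {item!r}")
            entries.append((int(match.group(1)), match.group(2)))
        parsed[key] = entries
    return parsed


def findings(line):
    """Return human-readable anomalies for one line of `id` output."""
    parsed = parse_id(line)
    out = []
    # An ID printed without "(name)" did not resolve in the passwd/group database.
    for field in ID_FIELDS:
        for number, name in parsed.get(field, []):
            if name is None:
                out.append(f"{field} {number} has no name")
    # `id` prints euid/egid only when they differ from the real IDs. A setgid
    # program causes this legitimately, so treat it as context, not proof.
    for real, effective in (("uid", "euid"), ("gid", "egid")):
        if real in parsed and effective in parsed:
            out.append(f"{effective} {parsed[effective][0][0]} differs from "
                       f"{real} {parsed[real][0][0]}")
    return out


if __name__ == "__main__":
    for sample in (THREAD_LINE, NORMAL_LINE):
        print(sample, "->", findings(sample) or "nothing unusual")
```
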