> Do you mean this https://github.com/tmux/tmux? That is the source for the portable version of tmux, wrapping the native kqueue version developed for OpenBSD with libevent.
Tmux is part of the OpenBSD base system.
Tmux is not an officially developed program by the OpenBSD community.
It was imported June 1 2009.
Here is Theo de Raadt's post:
> By Theo de Raadt on 2009-07-07 04:37
> The most impressive thing about tmux, in my view, is how frustrating the code audit was. In 2 hours, I found only one or two nits that had very minor security consequences.
> It was not accepted into the tree based on license alone. It is high quality code.
FWIW, libevent was originally written by an OpenBSD contributor who wished to write portable programs which could make use of kqueue on BSD and select/poll elsewhere. At the time Linux didn't yet have epoll.
In any event, tmux on OpenBSD also uses libevent as libevent is, naturally, part of the base system. libevent as most people know it was originally a portability fork of OpenBSD's version, similar to the portable versions of tmux, OpenSSH, etc, though unlike those projects core libevent development eventually switched to the portable version and OpenBSD stopped (AFAICT) backporting changes wholesale.
As best I can tell, tmux is developed primarily by Nicholas Marriott for OpenBSD and made portable with libevent. The original paper uses OpenBSD, and here[1] he says: “I preferred to work on it in base: I felt tmux would be improved by being part of OpenBSD.”
The author developed tmux on OpenBSD because that is what he used, but it was never part of the OpenBSD Project. It was a port prior to being included in the base install. This is no different than how FreeBSD includes software in its base install, yet this doesn't make the code part of the FreeBSD Project.
The tmux GitHub repo is the reference implementation. As an example, OpenSSH is developed internally to OpenBSD and the project creates a separate portable version. tmux is the opposite: it is developed independently of OpenBSD and the project maintains its own implementation.
I don't see how doas would mitigate this thing at all. It doesn't really matter how the window with root shell was originally elevated (sudo, su, doas etc).
[1] https://en.wikipedia.org/wiki/OpenBSD#Subprojects
[2] https://undeadly.org/cgi?action=article&sid=20090707041154