| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 08 Apr 2016 18:03:11 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Andy Lutomirski <luto@...capital.net>, security@...ian.org, "security\@kernel.org" <security@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, "security\@ubuntu.com \>\> security" <security@...ntu.com>, Peter Hurley <peter@...leysoftware.com>, Serge Hallyn <serge.hallyn@...ntu.com>, Willy Tarreau <w@....eu>, Aurelien Jarno <aurelien@...el32.net>, Jann Horn <jann@...jh.net>, Greg KH <greg@...ah.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Jiri Slaby <jslaby@...e.com>, Florian Weimer <fw@...eb.enyo.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Linus Torvalds <torvalds@...ux-foundation.org> writes: > But more fundamentally I still don't actually understand why you even > really care. At this point I care because there is a failure of communication. Until this email no one has ever said: "Ok that actually could happen but we don't actually care." Right now I am a bit paranoid because I have seen a few too many cases where some little detail was glossed over and someone clever turned it into a great big CVE they could drive a truck through. So I am once bitten twice shy and all of that. > We get the wrong pts case *today*. We'd get a different wrong pts > namespace when somebody tries to do odd things. Why would we care? It > would be a _better_ guess. > > I don't see the security issue. If you do tricks to get pty's in > another group, what's the problem? You have to do it consciously, and > I don't see what the downside is. You get what you ask for, and I > don't see a new attack surface. > > The whole "somebody used chmod on /dev/pts/" argument sounds bogus. > That's an insane thing to do. If you want a private namespace, you > make *all* of /dev private, you don't go "oh, I'll just make the pts > subdirectory private". Oh I pretty much agree it is an insane thing to do. At the same time I know that people can make a lot of little sane decisions that can lead to an insane situation, so just because it is insane I can't rule it out automatically. The actual sane thing to do, and what I think most of userspace does at this point is to create it's own mount namespace so nothing is visible to outsiders. > In other words, your whole scenario sounds totally made up to begin > with. And even if it happens, I don't see what would be so disastrous > about it. In general I agree. The scenario is made up. I would be surprised if it happens. > I mean, right now, /dev/ptmx is world read-write in the root container > and everybody gets access to the same underlying set of ptys. And > that's not some horrible security issue. It's how things are > *supposed* to work. I agree. > So I really don't see the argument. You guys are just making shit up. I don't see why we have the linux extension of supporting anything except mode 0666 on /dev/ptmx or /dev/pts/ptmx. This is really about not breaking that linux extension by overlooking some little detail. On the attack analysis front the worst thing I can see happening is a denial of service attack. I see two possible denial of service attacks. One possible attack creates a pty and prevents devpts from being unmounted. Another possible attack creates all possible ptys on a devpts instance, and prevents legitimate tty creations from happening. At the end of the day as you say it would be a pretty crazy person who isolated a mount of devpts with just the permissions of /dev/pts/ptmx. So if we don't want to care knowing those stupid attacks above are possible I am happy not to care. They don't look all that serious to me. Eric
Powered by blists - more mailing lists