lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Apr 2016 17:50:49 -0700 From: Linus Torvalds <torvalds@...ux-foundation.org> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Andy Lutomirski <luto@...capital.net>, security@...ian.org, "security@...nel.org" <security@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, "security@...ntu.com >> security" <security@...ntu.com>, Peter Hurley <peter@...leysoftware.com>, Serge Hallyn <serge.hallyn@...ntu.com>, Willy Tarreau <w@....eu>, Aurelien Jarno <aurelien@...el32.net>, One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>, Jann Horn <jann@...jh.net>, Greg KH <greg@...ah.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Jiri Slaby <jslaby@...e.com>, Florian Weimer <fw@...eb.enyo.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup On Mon, Apr 11, 2016 at 5:22 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: > > I meant the one where I conceded that the only think that it could > possible protect against was a denial of service attack, from which we > probably don't care. Yeah, that's the same email I was talking about, I was just quoting another part. > As I agreed with you that it was unnecessary I was just puzzled why you > called what was essentially agreement with you deafening silence. The "deafening silence" was about _why_ this all would be a problem, and why the security checks would be needed. Basically, I think that if /dev/pts/ is accessible, we should just say "ok, you can open a pty on it". The fact that you could open a pty by bind-mounting it somewhere else, and then adding a "ptmx" node to the same directory is not a security issue: it's simply how devpts works. In no actual sane and relevant situation is that a problem, for the simple fact that there will *already* be a ptmx node that is world-accessible in the same directory that has that /dev/pts/ mount. Anything else is insane and irrelevant. This is *literally* what POSIX says. Sure, POSIX also has that whole language about "posix_openpt()", but that's just BS and irrelevant. The very page that mentions "posix_openpt()" also says "On implementations supporting the /dev/ptmx clone device, opening the master device of a pseudo-terminal is simply: mfdp = open("/dev/ptmx", oflag ); if (mfdp < 0) return -1;" and Linux unquestionably falls in that "supports /dev/ptmx" camp. So I claim that the _only_ sane use of devpts is to already have a world-accessible ptmx node there, and nothing else makes sense. And if you want to be private, you had better make the whole /dev/ subdirectory private (which also takes care of any bind mount issues) Linus
Powered by blists - more mailing lists