| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120124220247.GA26353@hallyn.com> Date: Tue, 24 Jan 2012 22:02:47 +0000 From: "Serge E. Hallyn" <serge@...lyn.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Al Viro <viro@...IV.linux.org.uk>, containers@...ts.linux-foundation.org, Dave Hansen <haveblue@...ibm.com>, linux-kernel@...r.kernel.org, Andy Whitcroft <apw@...onical.com>, sukadev@...ux.vnet.ibm.com, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [RFC] fix devpts mount behavior Quoting Eric W. Biederman (ebiederm@...ssion.com): > Al Viro <viro@...IV.linux.org.uk> writes: > > > On Mon, Jan 23, 2012 at 04:41:25PM -0800, Linus Torvalds wrote: > > > >> Right. I think the opportunity for problems should be pretty small. > >> > >> And it's not like the pty itself wouldn't continue to work - it's just > >> that programs like /usr/bin/tty wouldn't be able to *find* it. > >> > >> Although who knows - maybe there is some other subtle interaction. > > > > FWIW, the subtle and nasty part in all that is that you can mknod /dev/ptmx > > and it *will* work, refering to the "initial" instance. That's what > > concerns me about the chroot scenarios - > > mknod /jail/dev/ptmx c 5 2 > > mkdir /jail/dev/pts > > mount -t devpts /jail/dev/pts > > chroot /jail > > works fine right now, but with that change behaviour will be all wrong - > > opening /dev/ptmx inside of jail will grab you a pts, all right, but > > it will *not* show up in (jail) /dev/pts/* as it does with the current > > kernel. > > > > Note that if you replace that mknod with symlink pts/ptmx /jail/dev/ptmx > > the things will keep working. However, that will _only_ work for kernels > > with DEVPTS_MULTIPLE_INSTANCES - without it you won't get ptmx inside > > devpts (which is arguably wrong, BTW) > > For testing I would recommend looking at the distro chroot build cases. Do you have a specific example in mind? I would expect build chroots generally don't mount a devpts. > It looks like relatively recent udev still creates /dev/ptmx and does Boy, it does, and it's stubborn about it. Removing the /lib/udev/rules.d entry doesn't stop it. (this is after I've had an init job replace the devtmpfs-created ptmx entry with a symlink) So current distros (well, Ubuntu and Fedora at least) would need to at least (a) fix udev, (b) change the default devpts mount (done from initramfs) to add ptmxmode=666, (c) (if not done in udev) create the /dev/ptmx symlink. For safety I'd recommend creating /dev/pts/ptmx with DEVPTS_MULTIPLE_INSTANCES=n (or dropping that support), and by default setting ptmxmode to 666 as that's what udev does. > not create the symlink. So we might get into the awkward situation of > /dev/ptmx not matching /dev/pts/ptmx with something as simple as > initramfs mounting /dev/pts and then initscripts mounting /dev/pts. That shouldn't matter with a symlink, though it is sloppy. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists