| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Apr 2016 17:44:42 -0700 From: Andy Lutomirski <luto@...capital.net> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: "H. Peter Anvin" <hpa@...or.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>, Peter Hurley <peter@...leysoftware.com>, Greg KH <greg@...ah.com>, Jiri Slaby <jslaby@...e.com>, Aurelien Jarno <aurelien@...el32.net>, Florian Weimer <fw@...eb.enyo.de>, Al Viro <viro@...iv.linux.org.uk>, Serge Hallyn <serge.hallyn@...ntu.com>, Jann Horn <jann@...jh.net>, "security@...nel.org" <security@...nel.org>, "security@...ntu.com >> security" <security@...ntu.com>, security@...ian.org, Willy Tarreau <w@....eu>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup On Sat, Apr 9, 2016 at 5:16 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Sat, Apr 9, 2016 at 5:06 PM, H. Peter Anvin <hpa@...or.com> wrote: >> >> Fixing the default permissions is trivial, of course. The intent from the beginning was to make a ptmx -> pts/ptmx, but user space never did... > > That wasn't my point. > > Because the permissions have never been usable, I pretty much > guarantee that no current user space uses /dev/pts/ptmx. > > So that node is almost entirely irrelevant. Us fixing the permissions > at this point isn't going to make it any more relevant, we might as > well ignore it. > > Which all means that the way forward really is to just make /dev/ptmx > work. It's not going away, and it _is_ fairly easy to fix. > > But I don't think the fix should care about permissions - and we might > as well leave the existing pts/ptmx node with broken permissions. > Because we've never been actually interested in looking up > /dev/pts/ptmx - all we actually care about is to look up which devpts > instance it is. > > And that's not about the ptmx node, that's really about the > mount-point. So the right thing to do - conceptually - is *literally* > to just say "ok, what is mounted at 'pts'". Note how at no point do we > want to _open_ anything. > > That's why I said that conceptually we could just open /proc/mounts. > Because *that* is really the operation we care about. We don't care > about lookup, and we don't care about permissions on the ptmx node. > Those are completely and utterly irrelevant to what we're actually > after. > > So I think the permission thing is not just extra code with more > failure points. I think it's conceptually entirely the wrong thing to > do, and just confuses people into thinking that we're doing something > that we aren't. What we *do* want to do, though, is to prevent the following: Root (or a container manager or whatever) does: mknod /foo/ptmx c 5 2 chmod 600 /foo/ptmx chmod 666 /dev/ptmx mount -t devpts -o newinstance none /foo/pts Evil user does: $ unshare -urm # mount --bind /dev /mnt/foo # mount --bind /foo/pts /mnt/foo/pts # open /mnt/foo/ptmx The issue is that the evil user has the ability to open /mnt/foo/ptmx (because it's 666), and the relative path 'pts' points to /foo/pts, which the evil user should *not* be able to access. IOW, with a naive implementation, we can match up the ptmx node with the wrong devpts instance because the evil user unshared their mount namespace and screwed around. I don't immediately see how to fix this without playing permission games. --Andy
Powered by blists - more mailing lists