Message-ID: <CA+55aFzo=kJ57pWURnv9NxfQSaKuHP1yMCD9mPcMCu0M7Jf6ag@mail.gmail.com>
Date: Mon, 11 Apr 2016 17:01:47 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Andy Lutomirski <luto@...capital.net>, security@...ian.org,
"security@...nel.org" <security@...nel.org>,
Al Viro <viro@...iv.linux.org.uk>,
"security@...ntu.com >> security" <security@...ntu.com>,
Peter Hurley <peter@...leysoftware.com>,
Serge Hallyn <serge.hallyn@...ntu.com>,
Willy Tarreau <w@....eu>,
Aurelien Jarno <aurelien@...el32.net>,
One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
Jann Horn <jann@...jh.net>, Greg KH <greg@...ah.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Jiri Slaby <jslaby@...e.com>, Florian Weimer <fw@...eb.enyo.de>
Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated
devpts via path lookup
On Mon, Apr 11, 2016 at 4:37 PM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
>
> My practical concern if we worked through the implementation details
> would be how would it interact with people who bind mount /dev/pts/ptmx
> on top of /dev/ptmx. We might get some strange new errors.
Yes, please don't let's play "clever" games. The semantics should be
fairly straightforward.

I still don't understand why people think that you shouldn't be able
to access a 'pts' subsystem that is accessible to others. If you can
bind-mount the pts directory somewhere, then you can damn well already
see that pts mount, claiming that somehow it should be sacred ground
and you shouldn't be able to access it with a ptmx node outside of it
is just insane.

So people have been bringing that up as an issue, but nobody has ever
actually been able to articulate why anybody should ever care.

Now people are just making up random odd semantics. Nobody has ever
explained why the _simple_ "ptmx binds to the pts directory next to
it" is actually a problem. Even for a bind mount, you have to be able to
open the point you're mounting, so we know that the "attacker" already
had access to the pts subdirectory.

If somebody wants to keep the pts mount private, they should damn well
keep it _private_. I don't understand people's "oh, you can access it
but you can't access it" excuses.

Linus