Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 27 Feb 2016 18:34:20 +0100
From: Jakub Wilk <jwilk@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Access to /dev/pts devices via pt_chown and user
 namespaces

* Simon McVittie <smcv@...ian.org>, 2016-02-24, 07:01:
>>>Just for the record, pt_chown is not enabled by default in upstream 
>>>glibc starting with glibc-2.18, one has to specify --enable-pt_chown 
>>>configure option explicitly to build pt_chown.
>>
>>Thanks for that information. So for pt_chown, this could hopefully be 
>>just an Ubuntu issue.
>
>And Debian 8 (but not the future Debian 9, at least on Linux kernels), 
>and probably other distributions where backward compat was a concern.
>
><https://bugs.debian.org/717544> has some interesting background. The 
>Debian and Ubuntu glibc maintainers tried turning off pt_chown in 2014, 
>but had to turn it back on because it caused too many regressions: in 
>particular "mount -t devpts devpts-foo chroot-foo/dev/pts" apparently 
>alters the mount options for the "real" /dev/pts, not just the one 
>being mounted in the chroot (presumably losing the noexec,nosuid,gid=5 
>and mode=620 or mode=600 options that are expected in Debian). I don't 
>know whether the default mount options were subsequently altered in 
>util-linux and/or the kernel as suggested on that bug, or whether 
>manually mounting devpts is just not going to be a supported action in 
>Debian 9.

grantpt() was fixed so that it works even when /dev/pts mount options 
are "wrong":
https://sourceware.org/ml/libc-alpha/2015-12/msg00151.html

This is going to be backported to Debian 8 (jessie):
https://bugs.debian.org/816023

-- 
Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ