Date: Sat, 27 Feb 2016 18:34:20 +0100 From: Jakub Wilk <jwilk@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: Access to /dev/pts devices via pt_chown and user namespaces * Simon McVittie <smcv@...ian.org>, 2016-02-24, 07:01: >>>Just for the record, pt_chown is not enabled by default in upstream >>>glibc starting with glibc-2.18, one has to specify --enable-pt_chown >>>configure option explicitly to build pt_chown. >> >>Thanks for that information. So for pt_chown, this could hopefully be >>just an Ubuntu issue. > >And Debian 8 (but not the future Debian 9, at least on Linux kernels), >and probably other distributions where backward compat was a concern. > ><https://bugs.debian.org/717544> has some interesting background. The >Debian and Ubuntu glibc maintainers tried turning off pt_chown in 2014, >but had to turn it back on because it caused too many regressions: in >particular "mount -t devpts devpts-foo chroot-foo/dev/pts" apparently >alters the mount options for the "real" /dev/pts, not just the one >being mounted in the chroot (presumably losing the noexec,nosuid,gid=5 >and mode=620 or mode=600 options that are expected in Debian). I don't >know whether the default mount options were subsequently altered in >util-linux and/or the kernel as suggested on that bug, or whether >manually mounting devpts is just not going to be a supported action in >Debian 9. grantpt() was fixed so that it works even when /dev/pts mount options are "wrong": https://sourceware.org/ml/libc-alpha/2015-12/msg00151.html This is going to be backported to Debian 8 (jessie): https://bugs.debian.org/816023 -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ