Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753054AbcDJApG (ORCPT ); Sat, 9 Apr 2016 20:45:06 -0400 Received: from mail-ob0-f181.google.com ([209.85.214.181]:33087 "EHLO mail-ob0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751013AbcDJApE (ORCPT ); Sat, 9 Apr 2016 20:45:04 -0400 MIME-Version: 1.0 In-Reply-To: References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org> <1459819769-30387-1-git-send-email-ebiederm@xmission.com> <87twjcorwg.fsf@x220.int.ebiederm.org> <20160409140909.42315e6d@lxorguk.ukuu.org.uk> <83FE8CD2-C0A2-4ADB-AEBD-8DD89AD4F88A@zytor.com> <87bn5ij0x1.fsf@x220.int.ebiederm.org> <78205895-E11D-417F-91DC-4BCA0B61A122@zytor.com> From: Andy Lutomirski Date: Sat, 9 Apr 2016 17:44:42 -0700 Message-ID: Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup To: Linus Torvalds Cc: "H. Peter Anvin" , "Eric W. Biederman" , One Thousand Gnomes , Peter Hurley , Greg KH , Jiri Slaby , Aurelien Jarno , Florian Weimer , Al Viro , Serge Hallyn , Jann Horn , "security@kernel.org" , "security@ubuntu.com >> security" , security@debian.org, Willy Tarreau , Linux Kernel Mailing List Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2592 Lines: 66 On Sat, Apr 9, 2016 at 5:16 PM, Linus Torvalds wrote: > On Sat, Apr 9, 2016 at 5:06 PM, H. Peter Anvin wrote: >> >> Fixing the default permissions is trivial, of course. The intent from the beginning was to make a ptmx -> pts/ptmx, but user space never did... > > That wasn't my point. > > Because the permissions have never been usable, I pretty much > guarantee that no current user space uses /dev/pts/ptmx. > > So that node is almost entirely irrelevant. Us fixing the permissions > at this point isn't going to make it any more relevant, we might as > well ignore it. > > Which all means that the way forward really is to just make /dev/ptmx > work. It's not going away, and it _is_ fairly easy to fix. > > But I don't think the fix should care about permissions - and we might > as well leave the existing pts/ptmx node with broken permissions. > Because we've never been actually interested in looking up > /dev/pts/ptmx - all we actually care about is to look up which devpts > instance it is. > > And that's not about the ptmx node, that's really about the > mount-point. So the right thing to do - conceptually - is *literally* > to just say "ok, what is mounted at 'pts'". Note how at no point do we > want to _open_ anything. > > That's why I said that conceptually we could just open /proc/mounts. > Because *that* is really the operation we care about. We don't care > about lookup, and we don't care about permissions on the ptmx node. > Those are completely and utterly irrelevant to what we're actually > after. > > So I think the permission thing is not just extra code with more > failure points. I think it's conceptually entirely the wrong thing to > do, and just confuses people into thinking that we're doing something > that we aren't. What we *do* want to do, though, is to prevent the following: Root (or a container manager or whatever) does: mknod /foo/ptmx c 5 2 chmod 600 /foo/ptmx chmod 666 /dev/ptmx mount -t devpts -o newinstance none /foo/pts Evil user does: $ unshare -urm # mount --bind /dev /mnt/foo # mount --bind /foo/pts /mnt/foo/pts # open /mnt/foo/ptmx The issue is that the evil user has the ability to open /mnt/foo/ptmx (because it's 666), and the relative path 'pts' points to /foo/pts, which the evil user should *not* be able to access. IOW, with a naive implementation, we can match up the ptmx node with the wrong devpts instance because the evil user unshared their mount namespace and screwed around. I don't immediately see how to fix this without playing permission games. --Andy