MIME-Version: 1.0
In-Reply-To: <87r3ebad6w.fsf@x220.int.ebiederm.org>
References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org>
	<1459819769-30387-1-git-send-email-ebiederm@xmission.com>
	<CA+55aFwv7d8XfeN8KvYaVcSs7V9XoHtS-1cqtkG4gF4yJwB5nA@mail.gmail.com>
	<87twjcorwg.fsf@x220.int.ebiederm.org>
	<20160409140909.42315e6d@lxorguk.ukuu.org.uk>
	<83FE8CD2-C0A2-4ADB-AEBD-8DD89AD4F88A@zytor.com>
	<87bn5ij0x1.fsf@x220.int.ebiederm.org>
	<78205895-E11D-417F-91DC-4BCA0B61A122@zytor.com>
	<CA+55aFyB7y8TfQ=_EvMAFONS6oSPs=uY88f+S6n_QWh4MkKTHg@mail.gmail.com>
	<FC521A3F-4BEB-427E-AE8E-CA54C0128AA3@zytor.com>
	<CA+55aFw62q5bjNiK7Q9dEQQEDZs5fbUxNPxDq376OZJ6JKT=Rg@mail.gmail.com>
	<CALCETrUZ=QVZbTCr3gvhSd2-j_U4R02y5fCxbddG_HsQdnuBkw@mail.gmail.com>
	<CA+55aFzs00iDkYhvFCq=AZMVcNL0+oZT4SeimTeVurJq=5ZS3A@mail.gmail.com>
	<87ziszd7uv.fsf@x220.int.ebiederm.org>
	<CA+55aFwW5Bb1BwEcqkQOUOh6yLbbiZ_9Anx2h200STTmts6wSQ@mail.gmail.com>
	<87r3ebad6w.fsf@x220.int.ebiederm.org>
Date: Mon, 11 Apr 2016 17:50:49 -0700
Message-ID: <CA+55aFzyo=pxBAt0FutjPQ4EkgAddE19DyQe7jD5Fz_WxcE-ug@mail.gmail.com>
Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated
 devpts via path lookup
From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>, security@debian.org,
        "security@kernel.org" <security@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        "security@ubuntu.com >> security" <security@ubuntu.com>,
        Peter Hurley <peter@hurleysoftware.com>,
        Serge Hallyn <serge.hallyn@ubuntu.com>, Willy Tarreau <w@1wt.eu>,
        Aurelien Jarno <aurelien@aurel32.net>,
        One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
        Jann Horn <jann@thejh.net>, Greg KH <greg@kroah.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Jiri Slaby <jslaby@suse.com>, Florian Weimer <fw@deneb.enyo.de>,
        "H. Peter Anvin" <hpa@zytor.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1871
Lines: 48

On Mon, Apr 11, 2016 at 5:22 PM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
>
> I meant the one where I conceded that the only think that it could
> possible protect against was a denial of service attack, from which we
> probably don't care.

Yeah, that's the same email I was talking about, I was just quoting
another part.

> As I agreed with you that it was unnecessary I was just puzzled why you
> called what was essentially agreement with you deafening silence.

The "deafening silence" was about _why_ this all would be a problem,
and why the security checks would be needed.

Basically, I think that if /dev/pts/ is accessible, we should just say
"ok, you can open a pty on it".

The fact that you could open a pty by bind-mounting it somewhere else,
and then adding a "ptmx" node to the same directory is not a security
issue: it's simply how devpts works.

In no actual sane and relevant situation is that a problem, for the
simple fact that there will *already* be a ptmx node that is
world-accessible in the same directory that has that /dev/pts/ mount.

Anything else is insane and irrelevant. This is *literally* what POSIX
says. Sure, POSIX also has that whole language about "posix_openpt()",
but that's just BS and irrelevant. The very page that mentions
"posix_openpt()" also says

  "On implementations supporting the /dev/ptmx clone device, opening
the master device of a pseudo-terminal is simply:

        mfdp = open("/dev/ptmx", oflag );
        if (mfdp < 0)
            return -1;"

and Linux unquestionably falls in that "supports /dev/ptmx" camp.

So I claim that the _only_ sane use of devpts is to already have a
world-accessible ptmx node there, and nothing else makes sense.

And if you want to be private, you had better make the whole /dev/
subdirectory private (which also takes care of any bind mount issues)

            Linus