Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755440AbcDLAuv (ORCPT ); Mon, 11 Apr 2016 20:50:51 -0400 Received: from mail-io0-f195.google.com ([209.85.223.195]:35623 "EHLO mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753521AbcDLAuu (ORCPT ); Mon, 11 Apr 2016 20:50:50 -0400 MIME-Version: 1.0 In-Reply-To: <87r3ebad6w.fsf@x220.int.ebiederm.org> References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org> <1459819769-30387-1-git-send-email-ebiederm@xmission.com> <87twjcorwg.fsf@x220.int.ebiederm.org> <20160409140909.42315e6d@lxorguk.ukuu.org.uk> <83FE8CD2-C0A2-4ADB-AEBD-8DD89AD4F88A@zytor.com> <87bn5ij0x1.fsf@x220.int.ebiederm.org> <78205895-E11D-417F-91DC-4BCA0B61A122@zytor.com> <87ziszd7uv.fsf@x220.int.ebiederm.org> <87r3ebad6w.fsf@x220.int.ebiederm.org> Date: Mon, 11 Apr 2016 17:50:49 -0700 X-Google-Sender-Auth: GzDNbXGUFTTypP6SQ-eEp_Zg1SY Message-ID: Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup From: Linus Torvalds To: "Eric W. Biederman" Cc: Andy Lutomirski , security@debian.org, "security@kernel.org" , Al Viro , "security@ubuntu.com >> security" , Peter Hurley , Serge Hallyn , Willy Tarreau , Aurelien Jarno , One Thousand Gnomes , Jann Horn , Greg KH , Linux Kernel Mailing List , Jiri Slaby , Florian Weimer , "H. Peter Anvin" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1871 Lines: 48 On Mon, Apr 11, 2016 at 5:22 PM, Eric W. Biederman wrote: > > I meant the one where I conceded that the only think that it could > possible protect against was a denial of service attack, from which we > probably don't care. Yeah, that's the same email I was talking about, I was just quoting another part. > As I agreed with you that it was unnecessary I was just puzzled why you > called what was essentially agreement with you deafening silence. The "deafening silence" was about _why_ this all would be a problem, and why the security checks would be needed. Basically, I think that if /dev/pts/ is accessible, we should just say "ok, you can open a pty on it". The fact that you could open a pty by bind-mounting it somewhere else, and then adding a "ptmx" node to the same directory is not a security issue: it's simply how devpts works. In no actual sane and relevant situation is that a problem, for the simple fact that there will *already* be a ptmx node that is world-accessible in the same directory that has that /dev/pts/ mount. Anything else is insane and irrelevant. This is *literally* what POSIX says. Sure, POSIX also has that whole language about "posix_openpt()", but that's just BS and irrelevant. The very page that mentions "posix_openpt()" also says "On implementations supporting the /dev/ptmx clone device, opening the master device of a pseudo-terminal is simply: mfdp = open("/dev/ptmx", oflag ); if (mfdp < 0) return -1;" and Linux unquestionably falls in that "supports /dev/ptmx" camp. So I claim that the _only_ sane use of devpts is to already have a world-accessible ptmx node there, and nothing else makes sense. And if you want to be private, you had better make the whole /dev/ subdirectory private (which also takes care of any bind mount issues) Linus