Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752520AbdHPQn7 convert rfc822-to-8bit (ORCPT ); Wed, 16 Aug 2017 12:43:59 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:51584 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752491AbdHPQnz (ORCPT ); Wed, 16 Aug 2017 12:43:55 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: "Michael Kerrisk \(man-pages\)" Cc: Aleksa Sarai , linux-man@vger.kernel.org, Greg Kroah-Hartman , containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jiri Slaby , Christian Brauner References: <20170609170147.32311-1-asarai@suse.de> <11706e49-8271-ed8c-3747-19b3e8f2850d@gmail.com> Date: Wed, 16 Aug 2017 11:43:39 -0500 In-Reply-To: <11706e49-8271-ed8c-3747-19b3e8f2850d@gmail.com> (Michael Kerrisk's message of "Tue, 15 Aug 2017 21:27:33 +0200") Message-ID: <878tijwjic.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-XM-SPF: eid=1di1Q3-0002nz-CM;;;mid=<878tijwjic.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.200.44;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18BACqIBy8b3l9OkFQfSkP9ft2hp4YPHCg= X-SA-Exim-Connect-IP: 67.3.200.44 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa05 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.1 XMSolicitRefs_0 Weightloss drug X-Spam-DCC: XMission; sa05 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;"Michael Kerrisk \(man-pages\)" X-Spam-Relay-Country: X-Spam-Timing: total 5567 ms - load_scoreonly_sql: 0.54 (0.0%), signal_user_changed: 5 (0.1%), b_tie_ro: 3.5 (0.1%), parse: 1.61 (0.0%), extract_message_metadata: 29 (0.5%), get_uri_detail_list: 4.0 (0.1%), tests_pri_-1000: 14 (0.3%), tests_pri_-950: 2.8 (0.1%), tests_pri_-900: 2.0 (0.0%), tests_pri_-400: 35 (0.6%), check_bayes: 33 (0.6%), b_tokenize: 12 (0.2%), b_tok_get_all: 9 (0.2%), b_comp_prob: 4.1 (0.1%), b_tok_touch_all: 3.2 (0.1%), b_finish: 0.94 (0.0%), tests_pri_0: 372 (6.7%), check_dkim_signature: 0.89 (0.0%), check_dkim_adsp: 5 (0.1%), tests_pri_500: 5099 (91.6%), poll_dns_idle: 5087 (91.4%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3102 Lines: 66 "Michael Kerrisk (man-pages)" writes: > On 06/09/2017 07:01 PM, Aleksa Sarai wrote: >> The feature this patch references has currently only been accepted into >> tty-testing, but Greg told me to kick this down to man-pages. As a >> result, I can't reference upstream commit id's because the code isn't in >> Linus' tree yet -- should I resend this once it lands in tty-next or >> Linus' tree? >> >> Also obviously the release version is a bit of a lie. > > Hello Aleksa, > > I've applied this patch, and then tweaked the wording a little. Could > you please check the following text: > > TIOCGPTPEER int flags > (since Linux 4.13) Given a file descriptor in fd that > refers to a pseudoterminal master, open (with the given > open(2)-style flags) and return a new file descriptor that > refers to the peer pseudoterminal slave device. This oper‐ > ation can be performed regardless of whether the pathname > of the slave device is accessible through the calling > process's mount namespaces. > > Security-conscious programs interacting with namespaces may > wish to use this operation rather than open(2) with the > pathname returned by ptsname(3), and similar library func‐ > tions that have insecure APIs. > > I also have a question on the last sentence: what are the "similar library > functions that have insecure APIs"? It's not clear to me what you are > referring to here. A couple of things to note on the bigger picture. The glibc library on all distributions has been changed to not have a setuid binary pt_chown, that uses ptsname. This was the primary fix for the security issue. The behavior of opening /dev/ptmx has been changed to perform a path lookup relative to the location of /dev/ptmx of ./pts/ptmx and open it it is a devpts filesystem and to fail otherwise. This further makes it hard to confuse userspace this way as /dev/ptmx always corresponds to /dev/pts/ptmx. Even in chroots and in other mount namespaces. Both of these changes largely makes glibc's use of these features secure. /dev/ptmx always corresponds to /dev/pts and there no readily available suid root applications too fool. That makes TIOCGPTPEER a very nice addition, but not something people have to scramble to use to ensure their system is secure. As a hostile environment now has to work very hard to confuse the existing mechanisms. >> This is an ioctl(2) recently added by myself, to allow for container >> runtimes and other programs that interact with (potentially hostile) >> Linux namespaces to safely create {master,slave} pseudoterminal pairs >> without needing to open potentially unsafe /dev/pts/... filenames that >> may be malicious mountpoints or similar in an untrusted namespace >> (avoiding the endless issues with ptsname(3) and similar approaches). >> >> Cc: >> Signed-off-by: Aleksa Sarai Eric