Subject: Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation
From: Aleksa Sarai
To: "Eric W. Biederman", "Michael Kerrisk (man-pages)"
Cc: linux-man@vger.kernel.org, Greg Kroah-Hartman, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jiri Slaby, Christian Brauner
Date: Thu, 17 Aug 2017 02:54:03 +1000
In-Reply-To: <878tijwjic.fsf@xmission.com>
References: <20170609170147.32311-1-asarai@suse.de> <11706e49-8271-ed8c-3747-19b3e8f2850d@gmail.com> <878tijwjic.fsf@xmission.com>

> A couple of things to note on the bigger picture.
>
> The glibc library on all distributions has been changed to not have a
> setuid binary pt_chown, that uses ptsname. This was the primary fix
> for the security issue.
>
> The behavior of opening /dev/ptmx has been changed to perform a path
> lookup relative to the location of /dev/ptmx of ./pts/ptmx and open
> it if it is a devpts filesystem and to fail otherwise. This further
> makes it hard to confuse userspace this way as /dev/ptmx always
> corresponds to /dev/pts/ptmx. Even in chroots and in other mount
> namespaces.

I have a feeling that there might be a way to trick glibc if you use
FUSE, but I haven't actually tried to create a PoC for it. Fair point
though.
> That makes TIOCGPTPEER a very nice addition, but not something people
> have to scramble to use to ensure their system is secure. As a hostile
> environment now has to work very hard to confuse the existing mechanisms.

There are use cases where you simply need TIOCGPTPEER, and no other
userspace alternative will do, but maybe if we modified the paragraph to
read (as suggested):

    Security-conscious programs interacting with namespaces may wish to
    use this operation rather than open(2) with the pathname returned by
    ptsname(3).

This would clarify that there are use cases where you need this
particular feature, without causing people to panic over inaccurate
claims of glibc being broken. Does that sound better?

-- 
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
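The alternative the thread is weighing, as an added example that is not part of the e-mail exchange or of the man-pages patch: a C program that opens a pty pair and obtains the slave with ioctl(TIOCGPTPEER) on the master instead of open(2) on the name from ptsname(3), so no pathname is looked up in whatever mount namespace or chroot the process happens to be in. The path-based open is kept only as an explicitly opt-in fallback for kernels older than 4.13, and the caller is told which route was taken. The second function is a sanity check a practitioner can run on the resulting descriptor: that it is a tty, that it lives on a devpts filesystem (DEVPTS_SUPER_MAGIC), and that its device minor equals the master's TIOCGPTN index, i.e. that it really is this master's peer. The function names open_pty_pair and slave_is_peer_of, and the fallback-defining TIOCGPTPEER value for headers that lack it, are this example's own assumptions; the ioctl semantics are those documented for Linux.

```c
/* Added example, not code from the thread or from man-pages. Obtain the
 * pty slave via TIOCGPTPEER (Linux >= 4.13) rather than open(ptsname()). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/vfs.h>

/* Values from the kernel UAPI headers, repeated in case the installed
 * headers predate them (assumption: building against glibc on Linux). */
#ifndef TIOCGPTPEER
#define TIOCGPTPEER _IO('T', 0x41)
#endif
#ifndef DEVPTS_SUPER_MAGIC
#define DEVPTS_SUPER_MAGIC 0x1cd1
#endif

/* XSI prototypes, repeated so the file also builds when the feature test
 * macros are fixed by an earlier include. */
extern int grantpt(int);
extern int unlockpt(int);
extern char *ptsname(int);

/* Returns 0 and fills *master/*slave on success, -1 with errno on failure.
 * *via_ioctl reports whether the slave came from TIOCGPTPEER (1) or from the
 * path-based fallback (0). With allow_fallback == 0 a kernel without
 * TIOCGPTPEER is an error: a program that distrusts its mount namespace
 * should not silently degrade to a pathname lookup. */
int open_pty_pair(int *master, int *slave, int allow_fallback, int *via_ioctl)
{
    int m = open("/dev/ptmx", O_RDWR | O_NOCTTY | O_CLOEXEC);
    if (m < 0)
        return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0) {
        int saved = errno;
        close(m);
        errno = saved;
        return -1;
    }
    /* The ioctl argument is the open flags for the slave; no path is used. */
    int s = ioctl(m, TIOCGPTPEER, O_RDWR | O_NOCTTY | O_CLOEXEC);
    *via_ioctl = (s >= 0);
    if (s < 0 && allow_fallback && (errno == ENOTTY || errno == EINVAL)) {
        /* Pre-4.13 kernel: this is exactly the lookup the thread discusses. */
        const char *name = ptsname(m);
        if (name)
            s = open(name, O_RDWR | O_NOCTTY | O_CLOEXEC);
    }
    if (s < 0) {
        int saved = errno;
        close(m);
        errno = saved;
        return -1;
    }
    *master = m;
    *slave = s;
    return 0;
}

/* 1 if slave is a char device on devpts whose minor number matches the
 * master's pty index (TIOCGPTN), 0 otherwise. */
int slave_is_peer_of(int master, int slave)
{
    struct statfs sfs;
    struct stat st;
    unsigned int ptn;

    if (!isatty(slave))
        return 0;
    if (fstatfs(slave, &sfs) < 0 || sfs.f_type != DEVPTS_SUPER_MAGIC)
        return 0;
    if (fstat(slave, &st) < 0 || !S_ISCHR(st.st_mode))
        return 0;
    if (ioctl(master, TIOCGPTN, &ptn) < 0)
        return 0;
    return minor(st.st_rdev) == ptn;
}

int main(void)
{
    int m, s, via;
    /* Strict mode: no fallback, fail if the kernel lacks TIOCGPTPEER. */
    if (open_pty_pair(&m, &s, 0, &via) < 0) {
        perror("open_pty_pair");
        return 1;
    }
    printf("slave fd %d via %s, peer check %s\n", s,
           via ? "TIOCGPTPEER" : "ptsname", slave_is_peer_of(m, s) ? "ok" : "FAILED");
    close(s);
    close(m);
    return 0;
}
```

Note that the peer check is a consistency test, not a substitute for TIOCGPTPEER: a hostile mount namespace can present a devpts instance of its own, so the property that matters is that the slave was derived from the master fd in the first place.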