Received: by 10.223.164.202 with SMTP id h10csp4053772wrb; Mon, 20 Nov 2017 09:07:56 -0800 (PST) X-Google-Smtp-Source: AGs4zMa27ir/owTZndEXVU3S6VCRvnFaORnsxqGrEVNg92of49pQX6nX2HzOKUswsP9eAGAuA7YN X-Received: by 10.84.208.227 with SMTP id c32mr13981825plj.91.1511197676513; Mon, 20 Nov 2017 09:07:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511197676; cv=none; d=google.com; s=arc-20160816; b=w3OVuZJBgOEK9h6Tt1POqkeNCbthHDxkENcObwlZhBDZsXVh9TUHa3zAkyGQvdpsAL cGe1+aZGETBERw9TUn+8BvUaU8ePA5eHG7FzB3oMRBCAT2hATA2nAYVuoIOcU+MZlvLb ru05HHSnBnazA31Q85BTQONyB/c16zmANpIQGbjyB4ajlKkER+oJ35b198htNwfUrz4s BeyOC1kmNJpGs6A0qGLEJaYy1ZBFG3iZCBgF7ZAHAUfD7Ll/95euwZ30H5d4Se1vaDxY mReuegFoTWvR1s0+9zC2c5Q5Hn4XAFUjywkDKbpyhEXoGOROz2Bp2dRc1DnnV7AqDS3O GFSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :mime-version:user-agent:message-id:in-reply-to:date:references:cc :to:from:arc-authentication-results; bh=Z6nBUn4uTGpZwTJv6+f6CYMJMYVh8CCTxUtwggpOmuY=; b=gi5HQZwBiqGW13qmT5Guf/e5u6qN8D56ZOKmwWthIq3cyLQU2T4CP4X715zUl24INp s20+vhNW6wyWBG3LhcC+uqNICn/kUh1f/JzcReIRZYA16mlhdMgtuMBRpNwT6VFj3kzy YQRbaaCES0VN2+w5Oy7Asi25jaXR//Gp268ETeSlYcnJExhAVB8DOJcXHE9/aPV7a15e qadR57bUh25FYwiYdhFyDwMCNv9nQdkWR7yZPZ3witNvn1jou2VSX3clrDKvOY4Q11Ch La+AfHsjAxGAzfIU3SMGkvbZTxKj+Nui29YGCi07A97ZBa6JDm9Sm791lWsbTHCsyzqx hxYw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f2si8700410pge.67.2017.11.20.09.07.46; Mon, 20 Nov 2017 09:07:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751928AbdKTRG6 convert rfc822-to-8bit (ORCPT + 68 others); Mon, 20 Nov 2017 12:06:58 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:43258 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751897AbdKTRGz (ORCPT ); Mon, 20 Nov 2017 12:06:55 -0500 Received: from in01.mta.xmission.com ([166.70.13.51]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1eGpWx-0008CL-98; Mon, 20 Nov 2017 10:06:47 -0700 Received: from 67-3-204-119.omah.qwest.net ([67.3.204.119] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1eGpWq-00056Q-Ih; Mon, 20 Nov 2017 10:06:46 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: "Michael Kerrisk \(man-pages\)" Cc: Aleksa Sarai , linux-man@vger.kernel.org, Greg Kroah-Hartman , containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jiri Slaby , Christian Brauner References: <20170609170147.32311-1-asarai@suse.de> <11706e49-8271-ed8c-3747-19b3e8f2850d@gmail.com> <878tijwjic.fsf@xmission.com> <87ziaztoxu.fsf@xmission.com> Date: Mon, 20 Nov 2017 11:06:28 -0600 In-Reply-To: (Michael Kerrisk's message of "Mon, 20 Nov 2017 11:20:13 +0100") Message-ID: <87zi7gq3qj.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-XM-SPF: eid=1eGpWq-00056Q-Ih;;;mid=<87zi7gq3qj.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.204.119;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19pBypUu0gg+b3mAeb5IlvP6W35wjT1v4I= X-SA-Exim-Connect-IP: 67.3.204.119 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa06.xmission.com X-Spam-Level: X-Spam-Status: No, score=-0.2 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01 autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;"Michael Kerrisk \(man-pages\)" X-Spam-Relay-Country: X-Spam-Timing: total 5305 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.7 (0.1%), b_tie_ro: 1.74 (0.0%), parse: 0.97 (0.0%), extract_message_metadata: 14 (0.3%), get_uri_detail_list: 4.4 (0.1%), tests_pri_-1000: 3.0 (0.1%), tests_pri_-950: 1.20 (0.0%), tests_pri_-900: 1.03 (0.0%), tests_pri_-400: 59 (1.1%), check_bayes: 57 (1.1%), b_tokenize: 21 (0.4%), b_tok_get_all: 22 (0.4%), b_comp_prob: 6 (0.1%), b_tok_touch_all: 3.2 (0.1%), b_finish: 0.65 (0.0%), tests_pri_0: 452 (8.5%), check_dkim_signature: 0.64 (0.0%), check_dkim_adsp: 11 (0.2%), tests_pri_500: 4767 (89.9%), poll_dns_idle: 4761 (89.7%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org "Michael Kerrisk (man-pages)" writes: > On 08/16/2017 07:14 PM, Eric W. Biederman wrote: >> Aleksa Sarai writes: >> >>>> A couple of things to note on the bigger picture. >>>> >>>> The glibc library on all distributions has been changed to not have a >>>> setuid binary pt_chown, that uses ptsname. This was the primary fix >>>> for the security issue. >>>> >>>> The behavior of opening /dev/ptmx has been changed to perform a path >>>> lookup relative to the location of /dev/ptmx of ./pts/ptmx and open >>>> it it is a devpts filesystem and to fail otherwise. This further >>>> makes it hard to confuse userspace this way as /dev/ptmx always >>>> corresponds to /dev/pts/ptmx. Even in chroots and in other mount >>>> namespaces. >>> >>> I have a feeling that there might be a way to trick glibc if you use >>> FUSE, but I haven't actually tried to create a PoC for it. Fair point >>> though. >> >> To trick glibc fuse would have to be mounted somewhere on /dev. >> >>>> That makes TIOCGPTPEER a very nice addition, but not something people >>>> have to scramble to use to ensure their system is secure. As a hostile >>>> environment now has to work very hard to confuse the existing mechanisms. >>> >>> There are usecases where you simply need TIOCGPTPEER, and no other >>> userspace alternative will do, but maybe if we modified the paragraph >>> to read (as suggested): >>> >>> Security-conscious programs interacting with namespaces may >>> wish to use this operation rather than open(2) with the >>> pathname returned by ptsname(3). >>> >>> This would clarify that there are usecases where you need this >>> particular feature, without saying causing people to panic over >>> inaccurate claims of glibc being broken. Does that sound better? >> >> I think your original words sounded fine. I would even go for new >> programs may want to use the new ioctl as it fundamentally less racy >> and more of what is actually trying to be implemented with the userspace >> pieces. >> >> I just wanted to point out that TIOCGPTPEER while being the interface >> that it would have been nice had we had since the beginning (and would >> have avoided all of the problems) is actually not something we need to >> scramble and use it is just a very nice to have. As the immediate >> issues have been fixed in other ways. It was not clear to me from the >> other discussions if you and Michael Kerrisk were aware of the >> mitigations that had been made to address the security issue. > > So, my takeaway is that we leave this text: > > Security-conscious programs interacting with namespaces may > wish to use this operation rather than open(2) with the > pathname returned by ptsname(3), and similar library func‐ > tions that have insecure APIs. (For example, confusion can > occur in some cases using ptsname(3) with a pathname where > a devpts filesystem has been mounted in a different mount > namespace.) > > as is? > >> The change to the behavior of /dev/ptmx may need to be documented >> somewhere. I am not certain if anything has been documented since >> devpts has started allowing multiple mounts. > > Eric can you say more about this. When did this change occur? > What is the model: mount devpts once in each mount namespace? Let me replay things as best I can remember them. Once upon a time pty's were ordinary dev entries, and posix_openpt scoured around and found a pair of master/slave devices that were not used and return those. With a suid helper (pt_chown) grantpt changes the permissions on the slave side. This was in the days before udev and hotplug support in the kernel and so had the disadvantage of having requiring someone to call mknod in /dev for all possible ptys to be used before a pty could be created. Following a posix draft /dev/ptmx and the devpts filesystem (expected to be mounted at /dev/pts) were added. The opening of /dev/ptmx creates a slave entry in the devpts filesystem. The devpts filesystem options "uid", "gid", and "mode" existed since the beginning (2.1.93 ish) to ensure that the newly created slave tty has the correct mode. At which point the setuid granpt helper (pt_chown) should have begun the process of retirement. The weird quirk with devpts is that if it was mounted a secound time you would get the same filesytem you mounted the first time, but would have the opportunity to change the mount options. As some uncareful scripts would mount devpts in a chroot without the proper mount options in some distributions the pt_chown binary was kept on not just for backwards compability but to keep the system working after these weird scripts ran. I believe one of them is xen-image-builder. Meanwhile in the land of containers and checkpoint/restart we wanted the ability to migrate open ptys. To do that we felt it was necessary to preserve the major/minor numbers of the open ptys, so the migrated ptys would have the same numbers. Which resulted in devpts gaining the "newinstance" mount option and a ptmx device node in 2.6.29. To create a new slave in a mount of devpts mounted with "newinstance" it was necessary to open /dev/pts/ptmx which in practice was bind mounted or symlinked to /dev/ptmx to create a new pty. This solved things for containers. Lurking in the background was setuid helper for grantpt (pt_chown) which would not go away because of silly chrooted scripts that do things wrong. The addition of "newinstance" and user namespaces made it possible for an mischievous person to mount devpts without privilege and open a pty and pass that back to glibc and ask it to call granpt on it. At which point glibc would be confused and ask pt_chown to chown the same numbered pty in the local instance of devpts. As the attacker could completely control the pty number this had the potential for a lot of mischief. At the end of the day this wound up with 3 fixes. - Distributions stopped shipping pt_chown. - The devpts "newinstance" mount option was made to always apply in 4.7, ensuring the mount options of devpts would not affect other mounts, and thus removing the need for pt_chown. - The TIOCGPTPEER ioctl was added which if used carefully makes it impossible to confused glibc. To make "newinstance" always apply to devpts without breaking any existing distribution was interesting. The problem was the /dev/ptmx device node, which was fine when there was only one instance of devpts. When the "newinstance" mount option was added a specific devpts instance was mounted kernel internal and was used for /dev/ptmx for backwards compatiblity. Which worked at the time. With "newinstance" always creating a new instance of devpts that definition did not work. We examined just having /dev/ptmx point to the first mount of devpts but that fails on distributions like CentOS6 that mount devpts in the initrd and then again from fstab. We examined having devtmpfs create ptmx as a symlink to pts/ptmx, but that fails on distributions like slackware that don't mount devtmpfs. What did work was to have /dev/ptmx perform a relative path based lookup of "pts" in the same directory as the "ptmx" device node. That works for the weird distros like CentOS6 and the weird chroot images that call mknod /dev/ptmx and mount devpts themselves. Plus it works for all of the normal cases. Eric From 1584587307244901533@xxx Mon Nov 20 12:16:57 +0000 2017 X-GM-THRID: 1575826915259777764 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread