Received: by 10.223.164.202 with SMTP id h10csp3629317wrb; Mon, 20 Nov 2017 02:21:02 -0800 (PST) X-Google-Smtp-Source: AGs4zMYVrhufWRzL4qe/DjUmGPns8MLk202OcHS7i4xaJOdywlGM4Llmcj0f1Cj6PPj9hfqz42qf X-Received: by 10.101.67.140 with SMTP id m12mr12708670pgp.51.1511173262124; Mon, 20 Nov 2017 02:21:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511173262; cv=none; d=google.com; s=arc-20160816; b=c19syK4K8aKLbDNHi//dmL97UDOKvPHgZOxZqPAubaYooTQsxYgxzMtOqIxUDuYJuW RXh6bg08rDG0Eur4g75eaC+xhrjVlUaHC4zzd9q6in5Up4iepJZBy/5TDTVlDeoL2NgN /UUT0dkykD+OELzaaQ7BBd/zfKoSDcEByRYMkUr+3W6XjN2KGzIAIgVi5onHf23F+h69 0/AiX+UBZbr1Cg+Cueduqc94ZHB5O6dKzDpYrGZAh3auj8aP7gP1xZIuEcvtjyRNiZWf lwb8+ye4h1JKQ+EeDH0ROSWWUk1mlle/NddbRlQ12/A2WrPQclaFOQrspqebQODpOiAP aYIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:to:subject:cc:dkim-signature :arc-authentication-results; bh=bPu4Lodg2tkJPUt5nfk1eMuqybib/LjyU23J0iwfFdk=; b=hH/qmBVcCJFYuHbh8zmmbKiCd2wUGqQTcJsQB/YD41WIByyFMOA/ULEjEH7z1P/+H1 h117/aGCxY0dBofAGeYsRONxdMkULqiRtyRgNFK1CIEBg5Yaxq8nOpesyM8IWopJqQVw pZuU3zbHcP2F+SwdmmNuftsImYOWiro731A+TT+E7bMsPREJyqfU2eyHmsBpqdSNB7W/ z9ZJA4+rFRbhCGwWKMph6OYVqliuW7/4scnk2yJmXQGymLPG5WOptkuNmF2lB3+YXozD 7PRb+jHYPHMVJQ1SjQMg/driVEH+DC6X7AK5VvW7XRwW7mtWsC7ZPDV3Vkm4oeTILke4 N+kg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=U/jfjRGp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l24si8711303pfi.284.2017.11.20.02.20.52; Mon, 20 Nov 2017 02:21:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=U/jfjRGp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751185AbdKTKUT (ORCPT + 68 others); Mon, 20 Nov 2017 05:20:19 -0500 Received: from mail-wm0-f44.google.com ([74.125.82.44]:44404 "EHLO mail-wm0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751049AbdKTKUQ (ORCPT ); Mon, 20 Nov 2017 05:20:16 -0500 Received: by mail-wm0-f44.google.com with SMTP id r68so17733328wmr.3; Mon, 20 Nov 2017 02:20:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=cc:subject:to:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=bPu4Lodg2tkJPUt5nfk1eMuqybib/LjyU23J0iwfFdk=; b=U/jfjRGp4bAmade6P4zYWg0qruUkD8hO+ZFYj0cLeuDMC/cFKXFfHSWvbvexzuEoBY TMHU7HLidDnltTo3dBFCsZwv/FiJ1Yuzpnnnluj6kpJdhgwgkudcYj/9HYGqH8Rbdjex BQVpnvR8QWPfzp/MjEXL9R8gBjY42ki+JybdACl8PSpPxCHJc87SQiTBYp5VuoN4RvNI kKOmblWVu0HGXYcBanmcXhEvWU+390miwnDWO1j8pWgF1a3p3tvDz9tioa5dH5htMVoz WIeorkL6g+pYGD5ZLebkOvBA5fVcqeRRlXU3FkEkNnSVIZtVe9m6U6cO5P9K4jwXxYw2 PHoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:cc:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=bPu4Lodg2tkJPUt5nfk1eMuqybib/LjyU23J0iwfFdk=; b=lFQFtlrSpbhfEe4fQCqxl0idSu3DbULg65dLSjc6RLiyT2JnllZZlREuhaKRNWRFD9 mBQRbP/HDJu4gXsrQIMvbSzkUDQkhDRj96HpFHq16TTdbI0K/icIBTU+PIWiFy08szNX dJmnZfE2F2JdsVO9/nXRnseCEKf5ELByg7fVhSS51lWG1tM1sZpTpbBW+7bkbrEEkPul GSVmSkUIDh4l6QfpLL6bjWtC8B9Q33NtCUiRUSuBUPrY3CMbHGatZEes49mtSqB/Sxkb z017+rF7Giq0IBJJKi0WY1O75QzBlj+IvaLNdxEmySO0SIC8ZYeSrLbMD88Y22MBPWJ9 gl4A== X-Gm-Message-State: AJaThX7vqriuc8VegFlbR8BNyU6VLD6timgH6QjIEdg+HW7Tt1J0qczP Y5mvPX4TM0eFzDgENiCL7gY= X-Received: by 10.80.134.51 with SMTP id o48mr15768604edo.276.1511173215117; Mon, 20 Nov 2017 02:20:15 -0800 (PST) Received: from [192.168.234.154] (mail2.jambit.com. [213.131.239.194]) by smtp.gmail.com with ESMTPSA id g45sm6404398eda.88.2017.11.20.02.20.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 20 Nov 2017 02:20:14 -0800 (PST) Cc: mtk.manpages@gmail.com, linux-man@vger.kernel.org, Greg Kroah-Hartman , containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jiri Slaby , Christian Brauner Subject: Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation To: "Eric W. Biederman" , Aleksa Sarai References: <20170609170147.32311-1-asarai@suse.de> <11706e49-8271-ed8c-3747-19b3e8f2850d@gmail.com> <878tijwjic.fsf@xmission.com> <87ziaztoxu.fsf@xmission.com> From: "Michael Kerrisk (man-pages)" Message-ID: Date: Mon, 20 Nov 2017 11:20:13 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <87ziaztoxu.fsf@xmission.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/16/2017 07:14 PM, Eric W. Biederman wrote: > Aleksa Sarai writes: > >>> A couple of things to note on the bigger picture. >>> >>> The glibc library on all distributions has been changed to not have a >>> setuid binary pt_chown, that uses ptsname. This was the primary fix >>> for the security issue. >>> >>> The behavior of opening /dev/ptmx has been changed to perform a path >>> lookup relative to the location of /dev/ptmx of ./pts/ptmx and open >>> it it is a devpts filesystem and to fail otherwise. This further >>> makes it hard to confuse userspace this way as /dev/ptmx always >>> corresponds to /dev/pts/ptmx. Even in chroots and in other mount >>> namespaces. >> >> I have a feeling that there might be a way to trick glibc if you use >> FUSE, but I haven't actually tried to create a PoC for it. Fair point >> though. > > To trick glibc fuse would have to be mounted somewhere on /dev. > >>> That makes TIOCGPTPEER a very nice addition, but not something people >>> have to scramble to use to ensure their system is secure. As a hostile >>> environment now has to work very hard to confuse the existing mechanisms. >> >> There are usecases where you simply need TIOCGPTPEER, and no other >> userspace alternative will do, but maybe if we modified the paragraph >> to read (as suggested): >> >> Security-conscious programs interacting with namespaces may >> wish to use this operation rather than open(2) with the >> pathname returned by ptsname(3). >> >> This would clarify that there are usecases where you need this >> particular feature, without saying causing people to panic over >> inaccurate claims of glibc being broken. Does that sound better? > > I think your original words sounded fine. I would even go for new > programs may want to use the new ioctl as it fundamentally less racy > and more of what is actually trying to be implemented with the userspace > pieces. > > I just wanted to point out that TIOCGPTPEER while being the interface > that it would have been nice had we had since the beginning (and would > have avoided all of the problems) is actually not something we need to > scramble and use it is just a very nice to have. As the immediate > issues have been fixed in other ways. It was not clear to me from the > other discussions if you and Michael Kerrisk were aware of the > mitigations that had been made to address the security issue. So, my takeaway is that we leave this text: Security-conscious programs interacting with namespaces may wish to use this operation rather than open(2) with the pathname returned by ptsname(3), and similar library func‐ tions that have insecure APIs. (For example, confusion can occur in some cases using ptsname(3) with a pathname where a devpts filesystem has been mounted in a different mount namespace.) as is? > The change to the behavior of /dev/ptmx may need to be documented > somewhere. I am not certain if anything has been documented since > devpts has started allowing multiple mounts. Eric can you say more about this. When did this change occur? What is the model: mount devpts once in each mount namespace? Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ From 1575908868617255957@xxx Wed Aug 16 17:16:52 +0000 2017 X-GM-THRID: 1575826915259777764 X-Gmail-Labels: Inbox,Category Forums