Received: by 10.223.164.202 with SMTP id h10csp3629317wrb;
        Mon, 20 Nov 2017 02:21:02 -0800 (PST)
X-Google-Smtp-Source: AGs4zMYVrhufWRzL4qe/DjUmGPns8MLk202OcHS7i4xaJOdywlGM4Llmcj0f1Cj6PPj9hfqz42qf
X-Received: by 10.101.67.140 with SMTP id m12mr12708670pgp.51.1511173262124;
        Mon, 20 Nov 2017 02:21:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511173262; cv=none;
        d=google.com; s=arc-20160816;
        b=c19syK4K8aKLbDNHi//dmL97UDOKvPHgZOxZqPAubaYooTQsxYgxzMtOqIxUDuYJuW
         RXh6bg08rDG0Eur4g75eaC+xhrjVlUaHC4zzd9q6in5Up4iepJZBy/5TDTVlDeoL2NgN
         /UUT0dkykD+OELzaaQ7BBd/zfKoSDcEByRYMkUr+3W6XjN2KGzIAIgVi5onHf23F+h69
         0/AiX+UBZbr1Cg+Cueduqc94ZHB5O6dKzDpYrGZAh3auj8aP7gP1xZIuEcvtjyRNiZWf
         lwb8+ye4h1JKQ+EeDH0ROSWWUk1mlle/NddbRlQ12/A2WrPQclaFOQrspqebQODpOiAP
         aYIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:cc:dkim-signature
         :arc-authentication-results;
        bh=bPu4Lodg2tkJPUt5nfk1eMuqybib/LjyU23J0iwfFdk=;
        b=hH/qmBVcCJFYuHbh8zmmbKiCd2wUGqQTcJsQB/YD41WIByyFMOA/ULEjEH7z1P/+H1
         h117/aGCxY0dBofAGeYsRONxdMkULqiRtyRgNFK1CIEBg5Yaxq8nOpesyM8IWopJqQVw
         pZuU3zbHcP2F+SwdmmNuftsImYOWiro731A+TT+E7bMsPREJyqfU2eyHmsBpqdSNB7W/
         z9ZJA4+rFRbhCGwWKMph6OYVqliuW7/4scnk2yJmXQGymLPG5WOptkuNmF2lB3+YXozD
         7PRb+jHYPHMVJQ1SjQMg/driVEH+DC6X7AK5VvW7XRwW7mtWsC7ZPDV3Vkm4oeTILke4
         N+kg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=U/jfjRGp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l24si8711303pfi.284.2017.11.20.02.20.52;
        Mon, 20 Nov 2017 02:21:02 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=U/jfjRGp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751185AbdKTKUT (ORCPT <rfc822;morganleezd2003@gmail.com>
        + 68 others); Mon, 20 Nov 2017 05:20:19 -0500
Received: from mail-wm0-f44.google.com ([74.125.82.44]:44404 "EHLO
        mail-wm0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751049AbdKTKUQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 20 Nov 2017 05:20:16 -0500
Received: by mail-wm0-f44.google.com with SMTP id r68so17733328wmr.3;
        Mon, 20 Nov 2017 02:20:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=cc:subject:to:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=bPu4Lodg2tkJPUt5nfk1eMuqybib/LjyU23J0iwfFdk=;
        b=U/jfjRGp4bAmade6P4zYWg0qruUkD8hO+ZFYj0cLeuDMC/cFKXFfHSWvbvexzuEoBY
         TMHU7HLidDnltTo3dBFCsZwv/FiJ1Yuzpnnnluj6kpJdhgwgkudcYj/9HYGqH8Rbdjex
         BQVpnvR8QWPfzp/MjEXL9R8gBjY42ki+JybdACl8PSpPxCHJc87SQiTBYp5VuoN4RvNI
         kKOmblWVu0HGXYcBanmcXhEvWU+390miwnDWO1j8pWgF1a3p3tvDz9tioa5dH5htMVoz
         WIeorkL6g+pYGD5ZLebkOvBA5fVcqeRRlXU3FkEkNnSVIZtVe9m6U6cO5P9K4jwXxYw2
         PHoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:cc:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=bPu4Lodg2tkJPUt5nfk1eMuqybib/LjyU23J0iwfFdk=;
        b=lFQFtlrSpbhfEe4fQCqxl0idSu3DbULg65dLSjc6RLiyT2JnllZZlREuhaKRNWRFD9
         mBQRbP/HDJu4gXsrQIMvbSzkUDQkhDRj96HpFHq16TTdbI0K/icIBTU+PIWiFy08szNX
         dJmnZfE2F2JdsVO9/nXRnseCEKf5ELByg7fVhSS51lWG1tM1sZpTpbBW+7bkbrEEkPul
         GSVmSkUIDh4l6QfpLL6bjWtC8B9Q33NtCUiRUSuBUPrY3CMbHGatZEes49mtSqB/Sxkb
         z017+rF7Giq0IBJJKi0WY1O75QzBlj+IvaLNdxEmySO0SIC8ZYeSrLbMD88Y22MBPWJ9
         gl4A==
X-Gm-Message-State: AJaThX7vqriuc8VegFlbR8BNyU6VLD6timgH6QjIEdg+HW7Tt1J0qczP
        Y5mvPX4TM0eFzDgENiCL7gY=
X-Received: by 10.80.134.51 with SMTP id o48mr15768604edo.276.1511173215117;
        Mon, 20 Nov 2017 02:20:15 -0800 (PST)
Received: from [192.168.234.154] (mail2.jambit.com. [213.131.239.194])
        by smtp.gmail.com with ESMTPSA id g45sm6404398eda.88.2017.11.20.02.20.13
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 20 Nov 2017 02:20:14 -0800 (PST)
Cc:     mtk.manpages@gmail.com, linux-man@vger.kernel.org,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        containers@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org, Jiri Slaby <jslaby@suse.com>,
        Christian Brauner <christian.brauner@ubuntu.com>
Subject: Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation
To:     "Eric W. Biederman" <ebiederm@xmission.com>,
        Aleksa Sarai <asarai@suse.de>
References: <20170609170147.32311-1-asarai@suse.de>
 <11706e49-8271-ed8c-3747-19b3e8f2850d@gmail.com>
 <878tijwjic.fsf@xmission.com> <a7175aad-645c-8f86-d7cf-51f24f0bc281@suse.de>
 <87ziaztoxu.fsf@xmission.com>
From:   "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Message-ID: <c702b5c6-0098-4a61-f51c-c28ed085534f@gmail.com>
Date:   Mon, 20 Nov 2017 11:20:13 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <87ziaztoxu.fsf@xmission.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/16/2017 07:14 PM, Eric W. Biederman wrote:
> Aleksa Sarai <asarai@suse.de> writes:
> 
>>> A couple of things to note on the bigger picture.
>>>
>>> The glibc library on all distributions has been changed to not have a
>>> setuid binary pt_chown, that uses ptsname.  This was the primary fix
>>> for the security issue.
>>>
>>> The behavior of opening /dev/ptmx has been changed to perform a path
>>> lookup relative to the location of /dev/ptmx of  ./pts/ptmx and open
>>> it it is a devpts filesystem and to fail otherwise.    This further
>>> makes it hard to confuse userspace this way as /dev/ptmx always
>>> corresponds to /dev/pts/ptmx.  Even in chroots and in other mount
>>> namespaces.
>>
>> I have a feeling that there might be a way to trick glibc if you use
>> FUSE, but I haven't actually tried to create a PoC for it. Fair point
>> though.
> 
> To trick glibc fuse would have to be mounted somewhere on /dev.
> 
>>> That makes TIOCGPTPEER a very nice addition, but not something people
>>> have to scramble to use to ensure their system is secure.  As a hostile
>>> environment now has to work very hard to confuse the existing mechanisms.
>>
>> There are usecases where you simply need TIOCGPTPEER, and no other
>> userspace alternative will do, but maybe if we modified the paragraph
>> to read (as suggested):
>>
>>   Security-conscious programs interacting with namespaces may
>>   wish  to  use  this  operation rather than open(2) with the
>>   pathname returned by ptsname(3).
>>
>> This would clarify that there are usecases where you need this
>> particular feature, without saying causing people to panic over
>> inaccurate claims of glibc being broken. Does that sound better?
> 
> I think your original words sounded fine.  I would even go for new
> programs may want to use the new ioctl as it fundamentally less racy
> and more of what is actually trying to be implemented with the userspace
> pieces.
> 
> I just wanted to point out that TIOCGPTPEER while being the interface
> that it would have been nice had we had since the beginning (and would
> have avoided all of the problems) is actually not something we need to
> scramble and use it is just a very nice to have.  As the immediate
> issues have been fixed in other ways.    It was not clear to me from the
> other discussions if you and Michael Kerrisk were aware of the
> mitigations that had been made to address the security issue.

So, my takeaway is that we leave this text:

              Security-conscious programs interacting with namespaces may
              wish  to  use  this  operation rather than open(2) with the
              pathname returned by ptsname(3), and similar library  func‐
              tions that have insecure APIs.  (For example, confusion can
              occur in some cases using ptsname(3) with a pathname  where
              a  devpts  filesystem has been mounted in a different mount
              namespace.)

as is?

> The change to the behavior of /dev/ptmx may need to be documented
> somewhere.   I am not certain if anything has been documented since
> devpts has started allowing multiple mounts.

Eric can you say more about this. When did this change occur?
What is the model: mount devpts once in each mount namespace?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

From 1575908868617255957@xxx Wed Aug 16 17:16:52 +0000 2017
X-GM-THRID: 1575826915259777764
X-Gmail-Labels: Inbox,Category Forums