Re: Access to /dev/pts devices via pt_chown and user namespaces

["Dmitry V. Levin" <ldv () altlinux org>]

On Wed, Feb 24, 2016 at 07:01:11AM +0000, Simon McVittie wrote:
[...]
> <https://bugs.debian.org/717544> has some interesting background. The
> Debian and Ubuntu glibc maintainers tried turning off pt_chown in 2014,
> but had to turn it back on because it caused too many regressions: in
> particular "mount -t devpts devpts-foo chroot-foo/dev/pts" apparently
> alters the mount options for the "real" /dev/pts, not just the one being
> mounted in the chroot (presumably losing the noexec,nosuid,gid=5 and
> mode=620 or mode=600 options that are expected in Debian). I don't know
> whether the default mount options were subsequently altered in util-linux
> and/or the kernel as suggested on that bug, or whether manually mounting
> devpts is just not going to be a supported action in Debian 9.

Linux kernel, starting with version 2.6.29, allows multiple instances
of devpts filesystem (assuming that CONFIG_DEVPTS_MULTIPLE_INSTANCES
is enabled) when "newinstance" mount option is specified for devpts.
The feature is primarily to support containers, but also addresses
the issue: 
https://www.kernel.org/doc/Documentation/filesystems/devpts.txt


-- 
ldv

Attachment: _bin
Description: