oss-sec mailing list archives
Re: Access to /dev/pts devices via pt_chown and user namespaces
From: "Dmitry V. Levin" <ldv () altlinux org>
Date: Wed, 24 Feb 2016 11:03:04 +0300
On Wed, Feb 24, 2016 at 07:01:11AM +0000, Simon McVittie wrote:
[...]
> <https://bugs.debian.org/717544> has some interesting background. The Debian and Ubuntu glibc maintainers tried turning off pt_chown in 2014, but had to turn it back on because it caused too many regressions: in particular "mount -t devpts devpts-foo chroot-foo/dev/pts" apparently alters the mount options for the "real" /dev/pts, not just the one being mounted in the chroot (presumably losing the noexec,nosuid,gid=5 and mode=620 or mode=600 options that are expected in Debian). I don't know whether the default mount options were subsequently altered in util-linux and/or the kernel as suggested on that bug, or whether manually mounting devpts is just not going to be a supported action in Debian 9.
The Linux kernel, starting with version 2.6.29, allows multiple instances of the devpts filesystem (assuming that CONFIG_DEVPTS_MULTIPLE_INSTANCES is enabled) when the "newinstance" mount option is specified for devpts. The feature is primarily intended to support containers, but it also addresses the issue: https://www.kernel.org/doc/Documentation/filesystems/devpts.txt

-- 
ldv
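The following is an added example, not part of this thread or of any of the posters' messages. It shows the mount invocation for a private devpts instance as described in devpts.txt, and a small checker that walks /proc/mounts-style lines and flags devpts mounts that are not their own instance or that lack the nosuid,noexec and mode=620/mode=600 options Simon's message expects. The sample mount lines are constructed, not captured from a real host; the policy the checker enforces (every devpts mount other than /dev/pts must carry newinstance) is an assumption of this example, and the chroot paths are hypothetical.

```shell
#!/bin/sh
# Added example for the oss-sec devpts/pt_chown thread; not the kernel's or
# Debian's code. Audits devpts mounts against the options discussed above.

# Constructed /proc/mounts-style lines (not captured from a real system).
# Fields: source target fstype options dump pass
SAMPLE_MOUNTS='devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts-foo /srv/chroot-foo/dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
devpts /srv/chroot-bar/dev/pts devpts rw,nosuid,noexec,relatime,newinstance,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# has_opt OPTS NAME: succeed if NAME (or NAME=value) is in the comma list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
    esac
    return 1
}

# devpts_mount_cmd ROOT: print the commands for a private devpts instance under
# ROOT, following devpts.txt: mount with newinstance, then point ROOT/dev/ptmx
# at the new instance's pts/ptmx (the hypothetical ROOT is the caller's chroot).
devpts_mount_cmd() {
    printf 'mount -t devpts -o newinstance,nosuid,noexec,gid=5,mode=620,ptmxmode=0666 devpts %s/dev/pts\n' "$1"
    printf 'ln -sf pts/ptmx %s/dev/ptmx\n' "$1"
}

# check_devpts_line LINE: for a devpts mount print "OK target" or
# "WARN target: problems" and return 1 on WARN; non-devpts lines are skipped.
check_devpts_line() {
    set -- $1   # split the line on whitespace into $1..$6
    [ "$3" = devpts ] || return 0
    target=$2; opts=$4; problems=''
    # Assumption of this checker: any devpts mount besides the system one at
    # /dev/pts must be its own instance, or its options alias the real /dev/pts.
    if [ "$target" != /dev/pts ] && ! has_opt "$opts" newinstance; then
        problems="$problems missing-newinstance"
    fi
    has_opt "$opts" nosuid || problems="$problems missing-nosuid"
    has_opt "$opts" noexec || problems="$problems missing-noexec"
    case ",$opts," in
        *,mode=620,*|*,mode=600,*) ;;
        *) problems="$problems unexpected-mode" ;;
    esac
    if [ -n "$problems" ]; then
        printf 'WARN %s:%s\n' "$target" "$problems"
        return 1
    fi
    printf 'OK %s\n' "$target"
}

# audit_mounts DATA: run check_devpts_line over every line of DATA; the exit
# status is the number of devpts mounts that were flagged.
audit_mounts() {
    warnings=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_devpts_line "$line" || warnings=$((warnings + 1))
    done <<EOF
$1
EOF
    return $warnings
}

audit_mounts "$SAMPLE_MOUNTS"; echo "devpts mounts flagged: $?"
devpts_mount_cmd /srv/chroot-foo
```

On a live host, feed the checker `cat /proc/mounts` instead of the constructed sample; the second sample line (a chroot devpts mounted without newinstance, exactly the invocation quoted above) is the one it flags.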
Current thread:
- Access to /dev/pts devices via pt_chown and user namespaces halfdog (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Solar Designer (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces halfdog (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Simon McVittie (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 24)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Serge Hallyn (Feb 24)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Jakub Wilk (Feb 27)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Solar Designer (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Alan Coopersmith (Feb 23)