Re: Access to /dev/pts devices via pt_chown and user namespaces

[Jakub Wilk <jwilk () debian org>]

* Simon McVittie <smcv () debian org>, 2016-02-24, 07:01:
> > > Just for the record, pt_chown is not enabled by default in upstream 
> > > glibc starting with glibc-2.18, one has to specify --enable-pt_chown 
> > > configure option explicitly to build pt_chown.
> >
> > Thanks for that information. So for pt_chown, this could hopefully be 
> > just an Ubuntu issue.
>
> And Debian 8 (but not the future Debian 9, at least on Linux kernels), 
> and probably other distributions where backward compat was a concern.
>
> <https://bugs.debian.org/717544> has some interesting background. The 
> Debian and Ubuntu glibc maintainers tried turning off pt_chown in 2014, 
> but had to turn it back on because it caused too many regressions: in 
> particular "mount -t devpts devpts-foo chroot-foo/dev/pts" apparently 
> alters the mount options for the "real" /dev/pts, not just the one 
> being mounted in the chroot (presumably losing the noexec,nosuid,gid=5 
> and mode=620 or mode=600 options that are expected in Debian). I don't 
> know whether the default mount options were subsequently altered in 
> util-linux and/or the kernel as suggested on that bug, or whether 
> manually mounting devpts is just not going to be a supported action in 
> Debian 9.

grantpt() was fixed so that it works even when /dev/pts mount options 
are "wrong":
https://sourceware.org/ml/libc-alpha/2015-12/msg00151.html

This is going to be backported to Debian 8 (jessie):
https://bugs.debian.org/816023

--
Jakub Wilk