Re: open_init_pty function? - Christopher J. PeBenito

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: eric gisse <jowr.pi@gmail.com>, <selinux@tycho.nsa.gov>
Subject: Re: open_init_pty function?
Date: Mon, 15 Dec 2014 08:55:13 -0500	[thread overview]
Message-ID: <548EE841.6090402@tresys.com> (raw)
In-Reply-To: <CAHZ_Ajs3ah9JcoxdmUr54-AzsN8ksP81HMpMfi-egTx4=Hzt-w@mail.gmail.com>

On 12/15/2014 6:32 AM, eric gisse wrote:
> In tracking down some related issues, the subject of the helper
> program /usr/sbin/open_init_pty came up.
> 
> This gets called by run_init as the final step for running a program
> in the initrc context, like this:
> 
> if (execvp("/usr/sbin/open_init_pty", argv)) {
>   perror("execvp");
>   exit(-1);
> }
> 
> The context for this problem is the discovery that open_init_pty
> doesn't play well with others by refusing to pass along return codes.
> Eg, run_init from stock will always return 0.
> 
> Debian fixes this problem by fixing open_init_pty to return status
> codes, redhat bypasses it in favor of execvp(), and gentoo uses stock
> and is evaluating its' options.
> 
> What I'm trying to figure out is, is the function of open_init_pty in
> the general sense.
> 
> Init scripts don't generally get a pty, so I don't understand the
> necessity and hope someone here can shed a little light on this.

Most daemons will print early error messages before reopening their
stdin/out/err to /dev/null.  The purpose of open_init_pty is to provide
an isolated stdin/out/err for the init scripts and daemons.  Without it,
we'd have to allow all daemons to read/write sysadm/unconfined
terminals, which opens those highly-privileged users to attack.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

next prev parent reply	other threads:[~2014-12-15 13:55 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-15 11:32 open_init_pty function? eric gisse
2014-12-15 13:55 ` Christopher J. PeBenito [this message]
2014-12-15 16:33   ` eric gisse
2014-12-15 18:26     ` Christopher J. PeBenito
2014-12-17 13:32       ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=548EE841.6090402@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=jowr.pi@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.