From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
security@debian.org, "security\@kernel.org" <security@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
"security\@ubuntu.com \>\> security" <security@ubuntu.com>,
Peter Hurley <peter@hurleysoftware.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>, Willy Tarreau <w@1wt.eu>,
Aurelien Jarno <aurelien@aurel32.net>, Jann Horn <jann@thejh.net>,
Greg KH <greg@kroah.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jiri Slaby <jslaby@suse.com>, Florian Weimer <fw@deneb.enyo.de>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup
Date: Fri, 08 Apr 2016 18:03:11 -0500 [thread overview]
Message-ID: <87wpo7itzk.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CA+55aFyb_WGTm7=QLLnAC6pSyvso-a6mTcXWvJAtxpKo5nzUTA@mail.gmail.com> (Linus Torvalds's message of "Fri, 8 Apr 2016 14:54:18 -0700")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> But more fundamentally I still don't actually understand why you even
> really care.
At this point I care because there is a failure of communication.
Until this email no one has ever said: "Ok that actually could happen
but we don't actually care."
Right now I am a bit paranoid because I have seen a few too many cases
where some little detail was glossed over and someone clever turned it
into a great big CVE they could drive a truck through. So I am once
bitten twice shy and all of that.
> We get the wrong pts case *today*. We'd get a different wrong pts
> namespace when somebody tries to do odd things. Why would we care? It
> would be a _better_ guess.
>
> I don't see the security issue. If you do tricks to get pty's in
> another group, what's the problem? You have to do it consciously, and
> I don't see what the downside is. You get what you ask for, and I
> don't see a new attack surface.
>
> The whole "somebody used chmod on /dev/pts/" argument sounds bogus.
> That's an insane thing to do. If you want a private namespace, you
> make *all* of /dev private, you don't go "oh, I'll just make the pts
> subdirectory private".
Oh I pretty much agree it is an insane thing to do. At the same time I
know that people can make a lot of little sane decisions that can lead
to an insane situation, so just because it is insane I can't rule
it out automatically.
The actual sane thing to do, and what I think most of userspace does
at this point is to create it's own mount namespace so nothing is
visible to outsiders.
> In other words, your whole scenario sounds totally made up to begin
> with. And even if it happens, I don't see what would be so disastrous
> about it.
In general I agree. The scenario is made up. I would be surprised if
it happens.
> I mean, right now, /dev/ptmx is world read-write in the root container
> and everybody gets access to the same underlying set of ptys. And
> that's not some horrible security issue. It's how things are
> *supposed* to work.
I agree.
> So I really don't see the argument. You guys are just making shit up.
I don't see why we have the linux extension of supporting anything
except mode 0666 on /dev/ptmx or /dev/pts/ptmx. This is really about
not breaking that linux extension by overlooking some little detail.
On the attack analysis front the worst thing I can see happening is a
denial of service attack. I see two possible denial of service attacks.
One possible attack creates a pty and prevents devpts from being
unmounted. Another possible attack creates all possible ptys on a
devpts instance, and prevents legitimate tty creations from happening.
At the end of the day as you say it would be a pretty crazy person who
isolated a mount of devpts with just the permissions of /dev/pts/ptmx.
So if we don't want to care knowing those stupid attacks above are
possible I am happy not to care. They don't look all that serious to
me.
Eric
next prev parent reply other threads:[~2016-04-08 23:14 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <43AD2BA7-B594-4299-95F3-D86FD38AF21B@zytor.com>
[not found] ` <87egexpf4o.fsf@x220.int.ebiederm.org>
[not found] ` <CA+55aFw9Bg+Zh_T4zP487n3ieaxoMHgZ_nNJVdpSR4kQK9gQ9w@mail.gmail.com>
[not found] ` <1CB621EF-1647-463B-A144-D611DB150E15@zytor.com>
[not found] ` <20151208223135.GA8352@kroah.com>
[not found] ` <87oae0h2bo.fsf@x220.int.ebiederm.org>
[not found] ` <56677DE3.5040705@zytor.com>
[not found] ` <20151209012311.GA11794@kroah.com>
[not found] ` <84B136DF-55E4-476A-9CB2-062B15677EE5@zytor.com>
[not found] ` <20151209013859.GA12442@kroah.com>
[not found] ` <20151209083225.GA30452@1wt.eu>
2015-12-11 19:40 ` [PATCH] devpts: Sensible /dev/ptmx & force newinstance Eric W. Biederman
2015-12-11 20:50 ` Linus Torvalds
2015-12-11 21:03 ` Eric W. Biederman
2015-12-11 21:04 ` Al Viro
2015-12-11 21:11 ` Eric W. Biederman
2015-12-11 21:48 ` Andy Lutomirski
2015-12-11 22:07 ` H. Peter Anvin
2015-12-11 22:12 ` Andy Lutomirski
2015-12-11 22:18 ` H. Peter Anvin
2015-12-11 22:24 ` Andy Lutomirski
2015-12-11 22:29 ` H. Peter Anvin
2015-12-11 22:35 ` Eric W. Biederman
2015-12-11 22:52 ` Andy Lutomirski
2015-12-11 22:58 ` Jann Horn
2015-12-11 23:00 ` Andy Lutomirski
2015-12-11 23:07 ` H. Peter Anvin
2015-12-11 23:16 ` Andy Lutomirski
2015-12-11 23:30 ` H. Peter Anvin
2015-12-11 22:57 ` H. Peter Anvin
2015-12-14 19:47 ` Peter Hurley
2015-12-14 19:55 ` H. Peter Anvin
2015-12-19 21:13 ` Eric W. Biederman
2015-12-20 4:11 ` Eric W. Biederman
2015-12-20 4:35 ` H. Peter Anvin
2015-12-20 9:42 ` Eric W. Biederman
2015-12-21 22:03 ` Eric W. Biederman
2015-12-21 22:23 ` Linus Torvalds
2016-04-05 0:03 ` [PATCH 00/13] devpts: New instances for every mount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Eric W. Biederman
2016-04-05 1:29 ` [PATCH 02/13] devpts: More obvious check for the system devpts in pty allocation Eric W. Biederman
2016-04-05 1:29 ` [PATCH 03/13] devpts: Cleanup newinstance parsing Eric W. Biederman
2016-04-05 1:29 ` [PATCH 04/13] devpts: Stop rolling devpts_remount by hand in devpts_mount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 05/13] devpts: Fail early (if appropriate) on overmount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 06/13] devpts: Use the same default mode for both /dev/ptmx and dev/pts/ptmx Eric W. Biederman
2016-04-05 1:29 ` [PATCH 07/13] devpts: Move parse_mount_options into fill_super Eric W. Biederman
2016-04-05 1:29 ` [PATCH 08/13] devpts: Make devpts_kill_sb safe if fsi is NULL Eric W. Biederman
2016-04-05 1:29 ` [PATCH 09/13] devpts: Move the creation of /dev/pts/ptmx into fill_super Eric W. Biederman
2016-04-05 1:29 ` [PATCH 10/13] devpts: Simplify devpts_mount by using mount_nodev Eric W. Biederman
2016-04-05 1:29 ` [PATCH 11/13] vfs: Implement mount_super_once Eric W. Biederman
2016-04-05 1:29 ` [PATCH 12/13] devpts: Always return a distinct instance when mounting Eric W. Biederman
2016-04-05 1:29 ` [PATCH 13/13] devpts: Kill the DEVPTS_MULTIPLE_INSTANCE config option Eric W. Biederman
2016-04-05 2:54 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Al Viro
2016-04-05 3:03 ` Al Viro
2016-04-08 18:54 ` Eric W. Biederman
2016-04-07 16:06 ` Linus Torvalds
2016-04-08 18:51 ` Eric W. Biederman
2016-04-08 19:05 ` Linus Torvalds
2016-04-08 20:05 ` Eric W. Biederman
2016-04-08 20:43 ` Andy Lutomirski
2016-04-08 21:29 ` Eric W. Biederman
2016-04-08 21:54 ` Linus Torvalds
2016-04-08 23:03 ` Eric W. Biederman [this message]
2016-04-08 21:56 ` Andy Lutomirski
2016-04-09 13:09 ` One Thousand Gnomes
2016-04-09 14:10 ` H. Peter Anvin
2016-04-09 14:45 ` Eric W. Biederman
2016-04-09 22:37 ` H. Peter Anvin
2016-04-10 0:01 ` Linus Torvalds
2016-04-10 0:06 ` H. Peter Anvin
2016-04-10 0:16 ` Linus Torvalds
2016-04-10 0:44 ` Andy Lutomirski
[not found] ` <CA+55aFzs00iDkYhvFCq=AZMVcNL0+oZT4SeimTeVurJq=5ZS3A@mail.gmail.com>
2016-04-11 14:48 ` H. Peter Anvin
2016-04-12 1:31 ` Al Viro
2016-04-11 20:12 ` Andy Lutomirski
2016-04-11 20:10 ` Eric W. Biederman
2016-04-11 20:16 ` H. Peter Anvin
2016-04-11 23:37 ` Eric W. Biederman
2016-04-12 0:01 ` Linus Torvalds
2016-04-12 0:10 ` Eric W. Biederman
2016-04-12 1:06 ` H. Peter Anvin
2016-04-12 1:18 ` Linus Torvalds
2016-04-12 1:23 ` Eric W. Biederman
2016-04-12 1:47 ` Al Viro
2016-04-12 1:34 ` Al Viro
2016-04-12 2:16 ` Eric W. Biederman
2016-04-12 17:44 ` Andy Lutomirski
2016-04-12 18:12 ` Linus Torvalds
2016-04-12 19:07 ` H. Peter Anvin
2016-04-15 15:34 ` [PATCH 01/16] devpts: Attempting to get it right Eric W. Biederman
2016-04-15 15:35 ` [PATCH 01/16] devpts: Use the same default mode for both /dev/ptmx and dev/pts/ptmx Eric W. Biederman
2016-04-15 15:35 ` [PATCH 02/16] devpts: Set the proper fops for /dev/pts/ptmx Eric W. Biederman
2016-04-15 15:35 ` [PATCH 03/16] vfs: Implement vfs_loopback_mount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 04/16] devpts: Teach /dev/ptmx to automount the appropriate devpts via path lookup Eric W. Biederman
2016-04-15 22:03 ` Jann Horn
2016-04-19 18:46 ` Eric W. Biederman
2016-04-15 15:35 ` [PATCH 05/16] vfs: Allow unlink, and rename on expirable file mounts Eric W. Biederman
2016-04-15 15:35 ` [PATCH 06/16] devpts: More obvious check for the system devpts in pty allocation Eric W. Biederman
2016-04-15 15:35 ` [PATCH 07/16] devpts: Cleanup newinstance parsing Eric W. Biederman
2016-04-15 15:35 ` [PATCH 08/16] devpts: Stop rolling devpts_remount by hand in devpts_mount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 09/16] devpts: Fail early (if appropriate) on overmount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 10/16] devpts: Move parse_mount_options into fill_super Eric W. Biederman
2016-04-15 15:35 ` [PATCH 11/16] devpts: Make devpts_kill_sb safe if fsi is NULL Eric W. Biederman
2016-04-15 15:35 ` [PATCH 12/16] devpts: Move the creation of /dev/pts/ptmx into fill_super Eric W. Biederman
2016-04-15 15:35 ` [PATCH 13/16] devpts: Simplify devpts_mount by using mount_nodev Eric W. Biederman
2016-04-15 15:35 ` [PATCH 14/16] vfs: Implement mount_super_once Eric W. Biederman
2016-04-15 23:02 ` Linus Torvalds
2016-04-19 18:22 ` Eric W. Biederman
2016-04-19 18:47 ` H. Peter Anvin
2016-04-19 19:03 ` Eric W. Biederman
2016-04-19 19:25 ` H. Peter Anvin
2016-04-19 19:26 ` H. Peter Anvin
2016-04-20 3:27 ` Eric W. Biederman
2016-04-20 11:50 ` Austin S. Hemmelgarn
2016-04-20 16:12 ` H. Peter Anvin
2016-04-19 18:55 ` H. Peter Anvin
2016-04-19 23:29 ` Linus Torvalds
2016-04-20 1:24 ` Linus Torvalds
2016-04-20 1:37 ` H. Peter Anvin
2016-04-15 15:35 ` [PATCH 15/16] devpts: Always return a distinct instance when mounting Eric W. Biederman
2016-04-15 15:35 ` [PATCH 16/16] devpts: Kill the DEVPTS_MULTIPLE_INSTANCE config option Eric W. Biederman
2016-04-15 16:49 ` [PATCH 01/16] devpts: Attempting to get it right Andy Lutomirski
2016-04-15 20:43 ` Eric W. Biederman
2016-04-15 21:29 ` H. Peter Anvin
2016-04-19 19:00 ` Eric W. Biederman
2016-04-16 18:31 ` Linus Torvalds
2016-04-19 18:44 ` Does anyone care about a race free ptsname? Eric W. Biederman
2016-04-19 19:16 ` H. Peter Anvin
2016-04-19 20:32 ` Eric W. Biederman
2016-04-19 20:55 ` H. Peter Anvin
2016-04-19 20:42 ` Serge E. Hallyn
2016-04-19 23:23 ` Linus Torvalds
2016-04-19 23:39 ` H. Peter Anvin
2016-04-20 0:18 ` Linus Torvalds
2016-04-20 1:48 ` Serge E. Hallyn
2016-04-19 22:06 ` [PATCH 01/16] devpts: Attempting to get it right Eric W. Biederman
2016-04-19 23:35 ` Linus Torvalds
2016-04-20 0:24 ` Peter Hurley
2016-04-20 0:49 ` Peter Hurley
2016-04-20 3:04 ` [PATCH] devpts: Make each mount of devpts an independent filesystem Eric W. Biederman
2016-04-20 3:25 ` Al Viro
2016-04-20 3:43 ` Eric W. Biederman
2016-04-20 4:11 ` Al Viro
2016-04-20 4:21 ` Eric W. Biederman
2016-04-20 4:36 ` Konstantin Khlebnikov
2016-04-20 4:49 ` Linus Torvalds
2016-04-20 14:55 ` Eric W. Biederman
2016-04-20 15:34 ` Konstantin Khlebnikov
2016-04-20 15:50 ` Eric W. Biederman
2016-04-20 17:00 ` [PATCH v2] " Eric W. Biederman
[not found] ` <874mabt3df.fsf_-_@x220.int.ebiederm.org>
2016-05-06 19:04 ` [PATCH 1/1] " Eric W. Biederman
2016-05-06 19:35 ` [PATCH 0/1] devpts: Removing the need for pt_chown Greg KH
2016-05-06 19:45 ` Peter Hurley
2016-05-06 19:54 ` Greg KH
2016-06-02 15:29 ` [PATCH tty-next] devpts: Make each mount of devpts an independent filesystem Eric W. Biederman
2016-06-02 18:57 ` Linus Torvalds
2016-06-02 20:22 ` Eric W. Biederman
2016-06-02 20:36 ` H. Peter Anvin
2016-06-02 21:23 ` Eric W. Biederman
2016-06-02 21:44 ` Linus Torvalds
2016-04-11 23:49 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Eric W. Biederman
2016-04-12 0:08 ` Linus Torvalds
2016-04-12 0:22 ` Eric W. Biederman
2016-04-12 0:50 ` Linus Torvalds
2016-04-11 20:05 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wpo7itzk.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=aurelien@aurel32.net \
--cc=fw@deneb.enyo.de \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=jann@thejh.net \
--cc=jslaby@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=peter@hurleysoftware.com \
--cc=security@debian.org \
--cc=security@kernel.org \
--cc=security@ubuntu.com \
--cc=serge.hallyn@ubuntu.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.