From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>
Cc: "Michael Kerrisk (man-pages)"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Jiri Slaby <jslaby-IBi9RG/b67k@public.gmane.org>,
Christian Brauner
<christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation
Date: Wed, 16 Aug 2017 12:14:37 -0500 [thread overview]
Message-ID: <87ziaztoxu.fsf@xmission.com> (raw)
In-Reply-To: <a7175aad-645c-8f86-d7cf-51f24f0bc281-l3A5Bk7waGM@public.gmane.org> (Aleksa Sarai's message of "Thu, 17 Aug 2017 02:54:03 +1000")

Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org> writes:

>> A couple of things to note on the bigger picture.
>>
>> The glibc library on all distributions has been changed to not have a
>> setuid binary pt_chown, that uses ptsname. This was the primary fix
>> for the security issue.
>>
>> The behavior of opening /dev/ptmx has been changed to perform a path
>> lookup relative to the location of /dev/ptmx of ./pts/ptmx and open
>> it if it is a devpts filesystem and to fail otherwise. This further
>> makes it hard to confuse userspace this way as /dev/ptmx always
>> corresponds to /dev/pts/ptmx. Even in chroots and in other mount
>> namespaces.
>
> I have a feeling that there might be a way to trick glibc if you use
> FUSE, but I haven't actually tried to create a PoC for it. Fair point
> though.

To trick glibc, FUSE would have to be mounted somewhere on /dev.

>> That makes TIOCGPTPEER a very nice addition, but not something people
>> have to scramble to use to ensure their system is secure. As a hostile
>> environment now has to work very hard to confuse the existing mechanisms.
>
> There are usecases where you simply need TIOCGPTPEER, and no other
> userspace alternative will do, but maybe if we modified the paragraph
> to read (as suggested):
>
> Security-conscious programs interacting with namespaces may
> wish to use this operation rather than open(2) with the
> pathname returned by ptsname(3).
>
> This would clarify that there are usecases where you need this
> particular feature, without causing people to panic over
> inaccurate claims of glibc being broken. Does that sound better?

I think your original words sounded fine. I would even go for new
programs may want to use the new ioctl as it is fundamentally less racy
and more of what is actually trying to be implemented with the userspace
pieces.

I just wanted to point out that TIOCGPTPEER, while being the interface
that it would have been nice to have had since the beginning (and would
have avoided all of the problems), is actually not something we need to
scramble and use; it is just a very nice-to-have, as the immediate
issues have been fixed in other ways. It was not clear to me from the
other discussions if you and Michael Kerrisk were aware of the
mitigations that had been made to address the security issue.

The change to the behavior of /dev/ptmx may need to be documented
somewhere. I am not certain if anything has been documented since
devpts has started allowing multiple mounts.

Eric
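The approach the thread converges on, opening the pty peer through TIOCGPTPEER instead of open(2) on the pathname returned by ptsname(3), as an added example that is not part of this message, the man-pages patch, or any participant's code. It assumes Linux with a glibc-style libc (posix_openpt, grantpt, unlockpt, ptsname_r); the helper names open_pty_master, open_pty_peer and pty_selftest are this example's own. The ioctl resolves the peer from the master's own devpts instance, so no pathname is looked up in the caller's mount namespace or chroot; the ptsname_r/open fallback is taken only when the kernel reports it does not know the ioctl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifndef TIOCGPTPEER
/* Value from the kernel's include/uapi/asm-generic/ioctls.h, for libc
 * headers that predate the ioctl (added in Linux 4.13). */
#define TIOCGPTPEER _IO('T', 0x41)
#endif

/* Records which path obtained the peer, so callers can tell whether the
 * race-free ioctl was actually used. */
enum peer_method { PEER_NONE = 0, PEER_IOCTL = 1, PEER_PTSNAME = 2 };

/* Allocate a pty master ready for a peer to be opened.
 * Returns the master fd, or -1 with errno set. */
int open_pty_master(void)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    if (grantpt(m) != 0 || unlockpt(m) != 0) {
        int e = errno;
        close(m);
        errno = e;
        return -1;
    }
    return m;
}

/* Open the peer (slave) of the pty whose master is `master`.
 * Returns the peer fd, or -1 with errno set. */
int open_pty_peer(int master, enum peer_method *how)
{
    if (how)
        *how = PEER_NONE;

    /* Preferred: the kernel opens the peer from the master's devpts
     * instance directly; no /dev/pts/N pathname is involved. */
    int peer = ioctl(master, TIOCGPTPEER, O_RDWR | O_NOCTTY);
    if (peer >= 0) {
        if (how)
            *how = PEER_IOCTL;
        return peer;
    }
    /* Fall back only when the ioctl is unknown to this kernel; any other
     * error (EBADF, EACCES, ...) is reported to the caller. */
    if (errno != ENOTTY && errno != EINVAL)
        return -1;

    char name[64];
    int rc = ptsname_r(master, name, sizeof name);
    if (rc != 0) {
        errno = rc;
        return -1;
    }
    peer = open(name, O_RDWR | O_NOCTTY);
    if (peer >= 0 && how)
        *how = PEER_PTSNAME;
    return peer;
}

/* Self-check: 0 = pair opened and the peer is a tty, 1 = no usable pty
 * on this system (skipped), -1 = master prepared but peer open failed. */
int pty_selftest(void)
{
    int m = open_pty_master();
    if (m < 0)
        return 1;
    enum peer_method how;
    int s = open_pty_peer(m, &how);
    if (s < 0) {
        close(m);
        return -1;
    }
    int ok = isatty(s) && (how == PEER_IOCTL || how == PEER_PTSNAME);
    close(s);
    close(m);
    return ok ? 0 : -1;
}

int main(void)
{
    int m = open_pty_master();
    if (m < 0) {
        perror("open_pty_master");
        return 1;
    }
    enum peer_method how;
    int s = open_pty_peer(m, &how);
    if (s < 0) {
        perror("open_pty_peer");
        return 1;
    }
    printf("peer fd %d obtained via %s\n", s,
           how == PEER_IOCTL ? "TIOCGPTPEER" : "ptsname_r()/open()");
    close(s);
    close(m);
    return 0;
}
```

A program that must not trust the pathname view (sandboxes, container runtimes setting up a console inside another mount namespace) can refuse to proceed when `how` comes back as PEER_PTSNAME, since that path is exactly the one the thread describes as confusable; the fallback is kept here only so the same binary still works on pre-4.13 kernels.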