From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753662AbdBUPEn (ORCPT <rfc822;w@1wt.eu>);
        Tue, 21 Feb 2017 10:04:43 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:36932 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753629AbdBUPEg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 21 Feb 2017 10:04:36 -0500
Date: Tue, 21 Feb 2017 16:04:32 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: linux-api@vger.kernel.org,
        Christian Brauner <christian.brauner@canonical.com>,
        linux-kernel@vger.kernel.org, jslaby@suse.com
Subject: Re: Hard-coding PTY device node numbers in userspace
Message-ID: <20170221150432.GA2893@kroah.com>
References: <87bmu1jd0j.fsf@mid.deneb.enyo.de>
 <20170217181538.GA9346@kroah.com>
 <87d1eechxr.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87d1eechxr.fsf@mid.deneb.enyo.de>
User-Agent: Mutt/1.7.2 (2016-11-26)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Feb 19, 2017 at 04:35:12PM +0100, Florian Weimer wrote:
> * Greg KH:
> 
> > On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote:
> >> We want to reject PTY devices from other namespaces as valid input to
> >> the ttyname and ttyname_r functions, while still providing a hint to
> >> callers that the device is, in fact, a PTY.  Christian Brauner wrote a
> >> glibc patch for this:
> >> 
> >>   <https://sourceware.org/ml/libc-alpha/2017-01/msg00531.html>
> >> 
> >> It hard-codes the major PTY device number range.  Is this feasible?
> >> Is it part of the stable userspace ABI for the TTY subsystem?
> >
> > What major numbers are you using in the patch '2' and '3'?
> 
> I think there is just one patch, and the check looks like this:
> 
>   static inline int
>   is_pty (struct stat64 *sb)
>   {
>     int m = major (sb->st_rdev);
>     return (136 <= m && m <= 143);
>   }

Ah, yes, 136-143 are the right ones, sorry, I was looking at the
"legacy" ones in devices.txt.

> > And yes,
> > major numbers are static and you should be fine to rely on them.  But
> > can't you test that the device is a pty to verify it?
> 
> It's not entirely clear what exactly a PTY descriptor should be for
> ttyname.  Going forward, we only want to treat descriptors for PTY
> devices which can be accessed using /dev/pts paths in the current
> namespace as PTYs.  Christian's patch adds a separate error code for
> the case where the descriptor is a PTY, but it comes from a different
> namespace.
> 
> I'm concerned that some software out there assumes that if standard
> input is a PTY according to ttyname, it is safe to chown it.  There
> have been security issues related to that a long time ago on some UNIX
> systems, and I want us to be conservative here.

Yeah, it's tricky.  And putting namespaces in the mix makes it messier.
Good luck!

greg k-h