* Re: Hard-coding PTY device node numbers in userspace [not found] <87bmu1jd0j.fsf@mid.deneb.enyo.de> @ 2017-02-17 18:15 ` Greg KH 2017-02-19 15:35 ` Florian Weimer 0 siblings, 1 reply; 3+ messages in thread From: Greg KH @ 2017-02-17 18:15 UTC (permalink / raw) To: Florian Weimer; +Cc: linux-api, Christian Brauner, linux-kernel, jslaby On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote: > We want to reject PTY devices from other namespaces as valid input to > the ttyname and ttyname_r functions, while still providing a hint to > callers that the device is, in fact, a PTY. Christian Brauner wrote a > glibc patch for this: > > <https://sourceware.org/ml/libc-alpha/2017-01/msg00531.html> > > It hard-codes the major PTY device number range. Is this feasible? > Is it part of the stable userspace ABI for the TTY subsystem? What major numbers are you using in the patch '2' and '3'? And yes, major numbers are static and you should be fine to rely on them. But can't you test that the device is a pty to verify it? thanks, greg k-h ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Hard-coding PTY device node numbers in userspace 2017-02-17 18:15 ` Hard-coding PTY device node numbers in userspace Greg KH @ 2017-02-19 15:35 ` Florian Weimer 2017-02-21 15:04 ` Greg KH 0 siblings, 1 reply; 3+ messages in thread From: Florian Weimer @ 2017-02-19 15:35 UTC (permalink / raw) To: Greg KH; +Cc: linux-api, Christian Brauner, linux-kernel, jslaby * Greg KH: > On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote: >> We want to reject PTY devices from other namespaces as valid input to >> the ttyname and ttyname_r functions, while still providing a hint to >> callers that the device is, in fact, a PTY. Christian Brauner wrote a >> glibc patch for this: >> >> <https://sourceware.org/ml/libc-alpha/2017-01/msg00531.html> >> >> It hard-codes the major PTY device number range. Is this feasible? >> Is it part of the stable userspace ABI for the TTY subsystem? > > What major numbers are you using in the patch '2' and '3'? I think there is just one patch, and the check looks like this: static inline int is_pty (struct stat64 *sb) { int m = major (sb->st_rdev); return (136 <= m && m <= 143); } > And yes, > major numbers are static and you should be fine to rely on them. But > can't you test that the device is a pty to verify it? It's not entirely clear what exactly a PTY descriptor should be for ttyname. Going forward, we only want to treat descriptors for PTY devices which can be accessed using /dev/pts paths in the current namespace as PTYs. Christian's patch adds a separate error code for the case where the descriptor is a PTY, but it comes from a different namespace. I'm concerned that some software out there assumes that if standard input is a PTY according to ttyname, it is safe to chown it. There have been security issues related to that a long time ago on some UNIX systems, and I want us to be conservative here. ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Hard-coding PTY device node numbers in userspace 2017-02-19 15:35 ` Florian Weimer @ 2017-02-21 15:04 ` Greg KH 0 siblings, 0 replies; 3+ messages in thread From: Greg KH @ 2017-02-21 15:04 UTC (permalink / raw) To: Florian Weimer; +Cc: linux-api, Christian Brauner, linux-kernel, jslaby On Sun, Feb 19, 2017 at 04:35:12PM +0100, Florian Weimer wrote: > * Greg KH: > > > On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote: > >> We want to reject PTY devices from other namespaces as valid input to > >> the ttyname and ttyname_r functions, while still providing a hint to > >> callers that the device is, in fact, a PTY. Christian Brauner wrote a > >> glibc patch for this: > >> > >> <https://sourceware.org/ml/libc-alpha/2017-01/msg00531.html> > >> > >> It hard-codes the major PTY device number range. Is this feasible? > >> Is it part of the stable userspace ABI for the TTY subsystem? > > > > What major numbers are you using in the patch '2' and '3'? > > I think there is just one patch, and the check looks like this: > > static inline int > is_pty (struct stat64 *sb) > { > int m = major (sb->st_rdev); > return (136 <= m && m <= 143); > } Ah, yes, 136-143 are the right ones, sorry, I was looking at the "legacy" ones in devices.txt. > > And yes, > > major numbers are static and you should be fine to rely on them. But > > can't you test that the device is a pty to verify it? > > It's not entirely clear what exactly a PTY descriptor should be for > ttyname. Going forward, we only want to treat descriptors for PTY > devices which can be accessed using /dev/pts paths in the current > namespace as PTYs. Christian's patch adds a separate error code for > the case where the descriptor is a PTY, but it comes from a different > namespace. > > I'm concerned that some software out there assumes that if standard > input is a PTY according to ttyname, it is safe to chown it. There > have been security issues related to that a long time ago on some UNIX > systems, and I want us to be conservative here. Yeah, it's tricky. And putting namespaces in the mix makes it messier. Good luck! greg k-h ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-02-21 15:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <87bmu1jd0j.fsf@mid.deneb.enyo.de>
2017-02-17 18:15 ` Hard-coding PTY device node numbers in userspace Greg KH
2017-02-19 15:35 ` Florian Weimer
2017-02-21 15:04 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox