From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751639AbdBSPfX (ORCPT ); Sun, 19 Feb 2017 10:35:23 -0500
Received: from albireo.enyo.de ([5.158.152.32]:50762 "EHLO albireo.enyo.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750836AbdBSPfV (ORCPT ); Sun, 19 Feb 2017 10:35:21 -0500
From: Florian Weimer
To: Greg KH
Cc: linux-api@vger.kernel.org, Christian Brauner,
	linux-kernel@vger.kernel.org, jslaby@suse.com
Subject: Re: Hard-coding PTY device node numbers in userspace
References: <87bmu1jd0j.fsf@mid.deneb.enyo.de> <20170217181538.GA9346@kroah.com>
Date: Sun, 19 Feb 2017 16:35:12 +0100
In-Reply-To: <20170217181538.GA9346@kroah.com> (Greg KH's message of "Fri, 17 Feb 2017 10:15:38 -0800")
Message-ID: <87d1eechxr.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

* Greg KH:

> On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote:
>> We want to reject PTY devices from other namespaces as valid input to
>> the ttyname and ttyname_r functions, while still providing a hint to
>> callers that the device is, in fact, a PTY.  Christian Brauner wrote a
>> glibc patch for this:
>>
>>
>>
>> It hard-codes the major PTY device number range.  Is this feasible?
>> Is it part of the stable userspace ABI for the TTY subsystem?
>
> What major numbers are you using in the patch '2' and '3'?

I think there is just one patch, and the check looks like this:

  #define _LARGEFILE64_SOURCE   /* for struct stat64 */
  #include <sys/stat.h>
  #include <sys/sysmacros.h>    /* for major() */

  /* Unix98 PTY slaves occupy character majors 136 through 143.  */
  static inline int
  is_pty (struct stat64 *sb)
  {
    int m = major (sb->st_rdev);
    return (136 <= m && m <= 143);
  }

> And yes,
> major numbers are static and you should be fine to rely on them.  But
> can't you test that the device is a pty to verify it?

It's not entirely clear what exactly a PTY descriptor should be for
ttyname.
Going forward, we only want to treat descriptors for PTY devices which can be accessed using /dev/pts paths in the current namespace as PTYs. Christian's patch adds a separate error code for the case where the descriptor is a PTY, but it comes from a different namespace. I'm concerned that some software out there assumes that if standard input is a PTY according to ttyname, it is safe to chown it. There have been security issues related to that a long time ago on some UNIX systems, and I want us to be conservative here.