From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
security@debian.org, "security\@kernel.org" <security@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
"security\@ubuntu.com \>\> security" <security@ubuntu.com>,
Peter Hurley <peter@hurleysoftware.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>, Willy Tarreau <w@1wt.eu>,
Aurelien Jarno <aurelien@aurel32.net>, Jann Horn <jann@thejh.net>,
Greg KH <greg@kroah.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jiri Slaby <jslaby@suse.com>, Florian Weimer <fw@deneb.enyo.de>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup
Date: Fri, 08 Apr 2016 18:03:11 -0500 [thread overview]
Message-ID: <87wpo7itzk.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CA+55aFyb_WGTm7=QLLnAC6pSyvso-a6mTcXWvJAtxpKo5nzUTA@mail.gmail.com> (Linus Torvalds's message of "Fri, 8 Apr 2016 14:54:18 -0700")
Linus Torvalds <torvalds@linux-foundation.org> writes:
> But more fundamentally I still don't actually understand why you even
> really care.
At this point I care because there is a failure of communication.
Until this email no one has ever said: "Ok that actually could happen
but we don't actually care."
Right now I am a bit paranoid because I have seen a few too many cases
where some little detail was glossed over and someone clever turned it
into a great big CVE they could drive a truck through. So I am once
bitten twice shy and all of that.
> We get the wrong pts case *today*. We'd get a different wrong pts
> namespace when somebody tries to do odd things. Why would we care? It
> would be a _better_ guess.
>
> I don't see the security issue. If you do tricks to get pty's in
> another group, what's the problem? You have to do it consciously, and
> I don't see what the downside is. You get what you ask for, and I
> don't see a new attack surface.
>
> The whole "somebody used chmod on /dev/pts/" argument sounds bogus.
> That's an insane thing to do. If you want a private namespace, you
> make *all* of /dev private, you don't go "oh, I'll just make the pts
> subdirectory private".
Oh I pretty much agree it is an insane thing to do. At the same time I
know that people can make a lot of little sane decisions that can lead
to an insane situation, so just because it is insane I can't rule
it out automatically.
The actual sane thing to do, and what I think most of userspace does
at this point is to create it's own mount namespace so nothing is
visible to outsiders.
> In other words, your whole scenario sounds totally made up to begin
> with. And even if it happens, I don't see what would be so disastrous
> about it.
In general I agree. The scenario is made up. I would be surprised if
it happens.
> I mean, right now, /dev/ptmx is world read-write in the root container
> and everybody gets access to the same underlying set of ptys. And
> that's not some horrible security issue. It's how things are
> *supposed* to work.
I agree.
> So I really don't see the argument. You guys are just making shit up.
I don't see why we have the linux extension of supporting anything
except mode 0666 on /dev/ptmx or /dev/pts/ptmx. This is really about
not breaking that linux extension by overlooking some little detail.
On the attack analysis front the worst thing I can see happening is a
denial of service attack. I see two possible denial of service attacks.
One possible attack creates a pty and prevents devpts from being
unmounted. Another possible attack creates all possible ptys on a
devpts instance, and prevents legitimate tty creations from happening.
At the end of the day as you say it would be a pretty crazy person who
isolated a mount of devpts with just the permissions of /dev/pts/ptmx.
So if we don't want to care knowing those stupid attacks above are
possible I am happy not to care. They don't look all that serious to
me.
Eric
next prev parent reply other threads:[~2016-04-08 23:14 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <43AD2BA7-B594-4299-95F3-D86FD38AF21B@zytor.com>
[not found] ` <87egexpf4o.fsf@x220.int.ebiederm.org>
[not found] ` <CA+55aFw9Bg+Zh_T4zP487n3ieaxoMHgZ_nNJVdpSR4kQK9gQ9w@mail.gmail.com>
[not found] ` <1CB621EF-1647-463B-A144-D611DB150E15@zytor.com>
[not found] ` <20151208223135.GA8352@kroah.com>
[not found] ` <87oae0h2bo.fsf@x220.int.ebiederm.org>
[not found] ` <56677DE3.5040705@zytor.com>
[not found] ` <20151209012311.GA11794@kroah.com>
[not found] ` <84B136DF-55E4-476A-9CB2-062B15677EE5@zytor.com>
[not found] ` <20151209013859.GA12442@kroah.com>
[not found] ` <20151209083225.GA30452@1wt.eu>
2015-12-11 19:40 ` [PATCH] devpts: Sensible /dev/ptmx & force newinstance Eric W. Biederman
2015-12-11 20:50 ` Linus Torvalds
2015-12-11 21:03 ` Eric W. Biederman
2015-12-11 21:04 ` Al Viro
2015-12-11 21:11 ` Eric W. Biederman
2015-12-11 21:48 ` Andy Lutomirski
2015-12-11 22:07 ` H. Peter Anvin
2015-12-11 22:12 ` Andy Lutomirski
2015-12-11 22:18 ` H. Peter Anvin
2015-12-11 22:24 ` Andy Lutomirski
2015-12-11 22:29 ` H. Peter Anvin
2015-12-11 22:35 ` Eric W. Biederman
2015-12-11 22:52 ` Andy Lutomirski
2015-12-11 22:58 ` Jann Horn
2015-12-11 23:00 ` Andy Lutomirski
2015-12-11 23:07 ` H. Peter Anvin
2015-12-11 23:16 ` Andy Lutomirski
2015-12-11 23:30 ` H. Peter Anvin
2015-12-11 22:57 ` H. Peter Anvin
2015-12-14 19:47 ` Peter Hurley
2015-12-14 19:55 ` H. Peter Anvin
2015-12-19 21:13 ` Eric W. Biederman
2015-12-20 4:11 ` Eric W. Biederman
2015-12-20 4:35 ` H. Peter Anvin
2015-12-20 9:42 ` Eric W. Biederman
2015-12-21 22:03 ` Eric W. Biederman
2015-12-21 22:23 ` Linus Torvalds
2016-04-05 0:03 ` [PATCH 00/13] devpts: New instances for every mount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Eric W. Biederman
2016-04-05 1:29 ` [PATCH 02/13] devpts: More obvious check for the system devpts in pty allocation Eric W. Biederman
2016-04-05 1:29 ` [PATCH 03/13] devpts: Cleanup newinstance parsing Eric W. Biederman
2016-04-05 1:29 ` [PATCH 04/13] devpts: Stop rolling devpts_remount by hand in devpts_mount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 05/13] devpts: Fail early (if appropriate) on overmount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 06/13] devpts: Use the same default mode for both /dev/ptmx and dev/pts/ptmx Eric W. Biederman
2016-04-05 1:29 ` [PATCH 07/13] devpts: Move parse_mount_options into fill_super Eric W. Biederman
2016-04-05 1:29 ` [PATCH 08/13] devpts: Make devpts_kill_sb safe if fsi is NULL Eric W. Biederman
2016-04-05 1:29 ` [PATCH 09/13] devpts: Move the creation of /dev/pts/ptmx into fill_super Eric W. Biederman
2016-04-05 1:29 ` [PATCH 10/13] devpts: Simplify devpts_mount by using mount_nodev Eric W. Biederman
2016-04-05 1:29 ` [PATCH 11/13] vfs: Implement mount_super_once Eric W. Biederman
2016-04-05 1:29 ` [PATCH 12/13] devpts: Always return a distinct instance when mounting Eric W. Biederman
2016-04-05 1:29 ` [PATCH 13/13] devpts: Kill the DEVPTS_MULTIPLE_INSTANCE config option Eric W. Biederman
2016-04-05 2:54 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Al Viro
2016-04-05 3:03 ` Al Viro
2016-04-08 18:54 ` Eric W. Biederman
2016-04-07 16:06 ` Linus Torvalds
2016-04-08 18:51 ` Eric W. Biederman
2016-04-08 19:05 ` Linus Torvalds
2016-04-08 20:05 ` Eric W. Biederman
2016-04-08 20:43 ` Andy Lutomirski
2016-04-08 21:29 ` Eric W. Biederman
2016-04-08 21:54 ` Linus Torvalds
2016-04-08 23:03 ` Eric W. Biederman [this message]
2016-04-08 21:56 ` Andy Lutomirski
2016-04-09 13:09 ` One Thousand Gnomes
2016-04-09 14:10 ` H. Peter Anvin
2016-04-09 14:45 ` Eric W. Biederman
2016-04-09 22:37 ` H. Peter Anvin
2016-04-10 0:01 ` Linus Torvalds
2016-04-10 0:06 ` H. Peter Anvin
2016-04-10 0:16 ` Linus Torvalds
2016-04-10 0:44 ` Andy Lutomirski
[not found] ` <CA+55aFzs00iDkYhvFCq=AZMVcNL0+oZT4SeimTeVurJq=5ZS3A@mail.gmail.com>
2016-04-11 14:48 ` H. Peter Anvin
2016-04-12 1:31 ` Al Viro
2016-04-11 20:12 ` Andy Lutomirski
2016-04-11 20:10 ` Eric W. Biederman
2016-04-11 20:16 ` H. Peter Anvin
2016-04-11 23:37 ` Eric W. Biederman
2016-04-12 0:01 ` Linus Torvalds
2016-04-12 0:10 ` Eric W. Biederman
2016-04-12 1:06 ` H. Peter Anvin
2016-04-12 1:18 ` Linus Torvalds
2016-04-12 1:23 ` Eric W. Biederman
2016-04-12 1:47 ` Al Viro
2016-04-12 1:34 ` Al Viro
2016-04-12 2:16 ` Eric W. Biederman
2016-04-12 17:44 ` Andy Lutomirski
2016-04-12 18:12 ` Linus Torvalds
2016-04-12 19:07 ` H. Peter Anvin
2016-04-15 15:34 ` [PATCH 01/16] devpts: Attempting to get it right Eric W. Biederman
2016-04-15 15:35 ` [PATCH 01/16] devpts: Use the same default mode for both /dev/ptmx and dev/pts/ptmx Eric W. Biederman
2016-04-15 15:35 ` [PATCH 02/16] devpts: Set the proper fops for /dev/pts/ptmx Eric W. Biederman
2016-04-15 15:35 ` [PATCH 03/16] vfs: Implement vfs_loopback_mount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 04/16] devpts: Teach /dev/ptmx to automount the appropriate devpts via path lookup Eric W. Biederman
2016-04-15 22:03 ` Jann Horn
2016-04-19 18:46 ` Eric W. Biederman
2016-04-15 15:35 ` [PATCH 05/16] vfs: Allow unlink, and rename on expirable file mounts Eric W. Biederman
2016-04-15 15:35 ` [PATCH 06/16] devpts: More obvious check for the system devpts in pty allocation Eric W. Biederman
2016-04-15 15:35 ` [PATCH 07/16] devpts: Cleanup newinstance parsing Eric W. Biederman
2016-04-15 15:35 ` [PATCH 08/16] devpts: Stop rolling devpts_remount by hand in devpts_mount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 09/16] devpts: Fail early (if appropriate) on overmount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 10/16] devpts: Move parse_mount_options into fill_super Eric W. Biederman
2016-04-15 15:35 ` [PATCH 11/16] devpts: Make devpts_kill_sb safe if fsi is NULL Eric W. Biederman
2016-04-15 15:35 ` [PATCH 12/16] devpts: Move the creation of /dev/pts/ptmx into fill_super Eric W. Biederman
2016-04-15 15:35 ` [PATCH 13/16] devpts: Simplify devpts_mount by using mount_nodev Eric W. Biederman
2016-04-15 15:35 ` [PATCH 14/16] vfs: Implement mount_super_once Eric W. Biederman
2016-04-15 23:02 ` Linus Torvalds
2016-04-19 18:22 ` Eric W. Biederman
2016-04-19 18:47 ` H. Peter Anvin
2016-04-19 19:03 ` Eric W. Biederman
2016-04-19 19:25 ` H. Peter Anvin
2016-04-19 19:26 ` H. Peter Anvin
2016-04-20 3:27 ` Eric W. Biederman
2016-04-20 11:50 ` Austin S. Hemmelgarn
2016-04-20 16:12 ` H. Peter Anvin
2016-04-19 18:55 ` H. Peter Anvin
2016-04-19 23:29 ` Linus Torvalds
2016-04-20 1:24 ` Linus Torvalds
2016-04-20 1:37 ` H. Peter Anvin
2016-04-15 15:35 ` [PATCH 15/16] devpts: Always return a distinct instance when mounting Eric W. Biederman
2016-04-15 15:35 ` [PATCH 16/16] devpts: Kill the DEVPTS_MULTIPLE_INSTANCE config option Eric W. Biederman
2016-04-15 16:49 ` [PATCH 01/16] devpts: Attempting to get it right Andy Lutomirski
2016-04-15 20:43 ` Eric W. Biederman
2016-04-15 21:29 ` H. Peter Anvin
2016-04-19 19:00 ` Eric W. Biederman
2016-04-16 18:31 ` Linus Torvalds
2016-04-19 18:44 ` Does anyone care about a race free ptsname? Eric W. Biederman
2016-04-19 19:16 ` H. Peter Anvin
2016-04-19 20:32 ` Eric W. Biederman
2016-04-19 20:55 ` H. Peter Anvin
2016-04-19 20:42 ` Serge E. Hallyn
2016-04-19 23:23 ` Linus Torvalds
2016-04-19 23:39 ` H. Peter Anvin
2016-04-20 0:18 ` Linus Torvalds
2016-04-20 1:48 ` Serge E. Hallyn
2016-04-19 22:06 ` [PATCH 01/16] devpts: Attempting to get it right Eric W. Biederman
2016-04-19 23:35 ` Linus Torvalds
2016-04-20 0:24 ` Peter Hurley
2016-04-20 0:49 ` Peter Hurley
2016-04-20 3:04 ` [PATCH] devpts: Make each mount of devpts an independent filesystem Eric W. Biederman
2016-04-20 3:25 ` Al Viro
2016-04-20 3:43 ` Eric W. Biederman
2016-04-20 4:11 ` Al Viro
2016-04-20 4:21 ` Eric W. Biederman
2016-04-20 4:36 ` Konstantin Khlebnikov
2016-04-20 4:49 ` Linus Torvalds
2016-04-20 14:55 ` Eric W. Biederman
2016-04-20 15:34 ` Konstantin Khlebnikov
2016-04-20 15:50 ` Eric W. Biederman
2016-04-20 17:00 ` [PATCH v2] " Eric W. Biederman
[not found] ` <874mabt3df.fsf_-_@x220.int.ebiederm.org>
2016-05-06 19:04 ` [PATCH 1/1] " Eric W. Biederman
2016-05-06 19:35 ` [PATCH 0/1] devpts: Removing the need for pt_chown Greg KH
2016-05-06 19:45 ` Peter Hurley
2016-05-06 19:54 ` Greg KH
2016-06-02 15:29 ` [PATCH tty-next] devpts: Make each mount of devpts an independent filesystem Eric W. Biederman
2016-06-02 18:57 ` Linus Torvalds
2016-06-02 20:22 ` Eric W. Biederman
2016-06-02 20:36 ` H. Peter Anvin
2016-06-02 21:23 ` Eric W. Biederman
2016-06-02 21:44 ` Linus Torvalds
2016-04-11 23:49 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Eric W. Biederman
2016-04-12 0:08 ` Linus Torvalds
2016-04-12 0:22 ` Eric W. Biederman
2016-04-12 0:50 ` Linus Torvalds
2016-04-11 20:05 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wpo7itzk.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=aurelien@aurel32.net \
--cc=fw@deneb.enyo.de \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=jann@thejh.net \
--cc=jslaby@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=peter@hurleysoftware.com \
--cc=security@debian.org \
--cc=security@kernel.org \
--cc=security@ubuntu.com \
--cc=serge.hallyn@ubuntu.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).