From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
security@debian.org, "security\@kernel.org" <security@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
"security\@ubuntu.com \>\> security" <security@ubuntu.com>,
Peter Hurley <peter@hurleysoftware.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>, Willy Tarreau <w@1wt.eu>,
Aurelien Jarno <aurelien@aurel32.net>,
One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
Jann Horn <jann@thejh.net>, Greg KH <greg@kroah.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jiri Slaby <jslaby@suse.com>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: [PATCH 01/16] devpts: Attempting to get it right
Date: Fri, 15 Apr 2016 15:43:56 -0500 [thread overview]
Message-ID: <87y48evbzn.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CALCETrUDMucb_NDgehstZ08GZEsYCpV4ShUZfh6S25Hd2z+crQ@mail.gmail.com> (Andy Lutomirski's message of "Fri, 15 Apr 2016 09:49:21 -0700")
Andy Lutomirski <luto@amacapital.net> writes:
> On Fri, Apr 15, 2016 at 8:34 AM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>>
>> To recap the situation for those who have not been following closely.
>>
>> There are programs such as xen-create-image that run as root and setup
>> a chroot environment with:
>> "mknod dev/ptmx c 5 2"
>> "mkdir dev/pts"
>> "mount -t devpts none dev/pts"
>>
>> Which mostly works but stomps the mount options of the system /dev/pts.
>> In particular the options of "gid=5,mode=620" are lost resulting in a
>> situation where creating a new pty by opening /dev/ptmx results in
>> that pty having the wrong permissions.
>>
>> Some distributions have been working around this problem by continuing
>> to install a setuid root pt_chown binary that will be called by glibc
>> to fix the permissions.
>>
>> Maintaining a setuid root pt_chown binary is not too scary until
>> multiple instances of devpts are considered at which point it becomes
>> possible to trick the setuid root pt_chown binary into operating on the
>> wrong files and directories. Leading to all of the things one might
>> fear when a setuid root binary goes wrong.
>>
>> The following patchset digs us out of that hole by carefully devpts and
>> /dev/ptmx in a way that does not introduce any userspace regressions,
>> while making each mount of devpts distinct (so pt_chown is unnecessary)
>> and arranging things so that enough information is available so
>> that a secure pt_chown binary is possible to write if that is ever
>> needed.
>>
>> The approach I have chosen to take is to first enhance the /dev/ptmx
>> device node to automount /dev/pts/ptmx on top of it. This leads to a
>> simple high performance solution that allows applications such as
>> xen-create-image (that call "mknod ptmx c 5 2" and mount devpts)
>> to continue to run as before even when they are given a non-system
>> instance of devpts.
>>
>> Using automountic bind mounts of /dev/pts/ptmx results in no new
>> security cases to consider as this can already be done, and actually
>> results in a simplification of the analysis of the code. As now all
>> opens of ptmx are of /dev/pts/ptmx. /dev/ptmx is now just a magic
>> mountpoint that does the right thing.
>
> And what happens when someone tries to rm /dev/ptmx or unmount their
> pts instance or similar?
Unlink works (that was a trivial extension of the existing semantics).
It really didn't make sense that we honor mounts that can appear and
disappear on their own as much as we honor other mounts.
> What happens if /dev/ptmx is in a mount that
> is set to propagate elsewhere but /dev/pts was replaced by an
> unprivileged user? (Can this happen? I'm not sure.)
Well nothing that currently works will break in such a weird scenario.
So I call what happens in the crazy cases you are imagining well defined
obvious semantics (aka all you need to do is to apply the current
rules). Plus you have to be pretty crazy to do something like that.
Further I am 90% certain that the propogation semantics on the /dev
directory are what define how mounts of /dev/pts and /dev/ptmx
propagate.
> This seems much weirder than the previous approach. I think I'm
> starting to come over to Linus' view -- the magic lookup was fine, and
> I still can't think of a case where the permissions matter. If we
> care, we can cause the /dev/ptmx magic lookup to fail if the devpts it
> finds was created with newinstance. (After all, devpts instances
> created with newinstance *never* worked via /dev/ptmx magic.)
It isn't weirder. The rules are actually just a little simpler.
That is my take away from playing with it and working with it. The code
is actually really boring and just works in practice.
But please take my branch and play with it, and see if you can get it to
do something weird and magical. It is observable enough I don't expect
you can. But please. If I am wrong I will happily scrap this.
Right now this looks from my vanrage point like really really obvious
semantics, that don't cause regressions, and that are easy to understand
and observe.
Eric
next prev parent reply other threads:[~2016-04-15 20:54 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <43AD2BA7-B594-4299-95F3-D86FD38AF21B@zytor.com>
[not found] ` <87egexpf4o.fsf@x220.int.ebiederm.org>
[not found] ` <CA+55aFw9Bg+Zh_T4zP487n3ieaxoMHgZ_nNJVdpSR4kQK9gQ9w@mail.gmail.com>
[not found] ` <1CB621EF-1647-463B-A144-D611DB150E15@zytor.com>
[not found] ` <20151208223135.GA8352@kroah.com>
[not found] ` <87oae0h2bo.fsf@x220.int.ebiederm.org>
[not found] ` <56677DE3.5040705@zytor.com>
[not found] ` <20151209012311.GA11794@kroah.com>
[not found] ` <84B136DF-55E4-476A-9CB2-062B15677EE5@zytor.com>
[not found] ` <20151209013859.GA12442@kroah.com>
[not found] ` <20151209083225.GA30452@1wt.eu>
2015-12-11 19:40 ` [PATCH] devpts: Sensible /dev/ptmx & force newinstance Eric W. Biederman
2015-12-11 20:50 ` Linus Torvalds
2015-12-11 21:03 ` Eric W. Biederman
2015-12-11 21:04 ` Al Viro
2015-12-11 21:11 ` Eric W. Biederman
2015-12-11 21:48 ` Andy Lutomirski
2015-12-11 22:07 ` H. Peter Anvin
2015-12-11 22:12 ` Andy Lutomirski
2015-12-11 22:18 ` H. Peter Anvin
2015-12-11 22:24 ` Andy Lutomirski
2015-12-11 22:29 ` H. Peter Anvin
2015-12-11 22:35 ` Eric W. Biederman
2015-12-11 22:52 ` Andy Lutomirski
2015-12-11 22:58 ` Jann Horn
2015-12-11 23:00 ` Andy Lutomirski
2015-12-11 23:07 ` H. Peter Anvin
2015-12-11 23:16 ` Andy Lutomirski
2015-12-11 23:30 ` H. Peter Anvin
2015-12-11 22:57 ` H. Peter Anvin
2015-12-14 19:47 ` Peter Hurley
2015-12-14 19:55 ` H. Peter Anvin
2015-12-19 21:13 ` Eric W. Biederman
2015-12-20 4:11 ` Eric W. Biederman
2015-12-20 4:35 ` H. Peter Anvin
2015-12-20 9:42 ` Eric W. Biederman
2015-12-21 22:03 ` Eric W. Biederman
2015-12-21 22:23 ` Linus Torvalds
2016-04-05 0:03 ` [PATCH 00/13] devpts: New instances for every mount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Eric W. Biederman
2016-04-05 1:29 ` [PATCH 02/13] devpts: More obvious check for the system devpts in pty allocation Eric W. Biederman
2016-04-05 1:29 ` [PATCH 03/13] devpts: Cleanup newinstance parsing Eric W. Biederman
2016-04-05 1:29 ` [PATCH 04/13] devpts: Stop rolling devpts_remount by hand in devpts_mount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 05/13] devpts: Fail early (if appropriate) on overmount Eric W. Biederman
2016-04-05 1:29 ` [PATCH 06/13] devpts: Use the same default mode for both /dev/ptmx and dev/pts/ptmx Eric W. Biederman
2016-04-05 1:29 ` [PATCH 07/13] devpts: Move parse_mount_options into fill_super Eric W. Biederman
2016-04-05 1:29 ` [PATCH 08/13] devpts: Make devpts_kill_sb safe if fsi is NULL Eric W. Biederman
2016-04-05 1:29 ` [PATCH 09/13] devpts: Move the creation of /dev/pts/ptmx into fill_super Eric W. Biederman
2016-04-05 1:29 ` [PATCH 10/13] devpts: Simplify devpts_mount by using mount_nodev Eric W. Biederman
2016-04-05 1:29 ` [PATCH 11/13] vfs: Implement mount_super_once Eric W. Biederman
2016-04-05 1:29 ` [PATCH 12/13] devpts: Always return a distinct instance when mounting Eric W. Biederman
2016-04-05 1:29 ` [PATCH 13/13] devpts: Kill the DEVPTS_MULTIPLE_INSTANCE config option Eric W. Biederman
2016-04-05 2:54 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Al Viro
2016-04-05 3:03 ` Al Viro
2016-04-08 18:54 ` Eric W. Biederman
2016-04-07 16:06 ` Linus Torvalds
2016-04-08 18:51 ` Eric W. Biederman
2016-04-08 19:05 ` Linus Torvalds
2016-04-08 20:05 ` Eric W. Biederman
2016-04-08 20:43 ` Andy Lutomirski
2016-04-08 21:29 ` Eric W. Biederman
2016-04-08 21:54 ` Linus Torvalds
2016-04-08 23:03 ` Eric W. Biederman
2016-04-08 21:56 ` Andy Lutomirski
2016-04-09 13:09 ` One Thousand Gnomes
2016-04-09 14:10 ` H. Peter Anvin
2016-04-09 14:45 ` Eric W. Biederman
2016-04-09 22:37 ` H. Peter Anvin
2016-04-10 0:01 ` Linus Torvalds
2016-04-10 0:06 ` H. Peter Anvin
2016-04-10 0:16 ` Linus Torvalds
2016-04-10 0:44 ` Andy Lutomirski
[not found] ` <CA+55aFzs00iDkYhvFCq=AZMVcNL0+oZT4SeimTeVurJq=5ZS3A@mail.gmail.com>
2016-04-11 14:48 ` H. Peter Anvin
2016-04-12 1:31 ` Al Viro
2016-04-11 20:12 ` Andy Lutomirski
2016-04-11 20:10 ` Eric W. Biederman
2016-04-11 20:16 ` H. Peter Anvin
2016-04-11 23:37 ` Eric W. Biederman
2016-04-12 0:01 ` Linus Torvalds
2016-04-12 0:10 ` Eric W. Biederman
2016-04-12 1:06 ` H. Peter Anvin
2016-04-12 1:18 ` Linus Torvalds
2016-04-12 1:23 ` Eric W. Biederman
2016-04-12 1:47 ` Al Viro
2016-04-12 1:34 ` Al Viro
2016-04-12 2:16 ` Eric W. Biederman
2016-04-12 17:44 ` Andy Lutomirski
2016-04-12 18:12 ` Linus Torvalds
2016-04-12 19:07 ` H. Peter Anvin
2016-04-15 15:34 ` [PATCH 01/16] devpts: Attempting to get it right Eric W. Biederman
2016-04-15 15:35 ` [PATCH 01/16] devpts: Use the same default mode for both /dev/ptmx and dev/pts/ptmx Eric W. Biederman
2016-04-15 15:35 ` [PATCH 02/16] devpts: Set the proper fops for /dev/pts/ptmx Eric W. Biederman
2016-04-15 15:35 ` [PATCH 03/16] vfs: Implement vfs_loopback_mount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 04/16] devpts: Teach /dev/ptmx to automount the appropriate devpts via path lookup Eric W. Biederman
2016-04-15 22:03 ` Jann Horn
2016-04-19 18:46 ` Eric W. Biederman
2016-04-15 15:35 ` [PATCH 05/16] vfs: Allow unlink, and rename on expirable file mounts Eric W. Biederman
2016-04-15 15:35 ` [PATCH 06/16] devpts: More obvious check for the system devpts in pty allocation Eric W. Biederman
2016-04-15 15:35 ` [PATCH 07/16] devpts: Cleanup newinstance parsing Eric W. Biederman
2016-04-15 15:35 ` [PATCH 08/16] devpts: Stop rolling devpts_remount by hand in devpts_mount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 09/16] devpts: Fail early (if appropriate) on overmount Eric W. Biederman
2016-04-15 15:35 ` [PATCH 10/16] devpts: Move parse_mount_options into fill_super Eric W. Biederman
2016-04-15 15:35 ` [PATCH 11/16] devpts: Make devpts_kill_sb safe if fsi is NULL Eric W. Biederman
2016-04-15 15:35 ` [PATCH 12/16] devpts: Move the creation of /dev/pts/ptmx into fill_super Eric W. Biederman
2016-04-15 15:35 ` [PATCH 13/16] devpts: Simplify devpts_mount by using mount_nodev Eric W. Biederman
2016-04-15 15:35 ` [PATCH 14/16] vfs: Implement mount_super_once Eric W. Biederman
2016-04-15 23:02 ` Linus Torvalds
2016-04-19 18:22 ` Eric W. Biederman
2016-04-19 18:47 ` H. Peter Anvin
2016-04-19 19:03 ` Eric W. Biederman
2016-04-19 19:25 ` H. Peter Anvin
2016-04-19 19:26 ` H. Peter Anvin
2016-04-20 3:27 ` Eric W. Biederman
2016-04-20 11:50 ` Austin S. Hemmelgarn
2016-04-20 16:12 ` H. Peter Anvin
2016-04-19 18:55 ` H. Peter Anvin
2016-04-19 23:29 ` Linus Torvalds
2016-04-20 1:24 ` Linus Torvalds
2016-04-20 1:37 ` H. Peter Anvin
2016-04-15 15:35 ` [PATCH 15/16] devpts: Always return a distinct instance when mounting Eric W. Biederman
2016-04-15 15:35 ` [PATCH 16/16] devpts: Kill the DEVPTS_MULTIPLE_INSTANCE config option Eric W. Biederman
2016-04-15 16:49 ` [PATCH 01/16] devpts: Attempting to get it right Andy Lutomirski
2016-04-15 20:43 ` Eric W. Biederman [this message]
2016-04-15 21:29 ` H. Peter Anvin
2016-04-19 19:00 ` Eric W. Biederman
2016-04-16 18:31 ` Linus Torvalds
2016-04-19 18:44 ` Does anyone care about a race free ptsname? Eric W. Biederman
2016-04-19 19:16 ` H. Peter Anvin
2016-04-19 20:32 ` Eric W. Biederman
2016-04-19 20:55 ` H. Peter Anvin
2016-04-19 20:42 ` Serge E. Hallyn
2016-04-19 23:23 ` Linus Torvalds
2016-04-19 23:39 ` H. Peter Anvin
2016-04-20 0:18 ` Linus Torvalds
2016-04-20 1:48 ` Serge E. Hallyn
2016-04-19 22:06 ` [PATCH 01/16] devpts: Attempting to get it right Eric W. Biederman
2016-04-19 23:35 ` Linus Torvalds
2016-04-20 0:24 ` Peter Hurley
2016-04-20 0:49 ` Peter Hurley
2016-04-20 3:04 ` [PATCH] devpts: Make each mount of devpts an independent filesystem Eric W. Biederman
2016-04-20 3:25 ` Al Viro
2016-04-20 3:43 ` Eric W. Biederman
2016-04-20 4:11 ` Al Viro
2016-04-20 4:21 ` Eric W. Biederman
2016-04-20 4:36 ` Konstantin Khlebnikov
2016-04-20 4:49 ` Linus Torvalds
2016-04-20 14:55 ` Eric W. Biederman
2016-04-20 15:34 ` Konstantin Khlebnikov
2016-04-20 15:50 ` Eric W. Biederman
2016-04-20 17:00 ` [PATCH v2] " Eric W. Biederman
[not found] ` <874mabt3df.fsf_-_@x220.int.ebiederm.org>
2016-05-06 19:04 ` [PATCH 1/1] " Eric W. Biederman
2016-05-06 19:35 ` [PATCH 0/1] devpts: Removing the need for pt_chown Greg KH
2016-05-06 19:45 ` Peter Hurley
2016-05-06 19:54 ` Greg KH
2016-06-02 15:29 ` [PATCH tty-next] devpts: Make each mount of devpts an independent filesystem Eric W. Biederman
2016-06-02 18:57 ` Linus Torvalds
2016-06-02 20:22 ` Eric W. Biederman
2016-06-02 20:36 ` H. Peter Anvin
2016-06-02 21:23 ` Eric W. Biederman
2016-06-02 21:44 ` Linus Torvalds
2016-04-11 23:49 ` [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup Eric W. Biederman
2016-04-12 0:08 ` Linus Torvalds
2016-04-12 0:22 ` Eric W. Biederman
2016-04-12 0:50 ` Linus Torvalds
2016-04-11 20:05 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y48evbzn.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=aurelien@aurel32.net \
--cc=fw@deneb.enyo.de \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=jann@thejh.net \
--cc=jslaby@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=peter@hurleysoftware.com \
--cc=security@debian.org \
--cc=security@kernel.org \
--cc=security@ubuntu.com \
--cc=serge.hallyn@ubuntu.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).