[lxc-devel] [PATCH] Improper pty permissions - missing mode=0620, gid=5

Stéphane Graber stgraber at ubuntu.com
Tue Oct 15 18:54:41 UTC 2013


This fix is coming from Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122

The reason for the hardcoded gid= and mode= is because of the fix for
CVE-2013-2207 which removes pt_chown from glibc and so requires proper
write access to devpts.

It looks like the "tty" group is guaranteed to be gid=5 on at least all
RedHat based and Debian based systems. So this hardcoded gid shouldn't be
a big problem. If we however support any distro where that's not the
case, we'll need to implement an extra lxc.conf option and matching
template changes.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 src/lxc/conf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index ecbcf41..f3d9aab 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1426,7 +1426,7 @@ static int setup_pts(int pts)
 	}
 
 	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,
-		  "newinstance,ptmxmode=0666")) {
+		  "newinstance,ptmxmode=0666,mode=0620,gid=5")) {
 		SYSERROR("failed to mount a new instance of '/dev/pts'");
 		return -1;
 	}
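Review bot: the new mount option string bakes in gid=5 with no fallback, so on any system where the "tty" group is not gid 5 (the case the commit message itself says is unhandled) every pty in the new devpts instance will be group-owned by whatever group happens to hold gid 5, and the mode=0620 group-write bit then grants write access to the wrong group. Rather than leaving that to a future lxc.conf option, consider resolving the gid at runtime (e.g. getgrnam("tty") on the host, falling back to 5) and building the option string with snprintf before the mount() call, and logging the gid actually used so a mismatch is visible in the container log. It would also help to document in the commit message or a code comment why mode=0620 is required (the CVE-2013-2207 / pt_chown removal noted above), since the bare "mode=0620,gid=5" literal gives a later reader no hint of that.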
-- 
1.8.3.2