[lxc-devel] [PATCH] Improper pty permissions - missing mode=0620, gid=5

Serge Hallyn serge.hallyn at ubuntu.com
Wed Oct 16 16:47:04 UTC 2013


Quoting Stéphane Graber (stgraber at ubuntu.com):
> This fix is coming from Debian bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122
> 
> The reason for the hardcoded gid= and mode= is because of the fix for
> CVE-2013-2207 which removes pt_chown from glibc and so requires proper
> write access to devpts.
> 
> It looks like the "tty" group is guaranteed to be gid=5 on at least all
> RedHat based and Debian based systems. So this hardcode gid shouldn't be

Ok.  In the past I've declined to do this precisely because tty is userspace
specified and therefore I didn't trust this.  But if you've looked into
it this much then I'm happy with it.

> a big problem. If we however support any distro where that's not the
> case, we'll need to implement an extra lxc.conf option and matching
> template changes.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  src/lxc/conf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index ecbcf41..f3d9aab 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1426,7 +1426,7 @@ static int setup_pts(int pts)
>  	}
>  
>  	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,
> -		  "newinstance,ptmxmode=0666")) {
> +		  "newinstance,ptmxmode=0666,mode=0620,gid=5")) {
>  		SYSERROR("failed to mount a new instance of '/dev/pts'");
>  		return -1;
>  	}
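Review bot: the numeric gid 5 and mode 0620 are hardcoded in the mount option string with no comment at the call site, so the reasoning given only in the commit message (tty is gid 5 on Debian- and RedHat-based systems, needed because CVE-2013-2207 removed pt_chown) is lost to anyone reading setup_pts() later. Suggest a short comment above the mount() call, or a named constant for the tty gid, stating that assumption and pointing at the Debian bug, and noting that a distro where tty is not gid 5 needs the lxc.conf option mentioned in the commit message rather than a silent change of this literal.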
> -- 
> 1.8.3.2
> 
> 
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
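As an added illustration (not part of the thread or of LXC's own code) of what the patched option string buys: a small C program that parses a devpts mount option string, reports whether it carries the mode=0620,gid=5 pair that pt_chown used to arrange via grantpt(), and then allocates a real pty and reports the slave node's mode and group. The pre-patch and patched strings are copied from the hunk above; the expected gid of 5 is the Debian/RedHat "tty" assumption made in the commit message, and the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parsed view of a devpts option string such as
 * "newinstance,ptmxmode=0666,mode=0620,gid=5". Numeric fields are -1 when absent. */
struct devpts_opts {
    long mode;        /* mode=     : permission bits of each slave pty node */
    long gid;         /* gid=      : group owner of each slave pty node */
    long ptmxmode;    /* ptmxmode= : permission bits of ptmx in this instance */
    int newinstance;  /* newinstance present */
};

/* strtol with base 0 so a leading 0 (0620, 0666) is read as octal, as mount(8) does. */
static long parse_num(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 0);
    if (errno || end == s || *end != '\0')
        return -1;
    return v;
}

int parse_devpts_opts(const char *options, struct devpts_opts *out)
{
    char buf[256];
    if (strlen(options) >= sizeof(buf))
        return -1;
    strcpy(buf, options);
    out->mode = out->gid = out->ptmxmode = -1;
    out->newinstance = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (strcmp(tok, "newinstance") == 0)
            out->newinstance = 1;
        else if (strncmp(tok, "mode=", 5) == 0)
            out->mode = parse_num(tok + 5);
        else if (strncmp(tok, "gid=", 4) == 0)
            out->gid = parse_num(tok + 4);
        else if (strncmp(tok, "ptmxmode=", 9) == 0)
            out->ptmxmode = parse_num(tok + 9);
        /* any other token is left to mount(2) to accept or reject */
    }
    return 0;
}

/* 1 when slave nodes will be created with mode 0620 and the given group
 * (the state grantpt() used to reach through the setuid pt_chown helper), else 0. */
int devpts_opts_hardened(const char *options, long expected_gid)
{
    struct devpts_opts o;
    if (parse_devpts_opts(options, &o) != 0)
        return 0;
    return o.mode == 0620 && o.gid == expected_gid;
}

/* Live check on the running system: allocate a pty and read back the
 * slave node's mode and group. Returns 0 and fills the outputs on success. */
int check_live_pty(mode_t *mode, gid_t *gid)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    const char *name;
    struct stat st;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        !(name = ptsname(master)) || stat(name, &st) < 0) {
        close(master);
        return -1;
    }
    *mode = st.st_mode & 07777;
    *gid = st.st_gid;
    close(master);
    return 0;
}

int main(void)
{
    /* Option strings as they appear in the hunk, before and after the patch. */
    const char *before = "newinstance,ptmxmode=0666";
    const char *after  = "newinstance,ptmxmode=0666,mode=0620,gid=5";
    printf("before: %s\n", devpts_opts_hardened(before, 5) ? "ok" : "missing mode/gid");
    printf("after:  %s\n", devpts_opts_hardened(after, 5) ? "ok" : "missing mode/gid");

    mode_t mode;
    gid_t gid;
    if (check_live_pty(&mode, &gid) == 0)
        printf("live pty slave: mode %04o gid %u\n", (unsigned)mode, (unsigned)gid);
    else
        perror("pty check");
    return 0;
}
```

Without mode=0620,gid=5, a new devpts instance creates slaves as 0600 owned by the opener's primary group, so a glibc whose grantpt() no longer execs pt_chown cannot give group tty write access; the live check makes that visible on whatever devpts the program runs under.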
