[Lxc-users] Permissions on devpts in container

Serge Hallyn serge.hallyn at ubuntu.com
Mon Sep 23 16:07:51 UTC 2013 

Quoting John (lxc at jelmail.com):
> Hello list,
> 
> I have noticed a difference in behaviour on a new host that I have just 
> installed which uses LXC 0.9.0. The differences are noted when compared 
> with another host that has LXC 0.9.0-alpha3 on it.
> 
> Inside a container under LXC 0.9.0, the devpts mounts are like this:
> devpts on /dev/console type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
> devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
> devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)
> 
> Previously, under LXC 0.9.0-alpha3, they were like this:
> devpts on /dev/console type devpts (rw,relatime,mode=600,ptmxmode=000)
> devpts on /dev/tty1 type devpts (rw,relatime,mode=600,ptmxmode=000)
> devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)
> 
> The upshot of this is that regular users can't create pty unless they 
> are in the "tty" group (gid 5).
> This means the simple task of opening a terminal window will fail for 
> such users.
> 
> Is this because of a change made some time between 0.9.0-alpha3 and 
> 0.9.0 ? I have trawled the git commit messages but couldn't see 
> anything. Google did throw the following for me:
> https://bugzilla.redhat.com/show_bug.cgi?id=554203
> http://www.redhat.com/archives/libvir-list/2011-February/msg00975.html
> Those mention the permission change I've experienced but discuss LXC 
> with LibVirt. I am not using LibVirt.
> 
> My LXC config is the same in both examples, and I am not doing anything 
> differently between the two. They are both running ArchLinux and have 
> kernel versions as follows
> System 1: LXC 0.9.0-alpha3 Linux 3.7.10-1-ARCH
> System 2: LXC 0.9.0 Linux 3.11.1-1-ARCH
> 
> Is the rule now that users have to be in group 'tty' in a container or 
> am I missing something else?

I suspect the difference is actually in arch's init.  But I'm
not sure.  The only gid= option I see is specified in the alpine
template.

How exactly are you creating, starting, and accessing the containers?

More information about the lxc-users mailing list