[Bug 1242913] [NEW] /dev/pts being created with mode=600 by Lxc

Launchpad Bug Tracker 1242913 at bugs.launchpad.net
Mon Oct 21 22:00:26 UTC 2013


You have been subscribed to a public bug:

I'm trying to set up a CentOS 6 instance using LXC and it works fine
except that non-root users cannot create pseudo-terminals under
/dev/pts.  After lots of googling, it appears that LXC has reverted to
an earlier bad behavior, in that /dev/pts is being created with the
wrong permissions.

HOST
# fgrep pts /proc/mounts 
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

LXC instance
[root@rh64bare ~]# fgrep pts /proc/mounts
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty2 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty3 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty4 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0

Note the mode on /dev/pts; only root can create pseudo terminals.  I
tried to add an explicit devpts line to the instance fstab with the
correct parameters, but nothing changed.  Additionally, /dev/pts is
being created root/root, not root/tty, so the gid=5 (also missing from
the /dev/pts options) would have no effect in any case.

Running Ubuntu 13.10 (but saw it with 13.4 as well).

This was fixed upstream:

commit 67e5a20ad1b5579a571f43f7dd8a1556a8bea7a1
Author: Stéphane Graber <stgraber at ubuntu.com>
Date:   Tue Oct 15 14:54:41 2013 -0400

    Improper pty permissions - missing mode=0620, gid=5
    
    This fix is coming from Debian bug:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122
    
    The reason for the hardcoded gid= and mode= is because of the fix for
    CVE-2013-2207 which removes pt_chown from glibc and so requires proper
    write access to devpts.
    
    It looks like the "tty" group is guaranteed to be gid=5 on at least all
    RedHat based and Debian based systems. So this hardcoded gid shouldn't be
    a big problem. If we however support any distro where that's not the
    case, we'll need to implement an extra lxc.conf option and matching
    template changes.
    
    Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
    Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Appears to be fixed in Trusty, but really needs to be backported to
Saucy.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
/dev/pts being created with mode=600 by Lxc
https://bugs.launchpad.net/bugs/1242913
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu.
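
The check the report performs by eye with `fgrep pts /proc/mounts`, as an added example that is not part of the original bug report or of LXC: it reads mount-table lines and flags any devpts mount that lacks the `gid=5` and `mode=620` options named in the upstream commit. The function names and the sample input (constructed from the mount lines quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit devpts mounts for gid=5,mode=620.
# Input: lines in /proc/mounts format on stdin.

# Constructed sample: two host-style lines and the two container lines
# from the report that carry mode=600 and no gid=.
sample_mounts() {
cat <<'EOF'
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0
EOF
}

# Prints "OK <mountpoint>" or "BAD <mountpoint> <reasons>" per devpts mount.
# Optional arguments: expected gid (default 5) and mode (default 620).
# Returns 1 if any devpts mount is BAD.
check_devpts() {
    awk -v want_gid="${1:-5}" -v want_mode="${2:-620}" '
    $3 == "devpts" {
        gid = ""; mode = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            # Anchored match, so ptmxmode= is not mistaken for mode=
            if (opt[i] ~ /^gid=/)  gid  = substr(opt[i], 5)
            if (opt[i] ~ /^mode=/) mode = substr(opt[i], 6)
        }
        why = ""
        if (gid == "")            why = why " gid-missing"
        else if (gid != want_gid) why = why " gid=" gid
        if (mode == "")           why = why " mode-missing"
        # Numeric comparison so that 0620 and 620 are treated as equal
        else if (mode + 0 != want_mode + 0) why = why " mode=" mode
        if (why == "") print "OK", $2
        else { print "BAD", $2 why; bad = 1 }
    }
    END { exit bad }'
}

# Demonstration on the constructed sample; on a live system use:
#   check_devpts < /proc/mounts
sample_mounts | check_devpts || echo "devpts mounts above need gid=5,mode=620"
```
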