[Bug 1242913] Re: /dev/pts being created with mode=600 by Lxc
Stéphane Graber
stgraber at stgraber.org
Mon Oct 21 22:02:02 UTC 2013
** Also affects: lxc (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Quantal)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Raring)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: lxc (Ubuntu Trusty)
Status: New => Fix Released
** Changed in: lxc (Ubuntu Precise)
Status: New => Triaged
** Changed in: lxc (Ubuntu Quantal)
Status: New => Triaged
** Changed in: lxc (Ubuntu Raring)
Status: New => Triaged
** Changed in: lxc (Ubuntu Saucy)
Status: New => Triaged
** Changed in: lxc (Ubuntu Precise)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Quantal)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Raring)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Saucy)
Importance: Undecided => High
** Description changed:
- I'm trying to set up a Centos 6 instance using lxc and it works fine
- except that non-root users cannot create pseudo-terminals under
- /dev/pts. After lots of googling, it appears that Lxc has reverted to
- an earlier bad behavior, in that /dev/pts is being created with the
- wrong permissions.
+ == Rationale ==
+ This needs to be SRUed to allow distros that dropped pt_chown to still work under LXC.
+ The change was done upstream as soon as we heard of the matching CVE, this change absolutely needs to land before or at the same time as the eglibc security update.
+
+ == Test case ==
+ 1) Start container
+ 2) cat /proc/mounts | grep "/dev/pts "
+ Check that this matches "devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0"
+
+ == Regression potential ==
+ The only risk is if a distro doesn't use 5 as the gid for the tty group. As far as we could find before doing that change upstream, none of the distros supported by LXC do so.
+
+
+ == Original bug report ==
+ I'm trying to set up a Centos 6 instance using lxc and it works fine except that non-root users cannot create pseudo-terminals under /dev/pts. After lots of googling, it appears that Lxc has reverted to an earlier bad behavior, in that /dev/pts is being created with the wrong permissions.
HOST
- # fgrep pts /proc/mounts
+ # fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
LXC instance
- [root at rh64bare ~]# fgrep pts /proc/mounts
+ [root at rh64bare ~]# fgrep pts /proc/mounts
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty2 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty3 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty4 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0
Note the mode on /dev/pts; only root can create pseudo terminals. I
tried to add an explicit devpts line to the instance fstab with the
correct parameters, but nothing changed. Additionally, /dev/pts is
being created root/root, not root/tty, so the gid=5 (also missing from
the /dev/pts options) would have no effect in any case.
Running Ubuntu 13.10 (but saw it with 13.4 as well).
This was fixed upstream:
commit 67e5a20ad1b5579a571f43f7dd8a1556a8bea7a1
Author: Stéphane Graber <stgraber at ubuntu.com>
Date: Tue Oct 15 14:54:41 2013 -0400
- Improper pty permissions - missing mode=0620, gid=5
-
- This fix is coming from Debian bug:
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122
-
- The reason for the hardcoded gid= and mode= is because of the fix for
- CVE-2013-2207 which removes pt_chown from glibc and so requires proper
- write access to devpts.
-
- It looks like the "tty" group is guaranteed to be gid=5 on at least all
- RedHat based and Debian based systems. So this hardcode gid shouldn't be
- a big problem. If we however support any distro where that's not the
- case, we'll need to implement an extra lxc.conf option and matching
- template changes.
-
- Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
- Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
+ Improper pty permissions - missing mode=0620, gid=5
+
+ This fix is coming from Debian bug:
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122
+
+ The reason for the hardcoded gid= and mode= is because of the fix for
+ CVE-2013-2207 which removes pt_chown from glibc and so requires proper
+ write access to devpts.
+
+ It looks like the "tty" group is guaranteed to be gid=5 on at least all
+ RedHat based and Debian based systems. So this hardcode gid shouldn't be
+ a big problem. If we however support any distro where that's not the
+ case, we'll need to implement an extra lxc.conf option and matching
+ template changes.
+
+ Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
+ Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Appears to be fixed in Trusty, but really needs to be backported to
Saucy
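The SRU test case above, turned into a script (an added example, not part of the bug report or of LXC itself): it parses /proc/mounts-format input and checks that the devpts mount on /dev/pts carries the gid=5, mode=620 and ptmxmode=666 options that let members of the tty group open ptys once glibc no longer ships pt_chown. The function names and the sample mount tables are constructed here; the bad sample reproduces the container mount lines quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or LXC): verify the devpts options
# that the SRU test case expects on /dev/pts. Reads /proc/mounts-format text
# on stdin; exit status 0 means the mount looks correct.
check_devpts_opts() {
    # In /proc/mounts: field 2 = mount point, field 3 = fs type, field 4 = options.
    opts=$(awk '$2 == "/dev/pts" && $3 == "devpts" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "no devpts filesystem mounted on /dev/pts" >&2
        return 1
    fi
    rc=0
    # gid=5 + mode=620 give the tty group write access to slave ptys;
    # ptmxmode=666 lets any user open the multiplexer to allocate one.
    for want in gid=5 mode=620 ptmxmode=666; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "/dev/pts missing option $want (got: $opts)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Convenience wrapper: pass the mount table as a string instead of via stdin.
check_mounts_string() {
    printf '%s\n' "$1" | check_devpts_opts
}

# Constructed samples. BAD_MOUNTS mirrors the broken container table from the
# report (mode=600, no gid); GOOD_MOUNTS is the line the SRU test case expects.
BAD_MOUNTS='devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0'
GOOD_MOUNTS='devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0'

# Stand-alone demo: the constructed tables first, then the running system.
check_mounts_string "$BAD_MOUNTS"  && echo "bad sample: accepted?!" || echo "bad sample: rejected"
check_mounts_string "$GOOD_MOUNTS" && echo "good sample: accepted" || echo "good sample: rejected?!"
if [ -r /proc/mounts ]; then
    check_devpts_opts < /proc/mounts && echo "this system: /dev/pts options OK"
fi
```

Run it inside the container after step 1 of the test case; a non-zero exit with a "missing option" message on stderr reproduces the report's symptom of non-root users being unable to allocate a pty.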
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1242913