From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759237AbcDHXOK (ORCPT ); Fri, 8 Apr 2016 19:14:10 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:52727 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752449AbcDHXOI (ORCPT ); Fri, 8 Apr 2016 19:14:08 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Linus Torvalds Cc: Andy Lutomirski , security@debian.org, "security\@kernel.org" , Al Viro , "security\@ubuntu.com \>\> security" , Peter Hurley , Serge Hallyn , Willy Tarreau , Aurelien Jarno , Jann Horn , Greg KH , Linux Kernel Mailing List , Jiri Slaby , Florian Weimer , "H. Peter Anvin" References: <878u0s3orx.fsf_-_@x220.int.ebiederm.org> <1459819769-30387-1-git-send-email-ebiederm@xmission.com> <87twjcorwg.fsf@x220.int.ebiederm.org> <87d1pzn60f.fsf@x220.int.ebiederm.org> Date: Fri, 08 Apr 2016 18:03:11 -0500 In-Reply-To: (Linus Torvalds's message of "Fri, 8 Apr 2016 14:54:18 -0700") Message-ID: <87wpo7itzk.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX19sR1B0hCYs7ovPWXwjWuPZaRzh3lG1Weo= X-SA-Exim-Connect-IP: 67.3.249.252 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa01 1397; Body=1 Fuz1=1 Fuz2=1] * 0.5 XM_Body_Dirty_Words Contains a dirty word X-Spam-DCC: XMission; sa01 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Linus Torvalds X-Spam-Relay-Country: X-Spam-Timing: total 1868 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.8 (0.2%), b_tie_ro: 2.6 (0.1%), parse: 1.33 (0.1%), extract_message_metadata: 27 (1.5%), get_uri_detail_list: 4.1 (0.2%), tests_pri_-1000: 7 (0.4%), tests_pri_-950: 1.96 (0.1%), tests_pri_-900: 1.71 (0.1%), tests_pri_-400: 43 (2.3%), check_bayes: 41 (2.2%), b_tokenize: 17 (0.9%), b_tok_get_all: 10 (0.6%), b_comp_prob: 6 (0.3%), b_tok_touch_all: 3.0 (0.2%), b_finish: 0.85 (0.0%), tests_pri_0: 1766 (94.6%), check_dkim_signature: 0.94 (0.1%), check_dkim_adsp: 1109 (59.4%), tests_pri_500: 9 (0.5%), poll_dns_idle: 0.03 (0.0%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Linus Torvalds writes: > But more fundamentally I still don't actually understand why you even > really care. At this point I care because there is a failure of communication. Until this email no one has ever said: "Ok that actually could happen but we don't actually care." Right now I am a bit paranoid because I have seen a few too many cases where some little detail was glossed over and someone clever turned it into a great big CVE they could drive a truck through. So I am once bitten twice shy and all of that. > We get the wrong pts case *today*. We'd get a different wrong pts > namespace when somebody tries to do odd things. Why would we care? It > would be a _better_ guess. > > I don't see the security issue. If you do tricks to get pty's in > another group, what's the problem? You have to do it consciously, and > I don't see what the downside is. You get what you ask for, and I > don't see a new attack surface. > > The whole "somebody used chmod on /dev/pts/" argument sounds bogus. > That's an insane thing to do. If you want a private namespace, you > make *all* of /dev private, you don't go "oh, I'll just make the pts > subdirectory private". Oh I pretty much agree it is an insane thing to do. At the same time I know that people can make a lot of little sane decisions that can lead to an insane situation, so just because it is insane I can't rule it out automatically. The actual sane thing to do, and what I think most of userspace does at this point is to create it's own mount namespace so nothing is visible to outsiders. > In other words, your whole scenario sounds totally made up to begin > with. And even if it happens, I don't see what would be so disastrous > about it. In general I agree. The scenario is made up. I would be surprised if it happens. > I mean, right now, /dev/ptmx is world read-write in the root container > and everybody gets access to the same underlying set of ptys. And > that's not some horrible security issue. It's how things are > *supposed* to work. I agree. > So I really don't see the argument. You guys are just making shit up. I don't see why we have the linux extension of supporting anything except mode 0666 on /dev/ptmx or /dev/pts/ptmx. This is really about not breaking that linux extension by overlooking some little detail. On the attack analysis front the worst thing I can see happening is a denial of service attack. I see two possible denial of service attacks. One possible attack creates a pty and prevents devpts from being unmounted. Another possible attack creates all possible ptys on a devpts instance, and prevents legitimate tty creations from happening. At the end of the day as you say it would be a pretty crazy person who isolated a mount of devpts with just the permissions of /dev/pts/ptmx. So if we don't want to care knowing those stupid attacks above are possible I am happy not to care. They don't look all that serious to me. Eric