(Replying via mutt since the PSU in my main machine (the one that has Thunderbird installed) died last night: the RMA is in progress, but it'll be a few days...)
On Sat, Aug 04, 2007 at 04:42:51PM +0100, Ken Moffat wrote:
> > so the nobody user won't be able to read these devices. Not sure how
> > you would work around that, unless you use login instead of su to
> > start the nobody user doing the testing (which will change ownership
> > of /dev/pts/x and hence the tests will pass)
> >
> A little bit of testing (after building to the end of chapter 6
> earlier, I've gone back into chroot to play with this). It looks as
> if chown /dev/stdin *might* work (I'm on an xterm):
>
> root in chroot /# chown nobody /dev/stdin
> root in chroot /# su-tools nobody -s /bin/bash
> bash: /dev/null/.bashrc: Not a directory
> nobody in chroot /$ ls -l /dev/stdin
> lrwxrwxrwx 1 root root 15 Aug 4 15:51 /dev/stdin -> /proc/self/fd/0
> nobody in chroot /$ ls -l /dev/pts
> total 0
> crw--w---- 1 ken tty 136, 0 Aug 4 16:22 0
> crw--w---- 1 ken tty 136, 1 Aug 4 16:01 1
> crw--w---- 1 ken tty 136, 2 Aug 4 16:30 2
> crw--w---- 1 nobody tty 136, 3 Aug 4 16:32 3
> crw--w---- 1 ken tty 136, 4 Aug 4 16:30 4
> nobody in chroot /$ test -r /dev/stdin ; echo $?
> 0
> nobody in chroot /$
>
> This seems too good to be true. We are running as root, so I guess
> we can happily continue to read and write to this pts dev after the
> tests are finished. If nobody pokes a hole in this or beats me to it,
> I'll start another build, but probably not before tomorrow.

Seems like it should work to me.

There is one thing we might want to be careful of: We may not want to allow some random host user to access the pseudo-term device after the tests are done. However, this is a separate devpts mount from the host's /dev/pts, so I'm not sure if the devices are accessible from the host. They shouldn't be available directly, but if the same device major/minor numbers show up in a file in the host's /dev/pts directory, *and* if the chown affects both, then they may be. But I haven't tried it (and don't have a system available to do so either, see above...).

Er, actually, depending on the read/execute permissions on the various directories leading up to $LFS, the random user on the host may be able to open the $LFS/dev/pts/X file directly. That wouldn't be good... (OTOH, I'm not sure how much damage may be done by allowing an untrusted user to read and write your TTY device, either. I'm assuming they can get the input that you're sending it, and I'm assuming they can print to it, but I'm not sure they can read the device's contents. And if the TTY is only being used to build LFS, it may not matter much either. The root password has already been assigned by this point, I think, so sniffing that won't be possible.)
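The exposure raised in the message above depends on the permissions of every directory between the host root and the device node under $LFS. The following host-side check is an added example, not part of the original message or of the LFS book; the function names `blocking_components` and `audit_node` are hypothetical, and it looks only at classic mode bits (ACLs and group membership are ignored).

```python
import os
import stat
import sys


def blocking_components(path, top="/"):
    """Ancestor directories of `path` (up to and including `top`) that
    lack the 'other' search (x) bit, listed outermost first."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    blocked = []
    cur = os.path.dirname(path)
    while True:
        if not os.stat(cur).st_mode & stat.S_IXOTH:
            blocked.append(cur)
        if cur == top or cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    return blocked[::-1]


def audit_node(path, top="/"):
    """Summarise who could open `path` from the host side.

    reachable_by_other: every ancestor directory is searchable by 'other',
    so any host user can at least attempt open() on the node.
    other_rw: the node's own mode grants read or write to 'other'.
    owner_uid: the host account with this uid gets the owner bits, which
    is what a chown to nobody inside the chroot changes.
    """
    st = os.stat(path)
    blocked = blocking_components(path, top)
    return {
        "owner_uid": st.st_uid,
        "mode": stat.filemode(st.st_mode),
        "other_rw": bool(st.st_mode & (stat.S_IROTH | stat.S_IWOTH)),
        "reachable_by_other": not blocked,
        "blocked_at": blocked,
    }


if __name__ == "__main__":
    # Usage (assumed invocation): python3 audit_pts.py "$LFS/dev/pts/3"
    for node in sys.argv[1:]:
        print(node, audit_node(node))
```

If `reachable_by_other` is true and `owner_uid` maps to an account other than the builder's, the node is open to that account from the host for as long as the ownership stays changed.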
