Linus Torvalds <torva...@linux-foundation.org> writes:

> But more fundamentally I still don't actually understand why you even
> really care.
At this point I care because there is a failure of communication. Until this email no one has ever said: "Ok that actually could happen but we don't actually care." Right now I am a bit paranoid because I have seen a few too many cases where some little detail was glossed over and someone clever turned it into a great big CVE they could drive a truck through. So I am once bitten twice shy and all of that.

> We get the wrong pts case *today*. We'd get a different wrong pts
> namespace when somebody tries to do odd things. Why would we care? It
> would be a _better_ guess.
>
> I don't see the security issue. If you do tricks to get pty's in
> another group, what's the problem? You have to do it consciously, and
> I don't see what the downside is. You get what you ask for, and I
> don't see a new attack surface.
>
> The whole "somebody used chmod on /dev/pts/" argument sounds bogus.
> That's an insane thing to do. If you want a private namespace, you
> make *all* of /dev private, you don't go "oh, I'll just make the pts
> subdirectory private".

Oh I pretty much agree it is an insane thing to do. At the same time I know that people can make a lot of little sane decisions that can lead to an insane situation, so just because it is insane I can't rule it out automatically.

The actual sane thing to do, and what I think most of userspace does at this point, is to create its own mount namespace so nothing is visible to outsiders.

> In other words, your whole scenario sounds totally made up to begin
> with. And even if it happens, I don't see what would be so disastrous
> about it.

In general I agree. The scenario is made up. I would be surprised if it happens.

> I mean, right now, /dev/ptmx is world read-write in the root container
> and everybody gets access to the same underlying set of ptys. And
> that's not some horrible security issue. It's how things are
> *supposed* to work.

I agree.

> So I really don't see the argument. You guys are just making shit up.
I don't see why we have the Linux extension of supporting anything except mode 0666 on /dev/ptmx or /dev/pts/ptmx. This is really about not breaking that Linux extension by overlooking some little detail.

On the attack analysis front the worst thing I can see happening is a denial of service attack. I see two possible denial of service attacks. One possible attack creates a pty and prevents devpts from being unmounted. Another possible attack creates all possible ptys on a devpts instance, and prevents legitimate tty creations from happening.

At the end of the day, as you say, it would be a pretty crazy person who isolated a mount of devpts with just the permissions of /dev/pts/ptmx. So if we don't want to care, knowing those stupid attacks above are possible, I am happy not to care. They don't look all that serious to me.

Eric
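As an added example (not code from this thread or from the kernel), a small audit that parses /proc/self/mountinfo text and reports, per devpts instance, the ptmxmode option behind the "anything except mode 0666" remark above, so an administrator can see which instances rely on restricted ptmx permissions. The mountinfo lines are constructed samples; the 0000 default for a missing ptmxmode option is taken from the devpts documentation.

```python
"""Audit devpts mounts for ptmx permissions other than 0666.

Works on the text of /proc/self/mountinfo (proc(5) field layout).
"""
from typing import Dict, List

# Constructed sample input, not captured from a real machine.
SAMPLE_MOUNTINFO = """\
23 21 0:20 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
24 21 0:21 / /run/ns/a/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
25 21 0:22 / /run/ns/b/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=660
26 21 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""


def parse_super_options(opts: str) -> Dict[str, str]:
    """Split 'rw,gid=5,mode=620' into a dict; flag-only options map to ''."""
    out: Dict[str, str] = {}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        out[key] = value
    return out


def devpts_mounts(mountinfo: str) -> List[Dict[str, object]]:
    """One record per devpts mount: mount point, ptmxmode, and whether it is 0666."""
    records: List[Dict[str, object]] = []
    for line in mountinfo.splitlines():
        if not line.strip():
            continue
        # Optional fields end at the literal " - " separator (proc(5)).
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        fstype, _source, super_opts = post.split(maxsplit=2)
        if fstype != "devpts":
            continue
        opts = parse_super_options(super_opts)
        # devpts documents 0000 as the default when ptmxmode is not given.
        ptmxmode = int(opts.get("ptmxmode", "000"), 8)
        records.append({
            "mountpoint": fields[4],
            "ptmxmode": ptmxmode,
            "ptmx_0666": ptmxmode == 0o666,
        })
    return records


def restricted_ptmx(mountinfo: str) -> List[str]:
    """Mount points whose pts/ptmx node is not world read-write (review list)."""
    return [str(r["mountpoint"]) for r in devpts_mounts(mountinfo) if not r["ptmx_0666"]]
```

On hosts that expose a separate /dev/ptmx character device the /dev/pts instance commonly shows ptmxmode 000, so treat the list as something to review rather than an automatic finding.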