On Mon, Apr 11, 2016 at 5:22 PM, Eric W. Biederman
<ebied...@xmission.com> wrote:
>
> I meant the one where I conceded that the only think that it could
> possible protect against was a denial of service attack, from which we
> probably don't care.
Yeah, that's the same email I was talking about, I was just quoting
another part.
> As I agreed with you that it was unnecessary I was just puzzled why you
> called what was essentially agreement with you deafening silence.
The "deafening silence" was about _why_ this all would be a problem,
and why the security checks would be needed.
Basically, I think that if /dev/pts/ is accessible, we should just say
"ok, you can open a pty on it".
The fact that you could open a pty by bind-mounting it somewhere else,
and then adding a "ptmx" node to the same directory is not a security
issue: it's simply how devpts works.
In no actual sane and relevant situation is that a problem, for the
simple fact that there will *already* be a ptmx node that is
world-accessible in the same directory that has that /dev/pts/ mount.
Anything else is insane and irrelevant. This is *literally* what POSIX
says. Sure, POSIX also has that whole language about "posix_openpt()",
but that's just BS and irrelevant. The very page that mentions
"posix_openpt()" also says
"On implementations supporting the /dev/ptmx clone device, opening
the master device of a pseudo-terminal is simply:
mfdp = open("/dev/ptmx", oflag );
if (mfdp < 0)
return -1;"
and Linux unquestionably falls in that "supports /dev/ptmx" camp.
So I claim that the _only_ sane use of devpts is to already have a
world-accessible ptmx node there, and nothing else makes sense.
And if you want to be private, you had better make the whole /dev/
subdirectory private (which also takes care of any bind mount issues)
Linus
