On Sun, Feb 19, 2017 at 04:35:12PM +0100, Florian Weimer wrote: > * Greg KH: > > > On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote: > >> We want to reject PTY devices from other namespaces as valid input to > >> the ttyname and ttyname_r functions, while still providing a hint to > >> callers that the device is, in fact, a PTY. Christian Brauner wrote a > >> glibc patch for this: > >> > >> <https://sourceware.org/ml/libc-alpha/2017-01/msg00531.html> > >> > >> It hard-codes the major PTY device number range. Is this feasible? > >> Is it part of the stable userspace ABI for the TTY subsystem? > > > > What major numbers are you using in the patch '2' and '3'? > > I think there is just one patch, and the check looks like this: > > static inline int > is_pty (struct stat64 *sb) > { > int m = major (sb->st_rdev); > return (136 <= m && m <= 143); > } Ah, yes, 136-143 are the right ones, sorry, I was looking at the "legacy" ones in devices.txt. > > And yes, > > major numbers are static and you should be fine to rely on them. But > > can't you test that the device is a pty to verify it? > > It's not entirely clear what exactly a PTY descriptor should be for > ttyname. Going forward, we only want to treat descriptors for PTY > devices which can be accessed using /dev/pts paths in the current > namespace as PTYs. Christian's patch adds a separate error code for > the case where the descriptor is a PTY, but it comes from a different > namespace. > > I'm concerned that some software out there assumes that if standard > input is a PTY according to ttyname, it is safe to chown it. There > have been security issues related to that a long time ago on some UNIX > systems, and I want us to be conservative here. Yeah, it's tricky. And putting namespaces in the mix makes it messier. Good luck! greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
