Re: [PATCH] ioctl_tty.2: add TIOCGPTPEER documentation

From: Aleksa Sarai
Date: Wed Aug 16 2017 - 12:54:15 EST


A couple of things to note on the bigger picture.

The glibc library on all distributions has been changed to not have a
setuid binary pt_chown, that uses ptsname. This was the primary fix
for the security issue.

The behavior of opening /dev/ptmx has been changed to perform a path
lookup relative to the location of /dev/ptmx of ./pts/ptmx and open
it it is a devpts filesystem and to fail otherwise. This further
makes it hard to confuse userspace this way as /dev/ptmx always
corresponds to /dev/pts/ptmx. Even in chroots and in other mount
namespaces.

I have a feeling that there might be a way to trick glibc if you use FUSE, but I haven't actually tried to create a PoC for it. Fair point though.

That makes TIOCGPTPEER a very nice addition, but not something people
have to scramble to use to ensure their system is secure. As a hostile
environment now has to work very hard to confuse the existing mechanisms.

There are usecases where you simply need TIOCGPTPEER, and no other userspace alternative will do, but maybe if we modified the paragraph to read (as suggested):

Security-conscious programs interacting with namespaces may
wish to use this operation rather than open(2) with the
pathname returned by ptsname(3).

This would clarify that there are usecases where you need this particular feature, without saying causing people to panic over inaccurate claims of glibc being broken. Does that sound better?

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/