On Wed, Mar 29, 2017 at 10:07 AM, Russell Coker <russ...@coker.com.au> wrote:
> Package: systemd-container
> Version: 232-22
> Severity: normal
>
> # grep pts /proc/mounts
> devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
> # ls -l /dev/pts/ptmx
> c---------. 1 root root 5, 2 Mar 20 21:51 /dev/pts/ptmx
>
> The above is from a regular Debian/unstable shell.
>
> # grep pts /proc/mounts
> devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
> # ls -l /dev/pts/ptmx
> crw-rw-rw-. 1 root root 5, 2 Mar 30 2017 /dev/pts/ptmx
>
> The above is from a shell run from a chroot managed by systemd-nspawn. I have
> systemd-nspawn starting the below shell script that runs sshd, so nothing in
> the chroot environment has any effect on mount options.
>
> Why does the virtual environment created by systemd-nspawn have different
> permissions for /dev/pts/ptmx than the outside environment? I am not claiming
> that what systemd-nspawn is doing is inherently wrong (it might be the correct
> thing for other distributions), but I believe that it should be consistent with
> the main Debian environment. It is plausible that systemd-nspawn is correct
> here and the rest of Debian is wrong; if so, please reassign the bug
> appropriately. But as a security person I'm leaning towards minimum privileges
> being the correct choice, which means mode 0 would be correct and mode 666
> (as used by systemd-nspawn) would be a bug.
From the kernel documentation [1]:

> As an option instead of placing a /dev/ptmx device node at /dev/ptmx
> it is possible to place a symlink to /dev/pts/ptmx at /dev/ptmx or
> to bind mount /dev/ptx/ptmx to /dev/ptmx. If you opt for using
> the devpts filesystem in this manner devpts should be mounted with
> the ptmxmode=0666, or chmod 0666 /dev/pts/ptmx should be called.

And indeed nspawn sets up /dev/ptmx as a symlink, while the Debian host does not do that. In the host, /dev/ptmx has 0666 permissions.

[1] https://www.kernel.org/doc/Documentation/filesystems/devpts.txt

-- 
Regards,
Felipe Sateler
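The rule Felipe quotes can be turned into a consistency check: read the devpts entry from /proc/mounts-style text, see how /dev/ptmx is provided, and flag either a symlink layout with a restrictive ptmxmode (nothing could open a pty) or a separate device node with 666 (works, but wider than least privilege). This is an added example script, not code from the bug thread, Debian or systemd; the two mount lines are constructed copies of the ones quoted in the report.

```shell
#!/bin/sh
# Added example: audit a devpts mount's ptmxmode against how /dev/ptmx is
# provided, following Documentation/filesystems/devpts.txt: a symlink or bind
# mount to /dev/pts/ptmx needs ptmxmode=0666; a separate /dev/ptmx device node
# does not, so 000 is the least-privilege setting in that layout.

# Print the ptmxmode of the /dev/pts devpts entry in /proc/mounts-style text,
# leading zeros stripped ("000" -> "0", "0666" -> "666"). A missing option
# prints "0", which is the kernel's default for ptmxmode.
ptmxmode_of() {
    mode=$(printf '%s\n' "$1" \
        | awk '$2 == "/dev/pts" && $3 == "devpts" { print $4 }' \
        | tr ',' '\n' | sed -n 's/^ptmxmode=0*//p')
    printf '%s\n' "${mode:-0}"
}

# $1: /proc/mounts text; $2: "symlink" when /dev/ptmx points at /dev/pts/ptmx
# (nspawn's layout) or "node" when it is a separate character device (the
# Debian host). Prints ok | broken | too-permissive.
audit_ptmx() {
    mode=$(ptmxmode_of "$1")
    case "$2:$mode" in
        symlink:666) echo ok ;;              # the only working symlink setup
        symlink:*)   echo broken ;;          # no process can open /dev/ptmx
        node:0)      echo ok ;;              # least privilege; node is separate
        node:*)      echo too-permissive ;;  # works, but wider than needed
    esac
}

# How the running system provides /dev/ptmx (for use on a live host/container,
# e.g. audit_ptmx "$(cat /proc/mounts)" "$(ptmx_layout)").
ptmx_layout() {
    if [ -L /dev/ptmx ]; then echo symlink; else echo node; fi
}

# Constructed samples reproducing the two mount lines quoted in the report.
HOST_MOUNTS='devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0'
NSPAWN_MOUNTS='devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0'

echo "host   (device node): $(audit_ptmx "$HOST_MOUNTS" node)"       # ok
echo "nspawn (symlink):     $(audit_ptmx "$NSPAWN_MOUNTS" symlink)"  # ok
echo "node with 666:        $(audit_ptmx "$NSPAWN_MOUNTS" node)"     # too-permissive
echo "symlink with 000:     $(audit_ptmx "$HOST_MOUNTS" symlink)"    # broken
```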