When systemd makes a mount namespace for PrivateDevices=yes, it bind-mounts the outer /dev/pts [1] and makes a symlink pts/ptmx -> $tmpdir/dev/ptmx (src/core/namespace.c [mount_dev]).

However, the outer /dev/pts is mounted *without* the option ptmxmode (src/core/mount-setup.c), so in the outer namespace /dev/pts/ptmx has mode 000 (inaccessible).

As a result, a service with PrivateDevices=yes cannot open new ptys (unless it has root/CAP_DAC_OVERRIDE).

Test unit files are attached (ptytest.service is expected to fail, while both ptytest-sysdev.service [no PrivateDevices] and ptytest-root.service [has CAP_DAC_OVERRIDE] are expected to work).

Tested only on Debian jessie with systemd-215; however, I checked the current systemd git master sources and have not found any changes that could have affected this issue.

[1] BTW, why? I'd rather expect it to mount a newinstance devpts?
# ptytest.service: PrivateDevices=yes plus an unprivileged user; expected to FAIL
[Unit]
Description=pty test
[Service]
##################################################################
# If it fails, try commenting out *one* of the following two lines:
PrivateDevices=yes
# (1) first test with *only* the line above commented out
User=daemon
# (2) second test with *only* the line above commented out
# (then `systemctl daemon-reload` and `systemctl restart ptytest`)
##################################################################

Type=oneshot
Environment=SHELL=/bin/sh
WorkingDirectory=/tmp
UMask=0000
# script(1) allocates a pty, which is what this test exercises
ExecStart=/usr/bin/script -a -c '/bin/echo working'

# ptytest-sysdev.service: same unprivileged user, but no PrivateDevices; expected to work
[Unit]
Description=pty test (with PrivateDevices=no)
[Service]
User=daemon

Type=oneshot
Environment=SHELL=/bin/sh
WorkingDirectory=/tmp
UMask=0000
ExecStart=/usr/bin/script -a -c '/bin/echo working'

# ptytest-root.service: PrivateDevices=yes but no User=, so it runs as root
# (and therefore has CAP_DAC_OVERRIDE); expected to work
[Unit]
Description=pty test (with CAP_DAC_OVERRIDE)
[Service]
PrivateDevices=yes

Type=oneshot
Environment=SHELL=/bin/sh
WorkingDirectory=/tmp
UMask=0000
ExecStart=/usr/bin/script -a -c '/bin/echo working'

_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
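The following is an added example, not part of the original post or of systemd: a small POSIX sh diagnostic that reads devpts mount lines in /proc/self/mounts format, works out the effective mode of each mount's ptmx node, and reports whether an unprivileged service would be able to open a pty through it. It assumes the kernel's documented devpts default of ptmxmode=0000 when the option is absent, and, as the post describes, that a PrivateDevices=yes service sees the host's /dev/pts (so the host devpts options are what matter). The sample mount lines are constructed; the function names (devpts_ptmxmode, ptmx_world_rw, devpts_report) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or systemd): decide from a devpts
# mount's option string whether /dev/pts/ptmx is usable by non-root processes.
# Assumption: kernel default devpts ptmxmode is 0000 when ptmxmode= is absent,
# which is exactly why the post's PrivateDevices=yes service cannot open ptys.

# devpts_ptmxmode OPTS: print the effective ptmxmode as four octal digits.
devpts_ptmxmode() {
    mode=0000                       # kernel default when ptmxmode= is absent
    old_ifs=$IFS
    IFS=','
    for opt in $1; do
        case "$opt" in
            ptmxmode=*) mode=${opt#ptmxmode=} ;;
        esac
    done
    IFS=$old_ifs
    # A leading 0 makes printf parse the value as octal, so both "666" and
    # "0666" normalise to 0666.
    printf '%04o\n' "0$mode"
}

# ptmx_world_rw OPTS: exit 0 when the ptmx node is readable and writable by
# "other", i.e. when a non-root service (no CAP_DAC_OVERRIDE) can open it.
ptmx_world_rw() {
    m=$(devpts_ptmxmode "$1")
    other=${m#${m%?}}               # last octal digit = permissions for "other"
    case "$other" in
        6|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# devpts_report: read /proc/self/mounts-format lines on stdin and print one
# verdict per devpts mount (other filesystems are skipped).
devpts_report() {
    while read -r _src mnt fstype opts _rest; do
        [ "$fstype" = devpts ] || continue
        if ptmx_world_rw "$opts"; then
            verdict="ok for unprivileged users"
        else
            verdict="INACCESSIBLE to unprivileged users (PrivateDevices=yes services will fail to open ptys)"
        fi
        printf '%s ptmxmode=%s %s\n' "$mnt" "$(devpts_ptmxmode "$opts")" "$verdict"
    done
}

# Constructed sample input: the first line mirrors the post's host devpts
# (no ptmxmode=), the second shows a devpts mounted with ptmxmode=666.
SAMPLE_MOUNTS='devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
devpts /srv/jail/dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | devpts_report

# Live check of the current system, skipped where /proc is not available.
if [ -r /proc/self/mounts ]; then
    devpts_report < /proc/self/mounts
fi
```

Run it on the host before deploying a PrivateDevices=yes unit that needs a pty: a devpts line whose options lack ptmxmode= (or carry a ptmxmode whose "other" digit is not 6 or 7) is reported as inaccessible, which is the condition the attached ptytest.service trips over. The check reads only the mount options; it does not itself try to allocate a pty, so it is safe to run from any user.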
