On 12/21/2013 07:16 PM, Bryan Kadzban wrote:
> On Sat, Dec 21, 2013 at 04:33:42PM +0100, Armin K. wrote:
>> devpts should also be bind-mounted, as it will override default devpts
>> flags and permissions which were mounted before.
>>
>> In my case:
>>
>> mount output before mounting devpts at $LFS/dev/pts
>>
>> devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)
> 
> Why add nosuid or noexec?
> 

I didn't add anything. It's what systemd does by default. Please note
that this might not be the only variant.

> Only root can create files in the devpts filesystem anyway (the
> directory post mount is 0755 root/root), so users can't add setuid or
> executable files anyway.  And the filesystem contents can't be persisted
> anyway (it's not like a CD or USB drive, which might have the "user"
> option present, allowing users to attach arbitrary files to the system),
> so that's not a vector for introducing setuid or executable files
> either.
> 
> Seems like trying to restrict root isn't the best idea.  :-)
> 
>> I would certainly not want lfs to modify my host system.
> 
> That's one good reason that it's *not* a bind mount, IMO.
> 

Yes, but /dev is already a bind-mount, so lfs *might* (I don't say it
will though) touch the host's /dev/pts.

I do recall that when I did a chroot into an Arch system I have, and I just
mounted $chroot/dev/pts as was done before in LFS (mount -t devpts
devpts $chroot/dev/pts), it broke my /dev/pts on the currently running
system and I couldn't run any terminal emulator :(

LFS does it correctly by setting correct mode and gid, but I still think
that this one should be a bind-mount.

>> In some cases,
>> tty gid could be different
> 
> This is about the only potential issue.  However, the /etc/group file
> that's about to be created in the book at this point does definitely
> assign tty to gid 5, so inside the chroot, /dev/pts will definitely be
> correct regardless of the host group assignment.
> 
> ...And in fact, I think that's another reason to avoid a bind mount.  If
> the host assigns tty to gid 4, then the bind mount will be broken inside
> chroot, since glibc will require it to be 5 in there.
> 
>> Furthermore, I think that /run should also be mounted when building lfs,
>> since that is meant to be a tmpfs too, but some packages might install
>> files in there.
> 
> That I can see.  :-)
> 


-- 
Note: My last name is not Krejzi.
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
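An added check for the gid issue raised in this thread (example script, not from the thread or the LFS book): it reads the devpts options for a chroot's /dev/pts from /proc/self/mounts text and compares the gid= option with the tty group in the chroot's own /etc/group, so a bind mount from a host whose tty group is not 5 is caught before entering the chroot. The mounts text, group text and mount point /mnt/lfs/dev/pts are constructed sample values passed as strings so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are text so no root is needed:
#   $1 = contents of /proc/self/mounts, $2 = contents of $LFS/etc/group,
#   $3 = mount point of the chroot's devpts (e.g. /mnt/lfs/dev/pts)

# gid of the "tty" group in an /etc/group text; prints nothing if absent
tty_gid() {
    printf '%s\n' "$1" | awk -F: '$1 == "tty" { print $3; exit }'
}

# mount options of the devpts entry at mount point $2 in mounts text $1
devpts_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 == "devpts" { print $4; exit }'
}

# value of key=value inside a comma-separated option string
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# returns 0 when devpts at $3 carries gid matching the chroot's tty group
# and mode=620 (what glibc/grantpt expects inside the chroot), 1 otherwise
check_devpts() {
    opts=$(devpts_opts "$1" "$3")
    [ -n "$opts" ] || { echo "no devpts mounted at $3"; return 1; }
    want=$(tty_gid "$2")
    have=$(opt_value "$opts" gid)
    mode=$(opt_value "$opts" mode)
    [ "$have" = "$want" ] || { echo "gid mismatch: mount has ${have:-none}, chroot tty is ${want:-none}"; return 1; }
    [ "$mode" = "620" ] || { echo "mode is ${mode:-unset}, expected 620"; return 1; }
    return 0
}

# constructed sample data: host devpts is fine, the chroot one was bind-mounted
# from a host whose tty group is gid 4 while the chroot's /etc/group says 5
MOUNTS='devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
devpts /mnt/lfs/dev/pts devpts rw,relatime,gid=4,mode=620 0 0'
GROUP='root:x:0:
tty:x:5:'

check_devpts "$MOUNTS" "$GROUP" /mnt/lfs/dev/pts || echo "refusing to chroot"
```

On a live system replace the sample strings with "$(cat /proc/self/mounts)" and "$(cat $LFS/etc/group)".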