On Thu, Jan 04, 2007 at 06:19:13PM -0500, Linda Knippers wrote:
> > devices.txt in kernel documentation.
> > 2176 <http://www.mjmwired.net/kernel/Documentation/devices.txt#2176>
> > 136-143 char Unix98 PTY slaves
>
> Since that document has multiple devices with the same major, I wonder if it's
> safer to fstatfs() the fd and make sure the f_type is the devpts fs magic
> number. It only seems to be defined in fs/devpts/inode.c though.
>
> #define DEVPTS_SUPER_MAGIC 0x1cd1
>
> devpts is mounted on /dev/pts before single user mode so it seems to always
> be there unless someone unmounts it. If you try to ssh in without /dev/pts
> mounted the ssh hangs.

I think blacklists are usually a bad idea for security, for example this
breaks if people have a kernel that supports the old-style ptys that don't
use devpts.

How about turning it around and only allowing use of known good ttys,
similar to /etc/securetty, or insisting on type "tty_device_t" which
includes the virtual console and serial terminals but not the ptys?

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
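
The two approaches discussed in this thread, side by side, as an added example that is not code from either poster or from any project: the fstatfs() check against the devpts magic number, and a securetty-style allowlist of tty names (the SELinux type check is not shown). The function names and the sample allowlist are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/vfs.h>

#ifndef DEVPTS_SUPER_MAGIC
#define DEVPTS_SUPER_MAGIC 0x1cd1   /* value quoted in the thread */
#endif

/* Denylist-style check: 1 if fd lives on devpts, 0 if not, -1 on error.
 * An old-style pty that is not backed by devpts returns 0 here. */
int fd_is_devpts(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return -1;
    return (unsigned long)sfs.f_type == DEVPTS_SUPER_MAGIC;
}

/* Allowlist check on a device path. Entries are names relative to /dev,
 * as in /etc/securetty. Exact match only: "tty1" does not admit "tty10". */
int tty_name_allowed(const char *path, const char *const *allow, size_t n)
{
    if (path == NULL || strncmp(path, "/dev/", 5) != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(path + 5, allow[i]) == 0)
            return 1;
    return 0;
}

/* Fail closed: an fd that is not a tty, whose name cannot be resolved,
 * or whose name is not listed, is rejected. */
int fd_tty_allowed(int fd, const char *const *allow, size_t n)
{
    char name[64];
    if (!isatty(fd) || ttyname_r(fd, name, sizeof name) != 0)
        return 0;
    return tty_name_allowed(name, allow, n);
}

/* Constructed sample allowlist (hypothetical, not from the thread). */
static const char *const sample_allow[] = { "tty1", "tty2", "ttyS0" };
#define SAMPLE_ALLOW_N (sizeof sample_allow / sizeof sample_allow[0])
```

With the allowlist, an old-style pty slave such as /dev/ttyp0 is rejected simply because it is not listed, which is the case the devpts check misses.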
