Klaus Weidner wrote:
On Thu, Jan 04, 2007 at 06:19:13PM -0500, Linda Knippers wrote:
devices.txt in kernel documentation.
2176 <http://www.mjmwired.net/kernel/Documentation/devices.txt#2176> 136-143 char Unix98 PTY slaves
Since that document has multiple devices with the same major, I wonder if its
safer to fstatfs() the fd and make sure the f_type is the devpts fs magic
number. It only seems to be defined in fs/devpts/inode.c though.
#define DEVPTS_SUPER_MAGIC 0x1cd1
devpts is mounted on /dev/pts before single user mode so it seems to always
be there unless someone unmounts it. If you try to ssh in without /dev/pts
mounted the ssh hangs.
I think blacklists are usually a bad idea for security, for example this
breaks if people have a kernel that supports the old-style ptys that
don't use devpts. How about turning it around and only allowing use of
known good ttys, similar to /etc/securetty, or insisting on type
"tty_device_t" which includes the virtual console and serial terminals
but not the ptys?
Hardcoding types into code makes it inflexible to policy changes, this
is a bad idea IMO, the tty whitelist, however, is probably the way to
go. I don't know if we should use the existing /etc/securetty or add
our own file though.
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
