** Also affects: lxc (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Quantal)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Raring)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: lxc (Ubuntu Trusty)
Status: New => Fix Released
** Changed in: lxc (Ubuntu Precise)
Status: New => Triaged
** Changed in: lxc (Ubuntu Quantal)
Status: New => Triaged
** Changed in: lxc (Ubuntu Raring)
Status: New => Triaged
** Changed in: lxc (Ubuntu Saucy)
Status: New => Triaged
** Changed in: lxc (Ubuntu Precise)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Quantal)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Raring)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Saucy)
Importance: Undecided => High
** Description changed:
- I'm trying to set up a Centos 6 instance using lxc and it works fine
- except that non-root users cannot create pseudo-terminals under
- /dev/pts. After lots of googling, it appears that Lxc has reverted to
- an earlier bad behavior, in that /dev/pts is being created with the
- wrong permissions.
+ == Rationale ==
+ This needs to be SRUed to allow distros that dropped pt_chown to still work under LXC.
+ The change was done upstream as soon as we heard of the matching CVE, this change absolutely needs to land before or at the same time as the eglibc security update.
+
+ == Test case ==
+ 1) Start container
+ 2) cat /proc/mounts | grep "/dev/pts "
+ Check that this matches "devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0"
+
+ == Regression potential ==
+ The only risk is if a distro doesn't use 5 as the gid for the tty group. As far as we could find before doing that change upstream, none of the distros supported by LXC do so.
+
+
+ == Original bug report ==
+ I'm trying to set up a Centos 6 instance using lxc and it works fine except that non-root users cannot create pseudo-terminals under /dev/pts. After lots of googling, it appears that Lxc has reverted to an earlier bad behavior, in that /dev/pts is being created with the wrong permissions.
HOST
- # fgrep pts /proc/mounts
+ # fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
LXC instance
- [root@rh64bare ~]# fgrep pts /proc/mounts
+ [root@rh64bare ~]# fgrep pts /proc/mounts
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty2 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty3 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty4 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0
Note the mode on /dev/pts; only root can create pseudo terminals. I
tried to add an explicit devpts line to the instance fstab with the
correct parameters, but nothing changed. Additionally, /dev/pts is
being created root/root, not root/tty, so the gid=5 (also missing from
the /dev/pts options) would have no effect in any case.
Running Ubuntu 13.10 (but saw it with 13.4 as well).
This was fixed upstream:
commit 67e5a20ad1b5579a571f43f7dd8a1556a8bea7a1
Author: Stéphane Graber <[email protected]>
Date: Tue Oct 15 14:54:41 2013 -0400
- Improper pty permissions - missing mode=0620, gid=5
-
- This fix is coming from Debian bug:
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122
-
- The reason for the hardcoded gid= and mode= is because of the fix for
- CVE-2013-2207 which removes pt_chown from glibc and so requires proper
- write access to devpts.
-
- It looks like the "tty" group is guaranteed to be gid=5 on at least all
- RedHat based and Debian based systems. So this hardcode gid shouldn't be
- a big problem. If we however support any distro where that's not the
- case, we'll need to implement an extra lxc.conf option and matching
- template changes.
-
- Signed-off-by: Stéphane Graber <[email protected]>
- Signed-off-by: Serge Hallyn <[email protected]>
+ Improper pty permissions - missing mode=0620, gid=5
+
+ This fix is coming from Debian bug:
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122
+
+ The reason for the hardcoded gid= and mode= is because of the fix for
+ CVE-2013-2207 which removes pt_chown from glibc and so requires proper
+ write access to devpts.
+
+ It looks like the "tty" group is guaranteed to be gid=5 on at least all
+ RedHat based and Debian based systems. So this hardcode gid shouldn't be
+ a big problem. If we however support any distro where that's not the
+ case, we'll need to implement an extra lxc.conf option and matching
+ template changes.
+
+ Signed-off-by: Stéphane Graber <[email protected]>
+ Signed-off-by: Serge Hallyn <[email protected]>
Appears to be fixed in Trusty, but really needs to be backported to
Saucy
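The SRU test case above verifies the devpts mount line by reading /proc/mounts by eye. As an added example, not part of the bug report or of LXC's own code, here is a small POSIX shell check that parses /proc/mounts-style text and confirms that the /dev/pts devpts entry carries gid=5, mode=620 and ptmxmode=666: the options the upstream commit hardcodes so that pty slaves are created owned by the tty group (gid 5) and writable by it, and /dev/ptmx is openable by unprivileged users, now that pt_chown is gone from glibc. The function names are mine, and the sample mount lines are constructed from the values quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or from LXC: check that the devpts
# mount on /dev/pts has the options the SRU test case expects.

# check_devpts_opts MOUNTS_TEXT
# Returns 0 when the line whose mountpoint is exactly /dev/pts (and whose
# type is devpts) carries gid=5, mode=620 and ptmxmode=666; returns 1 when
# the entry is missing or any option is absent.
check_devpts_opts() {
    mounts="$1"
    opts=""
    # Fields of /proc/mounts: fs mountpoint type options dump pass.
    # A here-document (not a pipe) keeps the loop in the current shell so
    # the assignment to $opts survives in dash as well as bash.
    while read -r fs mnt type o rest; do
        if [ "$mnt" = /dev/pts ] && [ "$type" = devpts ]; then
            opts=$o
            break
        fi
    done <<EOF
$mounts
EOF
    [ -n "$opts" ] || return 1
    # Surround with commas so "mode=620" cannot match inside "ptmxmode=620".
    for want in gid=5 mode=620 ptmxmode=666; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_devpts_file PATH  (e.g. /proc/mounts inside the container)
check_devpts_file() {
    check_devpts_opts "$(cat "$1")"
}

# Constructed sample: a container with the fix applied, as in the test case.
GOOD_MOUNTS='devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0'

# Constructed sample: the broken mount quoted in the original report
# (no gid=5, mode=600, so only root can open pty slaves).
BAD_MOUNTS='devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0'

# Stand-alone usage: report the state of the running system.
if check_devpts_file /proc/mounts 2>/dev/null; then
    echo "/dev/pts: devpts options OK (gid=5,mode=620,ptmxmode=666)"
else
    echo "/dev/pts: devpts options missing or wrong; unprivileged users may be unable to open a pty"
fi
```

Run it inside the container after starting it; a non-zero result from check_devpts_file reproduces the condition the report describes (non-root users unable to allocate a pseudo-terminal) and is the thing to look for when deciding whether the backport landed. The check deliberately matches on the mountpoint field rather than grepping for the string "/dev/pts", so the /dev/ptmx line and any bind-mounted console entries cannot produce a false pass.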
--
https://bugs.launchpad.net/bugs/1242913
Title:
/dev/pts being created with mode=600 by Lxc
--
Ubuntu-server-bugs mailing list
[email protected]