On Wed, Jul 05, 2006 at 11:44:54PM +0200, Robert Michel wrote:
> Salve Herbert, ML!
>
> Herbert Poetzl wrote on Sunday, 02 July 2006 at 17:59h:
> > > What should I read to learn what fd,pts stands for and
> > > to know what /dev/pts/[14|20|21|31-34] are?
> >
> > *phew* good question, probably a lot of source code :)
> >
> > thing is, fd and pts (/14,/20 ...) are 'just' names
> > used for character and block device nodes, identified
> > by the unique major and minor identifiers ...
> >
> > so, basically c:136:14 means the 14th pseudo terminal
> > (regardless of the name, could as well be named hansi)
> >
> > > > > Could it be that I'm allowed to remove devices, but
> > > > > not allowed to create one?
> > > >
> > > > Exactly. Giving guests the ability to create devices is a huge security
> > > > risk, basically equivalent to just giving access to the host directly.
>
> What's about the pseudo terminals?
> sshd, screen ... and some others can create new ones
> as [EMAIL PROTECTED] :)
> asterisk seems to have its own terminal:
>
> # from [Asterisk-Users] ML Tzafrir Cohen wrote on
> # Tue Jul 4 09:05:46 MST 2006
> # safe_asterisk has a flawed logic: it assumes that the tty device will
> # always exist. Thus it is not suited for use with screen.
>
> I used "ln -s /dev/pts/31 /dev/tty9" successfully,

/dev/pts is very dynamic, i.e. it is assigned when you ask
/dev/ptmx for a new terminal, and it will lose its connection
and meaning when you close it

> but on the next day /usr/sbin/safe_asterisk does
> not find /dev/tty9..... /dev/pts/31 exists only
> for my bash, after exiting this bash, also
> /dev/pts/31 was gone, and so this "hack"
> does not work... ;(

precisely, either you _want_ that output to go somewhere,
then you have to 'provide' a real vc terminal or make
asterisk 'create' it on startup (by requesting a new one,
like e.g. screen does)

> How can I create with /etc/init.d/asterisk
> a new pseudo terminal, e.g. /dev/pts/ast
> and "ln -s /dev/pts/ast /dev/tty9"

you could, for example, use screen to provide that
pseudo terminal without modifying asterisk

> Dirty trick would be to start with /etc/init.d/asterisk
> an ssh or telnet connection to 127.0.0.1,
> is there a smart way to create a pseudo terminal, especially
> one that is durable and does not fade away when
> something crashed?
>
> > device nodes are always local, so they cannot be
> > 'forwarded' to another host, OTOH, you are free to
> > create fifos (pipes) and symlinks to 'redirect'
> > stuff remotely and local
>
> [EMAIL PROTECTED] mknod ..... /dev/pts/asterisk
> [EMAIL PROTECTED] ln -s /dev/pts/asterisk /dev/tty9
> ???
>
> # mknod /dev/tty9 c 7 7
> mknod: »/dev/tty9«: Die Operation ist nicht erlaubt
> (operation is not allowed)

better use /dev/vc/9 (c:4:9 or the udev equiv) but
basically you 'could' create the device for the guest
on the host side, and the guest will be able to use it,
just be careful _what_ you give to your guests :)

> And "mknod /dev/tty9 -p" as FIFO does not help
> to run asterisk with a console.
>
> I found this:
> # From: Herbert Poetzl <herbert_at_13thfloor.at>
> # Date: Wed 17 May 2006 - 18:13:50 BST
> # Message-ID: <[EMAIL PROTECTED]>
> # On Sun, May 14, 2006 at 09:48:20PM -0700, EKC wrote:
> #> I'm running a perl script inside of a linux vserver, and the script
> #> requires access to tty and pty devices. However /dev/MAKEDEV and
> #> mknod
> #> cannot create pty devices from within a vserver.
> [...]
> #> Is there a way to add devices from within a vserver itself?
> # pts/ptmx is auto created inside a guest, with proper
> # permissions and security (tty and pty are not required
> # inside a guest, unless you want to assign certain 'real'
> # consoles to the guest, like vt0/1/2 etc)
>
> ok and how can I use this magic auto creation inside a guest
> with/for /etc/init.d/asterisk?
> ;)
>
> man ptmx

getpt(3), grantpt(3), ptsname(3), unlockpt(3)

> still a little bit too complex for me ;(
> man expect
> man screen
>
> Well I could write
> #!/bin/sh
> # ttydummy.sh
> rm /dev/tty9
> ln -s $tty /dev/tty9
>
> and call screen .../ttydummy.sh inside safe_asterisk,
> but it seems that screen inside slows asterisk.
> (and this is ugly for ssh login and screen -r with
> multiple screens...)
>
> So [EMAIL PROTECTED] can indirectly create dummy devices
> and there is still no tool like mknod for vserver
> - because it is not so necessary and does not
> have such a high priority - right?

no, because it is a big can of worms and a security issue,
just imagine somebody creating a block device which
'accidentally' is identical to your host's root partition,
and then starts modifying stuff at a very low level :)

> Don't get me wrong, I don't want to be impolite
> and I don't want to be misunderstood as expecting
> support and inclusion of that feature....
>
> It's just that I want to understand the power
> of vserver and to do the best with them and also
> try to document/promote them that it is possible
> to run an unpatched asterisk with a colored CLI
> (Patching asterisk would be a second solution,
> would work for me but I think many vserver users
> would not do this...)

not only the power, also the responsibilities should be
known when you manage a system, btw, giving the proper
capability will allow the guest to create arbitrary
device nodes

HTH,
Herbert

PS: I assume you know that there is a project which uses
Linux-VServer to isolate several asterisk instances on a
single host

> Greetings,
> rob
>
> This is OT for Vserver ML,
> more for vserver+asterisk users:
>
> PS: My personal workaround at the moment:
> start screen and one of those terminals
> is used to get asterisk colored inside
> this terminal:
> tty > /etc/asterisk/tty
> ln -s /dev/pts/$tty /dev/tty9
>
> inside safe_asterisk a test if that
> device still exists... if yes
> TTY=tt9
> so when asterisk crashes and there is
> no TTY9 it will run without a hangup ;)
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver
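As an added example that is not from the thread: the sequence behind Herbert's man-page pointers (posix_openpt/getpt, grantpt, unlockpt, ptsname) written as a small C holder program. It allocates a pty from /dev/ptmx, points a stable path at the dynamic /dev/pts/N slave, and keeps the master open so the slave does not vanish the way Robert's shell-created one did. The holder program, the default link path /dev/tty9 and the drain loop are assumptions of mine, not anything asterisk or Linux-VServer ships.

```c
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Allocate a pseudo terminal pair via /dev/ptmx (what getpt/posix_openpt do)
 * and return the master fd; the slave path (e.g. /dev/pts/31) is copied to
 * `slave`. The /dev/pts/N node exists only while the master is open, which
 * is why the symlink made from an interactive shell in the thread vanished. */
int alloc_pty(char *slave, size_t len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    /* grantpt sets owner/mode of the slave, unlockpt allows opening it */
    if (grantpt(master) < 0 || unlockpt(master) < 0) { close(master); return -1; }
    const char *name = ptsname(master);
    if (name == NULL || strlen(name) >= len) { close(master); return -1; }
    strcpy(slave, name);
    return master;
}

/* Point a stable path (the thread uses /dev/tty9) at the dynamic slave. */
int link_pty(const char *slave, const char *stable)
{
    unlink(stable); /* ENOENT on the first run is fine */
    return symlink(slave, stable);
}

int main(int argc, char **argv)
{
    /* assumed: argv[1] overrides the link path; default is the thread's /dev/tty9 */
    const char *stable = argc > 1 ? argv[1] : "/dev/tty9";
    char slave[64], buf[4096];
    int master = alloc_pty(slave, sizeof slave);
    if (master < 0 || link_pty(slave, stable) < 0) { perror("pty setup"); return 1; }
    printf("%s -> %s (kept alive by pid %ld)\n", stable, slave, (long)getpid());
    /* Holder loop: keep the master open so the slave outlives any shell, and
     * drain it so a console writer never blocks on a full pty buffer. Output
     * is discarded here; a real holder would log it to a file. */
    for (;;)
        if (read(master, buf, sizeof buf) <= 0)
            sleep(1); /* EIO while no slave is open: retry later */
}
```

The holder has to stay running for as long as the console is needed, because closing the master is exactly what removes /dev/pts/N; everything asterisk writes to that console is read and dropped by the loop.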
