/dev/pts being created with mode=600 by Lxc

Bug #1242913 reported by John Peacock
This bug affects 1 person
Affects        Status        Importance  Assigned to  Milestone
lxc (Ubuntu)   Fix Released  Undecided   Unassigned
Precise        Fix Released  High        Unassigned
Quantal        Fix Released  High        Unassigned
Raring         Fix Released  High        Unassigned
Saucy          Fix Released  High        Unassigned
Trusty         Fix Released  Undecided   Unassigned

Bug Description

== Rationale ==
This needs to be SRUed to allow distros that dropped pt_chown to still work under LXC.
The change was done upstream as soon as we heard of the matching CVE, this change absolutely needs to land before or at the same time as the eglibc security update.

== Test case ==
1) Start container
2) cat /proc/mounts | grep "/dev/pts "
Check that this matches "devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0"

== Regression potential ==
The only risk is if a distro doesn't use 5 as the gid for the tty group. As far as we could find before doing that change upstream, none of the distros supported by LXC do so.

== Original bug report ==
I'm trying to set up a Centos 6 instance using lxc and it works fine except that non-root users cannot create pseudo-terminals under /dev/pts. After lots of googling, it appears that Lxc has reverted to an earlier bad behavior, in that /dev/pts is being created with the wrong permissions.

HOST
# fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

LXC instance
[root@rh64bare ~]# fgrep pts /proc/mounts
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty2 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty3 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/tty4 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0

Note the mode on /dev/pts; only root can create pseudo terminals. I tried to add an explicit devpts line to the instance fstab with the correct parameters, but nothing changed. Additionally, /dev/pts is being created root/root, not root/tty, so the gid=5 (also missing from the /dev/pts options) would have no effect in any case.

Running Ubuntu 13.10 (but saw it with 13.4 as well).

This was fixed upstream:

commit 67e5a20ad1b5579a571f43f7dd8a1556a8bea7a1
Author: Stéphane Graber <email address hidden>
Date: Tue Oct 15 14:54:41 2013 -0400

    Improper pty permissions - missing mode=0620, gid=5

    This fix is coming from Debian bug:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122

    The reason for the hardcoded gid= and mode= is because of the fix for
    CVE-2013-2207 which removes pt_chown from glibc and so requires proper
    write access to devpts.

    It looks like the "tty" group is guaranteed to be gid=5 on at least all
    RedHat based and Debian based systems. So this hardcode gid shouldn't be
    a big problem. If we however support any distro where that's not the
    case, we'll need to implement an extra lxc.conf option and matching
    template changes.

    Signed-off-by: Stéphane Graber <email address hidden>
    Signed-off-by: Serge Hallyn <email address hidden>

Appears to be fixed in Trusty, but really needs to be backported to Saucy.
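As an added example (not code from the bug report or from LXC), a small Python script that applies the test case above to a /proc/mounts listing: it parses the devpts options on /dev/pts, reports which of gid=5, mode=620 and ptmxmode=666 are missing, and, as a further check, allocates a pty and reports the slave's mode and gid, which without pt_chown come from those mount options alone. The sample mount lines are copied from the report; the function names are assumptions of this example.

```python
"""Added example (not part of the bug report or of LXC): check the devpts
mount options the SRU test case expects, and optionally confirm what a
freshly allocated pty slave actually comes out as."""
import os
import stat

EXPECTED = {"gid": "5", "mode": "620", "ptmxmode": "666"}

# Constructed samples, copied from the mount lines quoted in the bug report:
# the pre-fix container (mode=600, no gid=) and the fixed one.
BROKEN_MOUNTS = """\
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,mode=600,ptmxmode=666 0 0
"""
FIXED_MOUNTS = """\
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
"""


def devpts_options(mounts_text, mountpoint="/dev/pts"):
    """Return the options of the devpts instance mounted on `mountpoint` as a
    dict (bare flags such as rw map to None), or None if there is no such mount."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != mountpoint or fields[2] != "devpts":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, sep, value = opt.partition("=")
            opts[key] = value if sep else None
        return opts
    return None


def check_devpts(mounts_text):
    """List what is wrong with the /dev/pts mount; an empty list means it
    matches the gid=5,mode=620,ptmxmode=666 line the test case asks for."""
    opts = devpts_options(mounts_text)
    if opts is None:
        return ["no devpts mounted on /dev/pts"]
    return [f"{k}={v}" + (f" (got {opts[k]})" if k in opts else " (missing)")
            for k, v in EXPECTED.items() if opts.get(k) != v]


def probe_pty():
    """Allocate a pty and return (mode, gid) of its slave, or None if none can
    be allocated. Without the pt_chown helper, grantpt() cannot chown/chmod
    the slave, so its group and mode come from the devpts gid= and mode=
    options; on a fixed container this should give (0o620, 5)."""
    try:
        master, slave = os.openpty()
    except OSError:
        return None
    try:
        st = os.fstat(slave)
        return (stat.S_IMODE(st.st_mode), st.st_gid)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print("pre-fix container:", check_devpts(BROKEN_MOUNTS) or "ok")
    print("fixed container:  ", check_devpts(FIXED_MOUNTS) or "ok")
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            print("this system:      ", check_devpts(f.read()) or "ok")
    print("allocated pty slave (mode, gid):", probe_pty())
```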

John Peacock (jpeacock) wrote :

Confirmed that this patch alone fixes /dev/pts permissions problems...

affects: ubuntu → lxc (Ubuntu)
Changed in lxc (Ubuntu Trusty):
status: New → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → Triaged
Changed in lxc (Ubuntu Quantal):
status: New → Triaged
Changed in lxc (Ubuntu Raring):
status: New → Triaged
Changed in lxc (Ubuntu Saucy):
status: New → Triaged
Changed in lxc (Ubuntu Precise):
importance: Undecided → High
Changed in lxc (Ubuntu Quantal):
importance: Undecided → High
Changed in lxc (Ubuntu Raring):
importance: Undecided → High
Changed in lxc (Ubuntu Saucy):
importance: Undecided → High
description: updated
John Peacock (jpeacock) wrote :

Unfortunately, after I submitted this ticket, I discovered that the patch alone is not sufficient. It turns out that the group ownership of /dev/pts is also not being set correctly (it is still root:root), which also prevents users that are members of the tty group from being able to create ptys.

I tested this issue by doing the following (or the moral equivalent):

  mkdir $ROOTFS/dev/pts
  chgrp tty $ROOTFS/dev/pts

while the instance was down. When I brought it up using lxc-start, /dev/pts was again root:root. I'm not clear where the ownership is being changed.

I changed the group ownership from within the instance and installed screen. I created a non-root user that was member of both tty and screen and changed the permissions of /var/run/screen to 01777 and was able to start screen. So far so good or at least less bad.

I'm still investigating my original problem (which was using the Perl CPAN module IO::Tty), which is getting yet another error message:

  IO::Tty::pty_allocate(nonfatal): grantpt()...

which appears to be a related problem. I'll post more tomorrow if I figure anything else out.

John Peacock (jpeacock) wrote :

Rebuilding IO::Tty on a system which lacks grantpt() and pt_chown() fixed the problem with the script not being able to create a pty.

So the only remaining piece is to understand why /dev/pts is being chowned to root:root. Looking at src/lxc/conf.c, I can see where that directory is being created. This isn't specific to Centos; it happens equally with Ubuntu instances.

The attached patch (soon to be submitted upstream) appears to be a belts and braces approach to ensure that the /dev/pts directory has the correct group ownership. Using both patches completely fixes this bug for me.

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1242913] Re: /dev/pts being created with mode=600 by Lxc

Quoting John Peacock (<email address hidden>):
> Rebuilding IO::Tty on a system which lacks grantpt() and pt_chown()
> fixed the problem with the script not being able to create a pty.
>
> So the only remaining piece is to understand why /dev/pts is being
> chowned to root:root. Looking at src/lxc/conf.c, I can see where that

On my (ubuntu) host /dev/pts is also owned by root:root. Why should
this matter? You don't manually create files in there, the kernel does
it for you, and AFAIK it doesn't check for your access(2) rights before
doing so. (I could be wrong) Does changing the ownership actually
improve things for you?

Stéphane Graber (stgraber) wrote :

Access permissions on the mount point shouldn't matter.

John Peacock (jpeacock) wrote :

I've now confirmed that root:root on the mount point works. The Perl IO::Tty module had to be rebuilt against the glibc without pt_chown() before it would work and that confused the issue.

Sorry for the noise...

Changed in lxc (Ubuntu Saucy):
status: Triaged → Fix Committed
Stéphane Graber (stgraber) wrote : Please test proposed package

Hello John, or anyone else affected,

Accepted lxc into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/1.0.0~alpha1-0ubuntu12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Hello John, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu68 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: Triaged → Fix Committed
Stéphane Graber (stgraber) wrote :

Hello John, or anyone else affected,

Accepted lxc into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.9.0-0ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Raring):
status: Triaged → Fix Committed
Stéphane Graber (stgraber) wrote :

Hello John, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu69 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Stéphane Graber (stgraber) wrote :

Hello John, or anyone else affected,

Accepted lxc into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.8.0~rc1-4ubuntu39.12.10.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Quantal):
status: Triaged → Fix Committed
Stéphane Graber (stgraber) wrote :

Hello John, or anyone else affected,

Accepted lxc into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.8.0~rc1-4ubuntu39.12.10.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Dustin Kirkland (kirkland) wrote :

Fix verified.

LXC Guest:

root@20d752d45116:/# ls -alF /dev/pts/
total 4
drwxr-xr-x 2 root root 0 Oct 31 18:50 ./
drwxr-xr-x 6 root root 4096 Oct 31 18:50 ../
crw-rw-rw- 1 root root 5, 2 Oct 31 18:50 ptmx

root@20d752d45116:/# cat /proc/mounts | grep "/dev/pts "
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0

root@20d752d45116:/# fgrep pts /proc/mounts
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0

LXC Host:

kirkland@x230:~⟫ fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

tags: added: verification-done
removed: verification-needed
Stéphane Graber (stgraber) wrote :

Hi Dustin,

This bug targets multiple series and as such needs confirmation on each of them.

Please don't use verification-done in such case, but verification-done-<series> (e.g. verification-done-precise).

I'd have added the right tag for you but what you pasted doesn't tell me which release of Ubuntu your host system was using.

tags: added: verification-needed
removed: verification-done
Dustin Kirkland (kirkland) wrote :

Ah, my bad, Stephane. I tested Ubuntu 13.10 saucy.

tags: added: verification-done-saucy
Dustin Kirkland (kirkland) wrote :

ubuntu@ip-10-164-72-103:~$ cat /etc/issue
Ubuntu 13.04 \n \l

ubuntu@ip-10-164-72-103:~$ dpkg -l | grep lxc
ii liblxc0 0.9.0-0ubuntu3.7 amd64 Linux Containers userspace tools (library)
ii lxc 0.9.0-0ubuntu3.7 amd64 Linux Containers userspace tools
ii lxc-docker 0.6.5 amd64 lxc-docker is a Linux container runtime
ii lxc-docker-0.6.5 0.6.5 amd64 lxc-docker is a Linux container runtime
ii lxc-templates 0.9.0-0ubuntu3.7 all Linux Containers userspace tools (development)
ii python3-lxc 0.9.0-0ubuntu3.7 amd64 Linux Containers userspace tools (Python 3.x bindings)

ubuntu@ip-10-164-72-103:~$ fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

ubuntu@ip-10-164-72-103:~$ sudo docker run -i -t ubuntu /bin/bash

root@853de93e944c:/# fgrep pts /proc/mounts
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0

tags: added: verification-done-raring
Dustin Kirkland (kirkland) wrote :

ubuntu@ip-10-185-176-79:~$ cat /etc/issue
Ubuntu 12.10 \n \l

ubuntu@ip-10-185-176-79:~$ dpkg -l | grep lxc
ii liblxc0 0.8.0~rc1-4ubuntu39.12.10.5 amd64 Linux Containers userspace tools (library)
ii lxc 0.8.0~rc1-4ubuntu39.12.10.5 amd64 Linux Containers userspace tools
ii lxc-docker 0.6.5 amd64 lxc-docker is a Linux container runtime
ii lxc-docker-0.6.5 0.6.5 amd64 lxc-docker is a Linux container runtime

ubuntu@ip-10-185-176-79:~$ fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

ubuntu@ip-10-185-176-79:~$ sudo docker run -i -t ubuntu /bin/bash

root@e2c33ddbd910:/# fgrep pts /proc/mounts
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0

tags: added: verification-done-quantal
Dustin Kirkland (kirkland) wrote :

ubuntu@ip-10-166-49-90:~$ cat /etc/issue
Ubuntu 12.04.3 LTS \n \l

ubuntu@ip-10-166-49-90:~$ dpkg -l | grep lxc
ii lxc 0.7.5-3ubuntu69 Linux containers userspace tools
ii lxc-docker 0.6.5 lxc-docker is a Linux container runtime
ii lxc-docker-0.6.5 0.6.5 lxc-docker is a Linux container runtime

ubuntu@ip-10-166-49-90:~$ fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0

ubuntu@ip-10-166-49-90:~$ sudo docker run -i -t ubuntu /bin/bash

root@b244742650f6:/# fgrep pts /proc/mounts
devpts /dev/tty1 devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/ptmx devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0

tags: added: verification-done-precise
tags: removed: verification-done-precise
Dustin Kirkland (kirkland) wrote :

Hang on, wrong paste there for precise...

Dustin Kirkland (kirkland) wrote :

Strike Comment #19. Precise is good too.

tags: added: verification-done-precise
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.0~alpha1-0ubuntu12

---------------
lxc (1.0.0~alpha1-0ubuntu12) saucy-proposed; urgency=low

  * 0012-ubuntu-Improper-pty-permissions.patch: fix pty permissions
    (LP: #1242913)
  * 0013-get-rid-of-lxcpath_anon-idea.patch: make containers started with
    a custom config easier to manage. (LP: #1244301)
 -- Serge Hallyn <email address hidden> Fri, 25 Oct 2013 15:42:27 -0500

Changed in lxc (Ubuntu Saucy):
status: Fix Committed → Fix Released
Stéphane Graber (stgraber) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu69

---------------
lxc (0.7.5-3ubuntu69) precise-proposed; urgency=low

  * mkdir /var/{cache.lib}/lxc before chmoding them to avoid FTBFS.

lxc (0.7.5-3ubuntu68) precise-proposed; urgency=low

  * debian/rules and debian/lxc.postinst: set /var/lib/lxc and /var/cache/lxc
    to be perms 700. That prevents unprivileged users from running setuid-root
    applications. Install that way by default, and for any previous versions,
    update the permissions. After this version, respect the user's choice.
    (LP: #1244635)
  * 0312-ubuntu-Improper-pty-permissions.patch: fix permissions with which
    devpts is mounted in containers. (LP: #1242913)
 -- Serge Hallyn <email address hidden> Tue, 29 Oct 2013 15:01:36 -0500

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu39.12.10.5

---------------
lxc (0.8.0~rc1-4ubuntu39.12.10.5) quantal-proposed; urgency=low

  * add mkdir before chown of /var/{lib,cache}/lxc to avoid build failure.

lxc (0.8.0~rc1-4ubuntu39.12.10.4) quantal-proposed; urgency=low

  * debian/rules and debian/lxc.postinst: set /var/lib/lxc and /var/cache/lxc
    to be perms 700. That prevents unprivileged users from running setuid-root
    applications. Install that way by default, and for any previous versions,
    update the permissions. After this version, respect the user's choice.
    (LP: #1244635)
  * 0312-ubuntu-Improper-pty-permissions.patch: fix permissions with which
    devpts is mounted in containers. (LP: #1242913)
 -- Serge Hallyn <email address hidden> Tue, 29 Oct 2013 23:17:06 -0500

Changed in lxc (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.9.0-0ubuntu3.7

---------------
lxc (0.9.0-0ubuntu3.7) raring-proposed; urgency=low

  * debian/rules and debian/lxc.postinst: set /var/lib/lxc and /var/cache/lxc
    to be perms 700. That prevents unprivileged users from running setuid-root
    applications. Install that way by default, and for any previous versions,
    update the permissions. After this version, respect the user's choice.
    (LP: #1244635)
  * 0112-ubuntu-Improper-pty-permissions.patch: fix permissions with which
    devpts is mounted in containers. (LP: #1242913)
 -- Serge Hallyn <email address hidden> Tue, 29 Oct 2013 13:45:17 -0500

Changed in lxc (Ubuntu Raring):
status: Fix Committed → Fix Released