/dev/pts being created with mode=600 by LXC
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxc (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | High | Unassigned |
Quantal | Fix Released | High | Unassigned |
Raring | Fix Released | High | Unassigned |
Saucy | Fix Released | High | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Bug Description
== Rationale ==
This needs to be SRUed to allow distros that dropped pt_chown to still work under LXC.
The change was done upstream as soon as we heard of the matching CVE; this change absolutely needs to land before or at the same time as the eglibc security update.
== Test case ==
1) Start container
2) cat /proc/mounts | grep "/dev/pts "
Check that this matches "devpts /dev/pts devpts rw,relatime,
== Regression potential ==
The only risk is if a distro doesn't use 5 as the gid for the tty group. As far as we could find before doing that change upstream, none of the distros supported by LXC do so.
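The test case and the regression note above amount to two checks: the devpts mount of /dev/pts must carry gid=5 and mode=0620, and the tty group must really be gid 5 for that hardcoded gid to mean anything. The script below is an added example, not code from this bug report or from LXC; it parses constructed /proc/mounts and group-database records (labelled as such) and, when run on a live system, repeats the same two checks against /proc/mounts and getent. It assumes the kernel's /proc/mounts formatting for devpts options (mode printed as mode=620 for 0620).

```shell
#!/bin/sh
# Added example, not code from the bug report or from LXC: verify that a devpts
# mount record carries the options the upstream fix hardcodes (gid=5,
# mode=0620) and that the "tty" group is actually gid 5.

# Return 0 when $1 (one /proc/mounts record) is the devpts mount of /dev/pts
# and its option string contains gid=5 and mode=620. The kernel prints the
# octal mode without a leading zero; mode=0620 is accepted as well.
check_devpts_line() {
    set -- $1                                  # split the record on whitespace
    [ "$#" -ge 4 ] || return 1
    [ "$1" = "devpts" ] && [ "$2" = "/dev/pts" ] && [ "$3" = "devpts" ] || return 1
    opts=",$4,"
    case "$opts" in *,gid=5,*) ;; *) return 1 ;; esac
    case "$opts" in *,mode=620,*|*,mode=0620,*) ;; *) return 1 ;; esac
    return 0
}

# Return 0 when the group-database text in $1 (getent group / /etc/group
# format, one group per line) maps the "tty" group to gid 5.
tty_gid_is_5() {
    printf '%s\n' "$1" | awk -F: '$1 == "tty" && $3 == 5 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Run both checks against the running system, if /proc/mounts is readable.
check_live_system() {
    [ -r /proc/mounts ] || { echo "no /proc/mounts here; skipping live check"; return 0; }
    line=$(grep ' /dev/pts ' /proc/mounts | head -n 1)
    if [ -z "$line" ]; then
        echo "/dev/pts is not mounted"
    elif check_devpts_line "$line"; then
        echo "OK: $line"
    else
        echo "BAD (non-root users cannot open ptys without pt_chown): $line"
    fi
    if tty_gid_is_5 "$(getent group tty 2>/dev/null)"; then
        echo "OK: tty group is gid 5"
    else
        echo "WARNING: tty group is not gid 5; a hardcoded gid=5 does not grant the tty group access"
    fi
}

# Constructed sample records (not captured from a real host): the first is a
# healthy mount, the second reproduces the bug (mode=600, no gid option).
GOOD_LINE='devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0'
BAD_LINE='devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0'
GROUP_DB='root:x:0:
tty:x:5:
disk:x:6:'

check_devpts_line "$GOOD_LINE" && echo "sample good record passes"
check_devpts_line "$BAD_LINE" || echo "sample bad record is rejected, as expected"
tty_gid_is_5 "$GROUP_DB" && echo "sample group database has tty at gid 5"
check_live_system
```

Inside a container the live check reads the container's own /proc/mounts, so running it there reproduces step 2 of the test case; on the host it tells you whether the tty group assumption behind the hardcoded gid holds for that distribution.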
== Original bug report ==
I'm trying to set up a CentOS 6 instance using lxc and it works fine except that non-root users cannot create pseudo-terminals under /dev/pts. After lots of googling, it appears that LXC has reverted to an earlier bad behavior, in that /dev/pts is being created with the wrong permissions.
HOST
# fgrep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,
LXC instance
[root@rh64bare ~]# fgrep pts /proc/mounts
devpts /dev/console devpts rw,nosuid,
devpts /dev/tty1 devpts rw,nosuid,
devpts /dev/tty2 devpts rw,nosuid,
devpts /dev/tty3 devpts rw,nosuid,
devpts /dev/tty4 devpts rw,nosuid,
devpts /dev/pts devpts rw,relatime,
devpts /dev/ptmx devpts rw,relatime,
Note the mode on /dev/pts; only root can create pseudo terminals. I tried to add an explicit devpts line to the instance fstab with the correct parameters, but nothing changed. Additionally, /dev/pts is being created root/root, not root/tty, so the gid=5 (also missing from the /dev/pts options) would have no effect in any case.
Running Ubuntu 13.10 (but saw it with 13.4 as well).
This was fixed upstream:
commit 67e5a20ad1b5579
Author: Stéphane Graber <email address hidden>
Date: Tue Oct 15 14:54:41 2013 -0400
Improper pty permissions - missing mode=0620, gid=5
This fix is coming from Debian bug:
http://
The reason for the hardcoded gid= and mode= is because of the fix for
CVE-2013-2207 which removes pt_chown from glibc and so requires proper
write access to devpts.
It looks like the "tty" group is guaranteed to be gid=5 on at least all
RedHat based and Debian based systems. So this hardcoded gid shouldn't be
a big problem. If we however support any distro where that's not the
case, we'll need to implement an extra lxc.conf option and matching
template changes.
Signed-off-by: Stéphane Graber <email address hidden>
Signed-off-by: Serge Hallyn <email address hidden>
Appears to be fixed in Trusty, but really needs to be backported to Saucy
affects: ubuntu → lxc (Ubuntu)
Changed in lxc (Ubuntu Trusty): status: New → Fix Released
Changed in lxc (Ubuntu Precise): status: New → Triaged
Changed in lxc (Ubuntu Quantal): status: New → Triaged
Changed in lxc (Ubuntu Raring): status: New → Triaged
Changed in lxc (Ubuntu Saucy): status: New → Triaged
Changed in lxc (Ubuntu Precise): importance: Undecided → High
Changed in lxc (Ubuntu Quantal): importance: Undecided → High
Changed in lxc (Ubuntu Raring): importance: Undecided → High
Changed in lxc (Ubuntu Saucy): importance: Undecided → High
description: updated
Changed in lxc (Ubuntu Saucy): status: Triaged → Fix Committed
Confirmed that this patch alone fixes /dev/pts permissions problems...