From 67e5a20ad1b5579a571f43f7dd8a1556a8bea7a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 15 Oct 2013 14:54:41 -0400 Subject: [PATCH] Improper pty permissions - missing mode=0620, gid=5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fix is coming from Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720122 The reason for the hardcoded gid= and mode= is because of the fix for CVE-2013-2207 which removes pt_chown from glibc and so requires proper write access to devpts. It looks like the "tty" group is guaranteed to be gid=5 on at least all RedHat based and Debian based systems. So this hardcode gid shouldn't be a big problem. If we however support any distro where that's not the case, we'll need to implement an extra lxc.conf option and matching template changes. Signed-off-by: Stéphane Graber Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 457fa2635..208c08ba5 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1427,7 +1427,7 @@ static int setup_pts(int pts) } if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, - "newinstance,ptmxmode=0666")) { + "newinstance,ptmxmode=0666,mode=0620,gid=5")) { SYSERROR("failed to mount a new instance of '/dev/pts'"); return -1; }
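Review bot: In the `mount()` call in `setup_pts()`, `gid=5` and `mode=0620` are bare literals inside the options string, and the only explanation for them (the CVE-2013-2207 removal of pt_chown, and the assumption that gid 5 is the "tty" group) lives in the commit message, not in the code. Please add a short comment above the call stating that 5 is assumed to be the "tty" group and why devpts now needs these options, or move the value into a named constant so it is easy to find when the lxc.conf option mentioned in the commit message gets implemented. The reason this matters: with `mode=0620`, every pty slave created on this devpts instance is group-writable by whichever group holds gid 5, so on a system where that gid belongs to a different group, members of that group gain write access to other users' terminals. The `SYSERROR` text is also unchanged, so a mount that fails because of the new options is indistinguishable in the log from the old failure; including the options string in the message would make that diagnosable.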