From: Mike Frysinger <vapier@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] glibc: pt_chown setuid going away by default
Date: Wed, 10 Apr 2013 01:15:52 -0400
Message-ID: <201304100115.53431.vapier@gentoo.org>

tl;dr: make sure your /dev/pts is mounted correctly w/gid=5 or bad things will
happen and it's (probably) all your fault

when you run grantpt(), glibc attempts to set up your pty with correct
ownership & permissions. it does so by executing a setuid helper called
pt_chown as needed. we all know setuid==bad, so let's do something about it.

this system is a throw back to the bad old bsd pty days where you had a ton of
pre-allocated nodes in /dev/ named pty??. since the user has requested a new
pty, the system had to make sure it had correct permissions before giving it
back (it might be the default of root:root, or it might have the previous
user's settings which would be super bad). this system sucks for many
reasons.

with Linux, we have devpts mounted at /dev/pts/ which provides dynamic UNIX 98
ptys via the /dev/ptmx control node. the kernel knows that when you request a
new pty, the sane thing is to set the default uid/gid to your own process's
uid/gid. it even goes further and allows you to specify (at mount time)
default gid/permissions.

with openrc (and in baselayout-1.12, but i'm pretty sure it's been this way
for even longer), our default mount uses gid=5 (the tty group) and mode=620
(what we want). that means when a new pty is requested, the kernel
automatically sets the ownership of the new file to the process's uid and the
mounted group setting (tty), as well as setting the perms to 620.

back to glibc, when you call grantpt(), it checks the current uid/gid/mode.
if they all match what it expects (and it should with our default devpts mount
opts), it returns w/out doing any real work (like calling the setuid pt_chown
helper). that means this binary is sitting around with setuid perms for no
good reason.

i plan on updating the latest glibc to add USE=suid. in pkg_preinst and
ROOT==/, the ebuild will read /proc/mounts for a devpts line with gid=5. if
it doesn't find one, i'll have it call `die`. if the bsd pty scenario wasn't
long dead, and the devpts option didn't have gid=/mode= options, then it might
be reasonable to have it warn and do `chmod +s`. but i can't think of any
legitimate reasons for not using devpts & mounting it correctly. this is the
right answer even in the embedded world.

-mike
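
The /proc/mounts check described in the message above, as an added example that is not part of the original message and is not the glibc ebuild's code. The function name `devpts_status`, its verdict strings, the restriction to the `/dev/pts` mount point, and the extra mode=620 check are assumptions of this example; the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original message. Function name, verdict
# strings and sample data are this example's own (constructed).

# devpts_status [MOUNTS_FILE] [MOUNT_POINT]; prints a verdict, returns 0 only for "ok":
#   ok        devpts at MOUNT_POINT carries gid=5 and mode=620
#   no-gid    devpts mounted without gid=5
#   bad-mode  gid=5 present but mode is not 620
#   missing   no devpts mounted at MOUNT_POINT
devpts_status() {
    mounts_file=${1:-/proc/mounts}
    mount_point=${2:-/dev/pts}
    verdict=missing
    # Fields: device mountpoint fstype options dump pass. Later lines are
    # newer mounts, so the last matching line decides the verdict.
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = devpts ] && [ "$mnt" = "$mount_point" ] || continue
        # Comma-wrap so "mode=620" cannot match inside "ptmxmode=620".
        case ",$opts," in
            *,gid=5,*) ;;
            *) verdict=no-gid; continue ;;
        esac
        case ",$opts," in
            *,mode=620,*) verdict=ok ;;
            *) verdict=bad-mode ;;
        esac
    done < "$mounts_file"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed /proc/mounts samples, one per failure mode.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/good" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
EOF
echo 'devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0' > "$sample_dir/nogid"
echo 'devpts /dev/pts devpts rw,relatime,gid=5,mode=600,ptmxmode=620 0 0' > "$sample_dir/badmode"
for f in good nogid badmode; do
    printf '%s: %s\n' "$f" "$(devpts_status "$sample_dir/$f" || true)"
done
```

Calling `devpts_status` with no arguments audits the running system's /proc/mounts.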