[Bug 2813] sshd fails to start in user namespaces when the gid for tty is not mapped

bugzilla-daemon at bugzilla.mindrot.org
Sat Dec 1 17:30:09 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2813

--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Oliver Freyermuth from comment #5)
> This does indeed sound like a valid dirty hack that could be used
> for all self-made containers! I'll give it a spin in the next days. 
> 
> It does not scale, though: This would mean all containers out there
> (for example the hundreds of thousands on DockerHub) would need that
> hack to the group-file. 

If your system is violating POSIX by making chown() do strange things
or stat() lie then any workarounds that are required are on you.

OpenSSH is deployed on a lot of systems on many platforms and
configurations.  Unix pty handling is already weird enough without
adding hacks for such cases.

> This fallback, in my opinion, makes things even more strange: Why
> only fallback when tty is not in the groups file, and not fallback
> always? Is there any reason to care if the pty belongs to a group
> named "tty" explicitly (and only if that exists) instead of just
> caring for the actual permissions?

Yes, eg on some systems tools such as write(1) rely on being able to
open the tty device by virtue of being setgid tty:

$ uname -sr; ls -l `which write`
Linux 4.18.10-200.fc28.x86_64
-rwxr-sr-x 1 root tty 20328 Jul 16 21:56 /usr/bin/write

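The ownership rule the comment describes (chown the pty slave to user:tty and make it 0620 when a "tty" group exists, so setgid-tty helpers such as write(1) can open it; otherwise leave the group alone and use 0600) is modelled below as an added example. It is not OpenSSH's own sshpty.c code; the function names (pty_mode_for, set_pty_owner, lookup_tty_gid, fallback_mode_on_tempfile) and the mkstemp-based demo path are assumptions of this example. Inside a user namespace where the tty gid is not mapped, the chown() in the "tty group present" branch fails with EINVAL on Linux, which is the symptom the bug report is about; the example surfaces that error rather than silently continuing.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Added example, not OpenSSH code: models the pty ownership decision
 * discussed in the thread. Names and layout are this example's own.
 */

/* Mode chosen for a pty slave depending on whether a "tty" group exists. */
mode_t pty_mode_for(int have_tty_group)
{
    return have_tty_group ? (S_IRUSR | S_IWUSR | S_IWGRP)   /* 0620 */
                          : (S_IRUSR | S_IWUSR);            /* 0600 */
}

/*
 * Apply ownership and mode to `slave`. `tty_gid` is the gid of group "tty",
 * or (gid_t)-1 when no such group exists (chown() then leaves the group).
 * Returns 0 on success, -1 with errno set otherwise; *applied gets the mode.
 */
int set_pty_owner(const char *slave, uid_t uid, gid_t tty_gid, mode_t *applied)
{
    struct stat st;
    mode_t mode = pty_mode_for(tty_gid != (gid_t)-1);

    if (stat(slave, &st) == -1)
        return -1;
    /* Only chown when needed; chown to an unmapped gid is EINVAL in a userns. */
    if (st.st_uid != uid || (tty_gid != (gid_t)-1 && st.st_gid != tty_gid)) {
        if (chown(slave, uid, tty_gid) == -1)
            return -1;
    }
    if ((st.st_mode & 07777) != mode) {
        if (chmod(slave, mode) == -1)
            return -1;
    }
    if (applied)
        *applied = mode;
    return 0;
}

/* Look up group "tty"; (gid_t)-1 if it is absent from the group database. */
gid_t lookup_tty_gid(void)
{
    struct group *gr = getgrnam("tty");
    return gr ? gr->gr_gid : (gid_t)-1;
}

/*
 * Exercise the no-"tty"-group fallback on a throwaway regular file, which
 * needs no privilege: returns the mode applied (0600) or -1 on error.
 */
long fallback_mode_on_tempfile(void)
{
    char path[] = "/tmp/ptyownerXXXXXX";   /* constructed demo path */
    int fd = mkstemp(path);
    mode_t applied = 0;
    int rc;

    if (fd == -1)
        return -1;
    close(fd);
    rc = set_pty_owner(path, getuid(), (gid_t)-1, &applied);
    unlink(path);
    return rc == 0 ? (long)applied : -1;
}

int main(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    const char *slave;
    mode_t applied;
    gid_t tty_gid = lookup_tty_gid();

    if (master == -1 || grantpt(master) == -1 || unlockpt(master) == -1
        || (slave = ptsname(master)) == NULL) {
        perror("pty allocation");
        return 1;
    }
    if (set_pty_owner(slave, getuid(), tty_gid, &applied) == -1) {
        /* EINVAL here is the unmapped-gid user-namespace symptom. */
        fprintf(stderr, "%s: chown/chmod failed: %s\n", slave, strerror(errno));
        return 1;
    }
    printf("%s: tty group %s, mode %04o\n", slave,
           tty_gid == (gid_t)-1 ? "absent" : "present", (unsigned)applied);
    return 0;
}
```

Run as an unprivileged user on a normal host, the chown to the tty group succeeds only because the kernel already created the slave owned by you and grouped to tty (so no chown is attempted); run as root inside a container whose user namespace does not map the tty gid, the same call reports EINVAL, which is why the thread's suggested workaround of editing the container's group file changes the outcome.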