[Bug 2813] sshd fails to start in user namespaces when the gid for tty is not mapped
bugzilla-daemon at bugzilla.mindrot.org
Sat Dec 1 17:30:09 AEDT 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2813
--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Oliver Freyermuth from comment #5)
> This does indeed sound like a valid dirty hack that could be used
> for all self-made containers! I'll give it a spin in the next days.
>
> It does not scale, though: This would mean all containers out there
> (for example the hundreds of thousands on DockerHub) would need that
> hack to the group-file.
If your system is violating POSIX by making chown() do strange things
or stat() lie then any workarounds that are required are on you.
OpenSSH is deployed on a lot of systems on many platforms and
configurations. Unix pty handling is already weird enough without
adding hacks for such cases.
> This fallback, in my opinion, makes things even more strange: Why
> only fallback when tty is not in the groups file, and not fallback
> always? Is there any reason to care if the pty belongs to a group
> named "tty" explicitly (and only if that exists) instead of just
> caring for the actual permissions?
Yes, e.g. on some systems tools such as write(1) rely on being able to
open the tty device by virtue of being setgid tty:
$ uname -sr; ls -l `which write`
Linux 4.18.10-200.fc28.x86_64
-rwxr-sr-x 1 root tty 20328 Jul 16 21:56 /usr/bin/write