Date: Tue, 8 Feb 2022 13:37:32 +0100
From: Michael Gmelin
To: Alexander Leidinger
Cc: hackers@freebsd.org
Subject: Re: Behavior of /dev/pts in a jail?
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Tue, 08 Feb 2022 09:41:28 +0100
Alexander Leidinger wrote:

> Hi,
>
> I'm debugging a problem with gnupg on -current (as of Jan 20, but I
> see this problem since several months). The pinentry-tty program
> fails to ask for a PW. One of the gnupg authors found a bug which
> makes the pinentry-tty program segfault (fixed in v1.2.0), but this
> doesn't solve the problem (converts the segfault into an error
> output). We narrowed the problem down to gpg-agent not being able to
> see anything in /dev/pts and as such not being able to open my tty.
>
> So:
>  - a jail with devfs
>  - login into the jail via "jexec zsh" followed by "su - "
>  - a shell-wrapper for pinentry-tty which "ls -la /dev/pts" into a
>    logfile
>  - in the user-zsh inside the jail, I can see /dev/pts/2 (my tty) as
>    being rw for me in "ls -la /dev/pts" with the same uid as my user
>    (the user id inside the jail and the user id to which I ssh-ed on the
>    jail-host are the same)
>  - executing gpg in this same shell in a way which is supposed to
>    ask for a PW results in the pinentry-wrapper being called and
>    /dev/pts being completely empty in the ls output in the logfile -> no
>    PW being asked
>  - doing a ls of /dev/pts afterwards inside the shell still shows
>    /dev/pts/2
>
> Neither gpg nor gpg-agent are SUID.
>
> This behavior surprises me. The non-root shell I use inside the jail
> sees /dev/pts/2. This shell forks gpg which forks gpg-agent which
> forks pinentry-tty. As such I would expect /dev/pts/2 being visible
> to pinentry-tty.
>
> For me either this entry in the FS should be visible to all processes
> of this user, or to none.
>
> What am I missing here?

I've seen a similar problem with jails running on top of bhyve (in that
case, doing ssh wouldn't work). The solution back then was to add ttyu*
to devfs rules _before_ starting the jail:

  devfs rule -s 3 add 3250 path "ttyu*" unhide

Not sure if what you're seeing is related, but it feels a bit like that.

See also
https://lists.freebsd.org/archives/freebsd-current/2021-August/000409.html

Cheers
Michael

>
> Gnupg ticket: https://dev.gnupg.org/T5814
> Workaround if someone has the same problem: "gpg
> --pinentry-mode=loopback ..."
>
> Bye,
> Alexander.
>

-- 
Michael Gmelin
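
The logging wrapper described in the quoted message, written out as an added example (it is not code from either poster): it records the process identity, jail status and what is visible under /dev/pts, then hands over to the real pinentry. The script name `pinentry-wrapper`, the `REAL_PINENTRY` path, `PTS_DIR` and the log location are assumptions of this example.

```shell
#!/bin/sh
# Added example: logging wrapper around pinentry-tty.
# Install under the (assumed) name "pinentry-wrapper" and reference it from
# gpg-agent.conf with the pinentry-program option.
REAL_PINENTRY="${REAL_PINENTRY:-/usr/local/bin/pinentry-tty}"  # assumed path
PTS_DIR="${PTS_DIR:-/dev/pts}"
LOG="${LOG:-$HOME/pinentry-wrapper.log}"                       # assumed location

# How one device node looks to this process: missing, rw, or denied.
node_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -r "$1" ] && [ -w "$1" ]; then echo rw
    else echo denied
    fi
}

# Number of entries visible in a directory; 0 when nothing is exposed.
visible_count() {
    ls -A "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Append one snapshot to the log. The subshell keeps the restrictive umask
# from leaking into the pinentry that is exec'd afterwards.
snapshot() {
    (
        umask 077
        {
            echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) pid=$$ ppid=$PPID"
            echo "id: $(id)"
            echo "jailed: $(sysctl -n security.jail.jailed 2>/dev/null || echo n/a)"
            echo "ctty: $(ps -o tty= -p $$ 2>/dev/null)"
            echo "visible in $PTS_DIR: $(visible_count "$PTS_DIR")"
            ls -la "$PTS_DIR" 2>&1
            # GPG_TTY may be absent from the wrapper's environment; log it only if set.
            [ -n "${GPG_TTY:-}" ] && echo "GPG_TTY=$GPG_TTY: $(node_state "$GPG_TTY")"
            true
        } >> "$LOG"
    )
}

main() {
    snapshot
    exec "$REAL_PINENTRY" "$@"
}

# Run only when invoked under the wrapper's name, so the functions can also
# be sourced and exercised on their own.
case "${0##*/}" in
    pinentry-wrapper*) main "$@" ;;
esac
```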