From nobody Sat Sep 16 13:12:11 2023 X-Original-To: jail@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Rns0X1LjJz4srfp for ; Sat, 16 Sep 2023 13:12:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Rns0X0JcNz3gsl for ; Sat, 16 Sep 2023 13:12:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1694869932; a=rsa-sha256; cv=none; b=wJOZRa1Dse4vByfh/UeIRbw0ksjXi2Cuq+u70ccyuK/+Jt8UhyaSVJ1DFHPgE2GIHSXDIe UcjU71rset6F8wXoI4lNRRPD35zvbgHjOQOdAkzjGR1oCWKEPrxckNRnu/0r5Wlp3mDBfe 8ZK0YB1nFCo9oRrdwCgALJoUg/OqHnkEBJ/BI+ltIW/qUfUM1RHvqLA0YDf2wk/qy9dGxj 522qcCsPU6u13z5ZqW5eLGgQ6AIY3gAmSAXuImTSaIKCyMW5VpbDlcITcC73+D+7X0ZiR/ jwN/m2pAqlaIHE5i3kzSYliII2wmJX3EN8f0ZSAoj5IpuPN7fWpBC02HtZTIlA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694869932; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IYnrv1Ontkh6jXKuqQXeIsMw4MXfve6V/Wyrd2rZDQ0=; b=qc7QJ/6QC/Zx31PfYuWhdwZhnNOMR2eCD3y5u1W8HOAhk0g5RAr3WyHZMfI8JLfpr7iaIl y2X9k3zrh2XFB+p6EmIsDYX0Q1DB7Glq3pKQ33i5mbtI4yyXYqDjY8WVrfuG5p8pNCAZF0 08lfxMV8YAx8Pw7NbVvrY9Msb290Ve7DEVe31xA02M9pAlcqcb3roi1eM3jxCUVVZIehs1 /z+Atb6VMmvXDeIZDz8h2b4IL2tWDrlE19igco2NVaoNcVUDApxqZf6iuonmjj7YEFEnW7 XYgIfrsxDtYlROqvPxfMvCa09m3PHkRZY8SeAcbb8ktCJh0TgOJkC2InBcXXvQ== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Rns0W6WSMz17GT for ; Sat, 16 Sep 2023 13:12:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 38GDCBEi067272 for ; Sat, 16 Sep 2023 13:12:11 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 38GDCBdU067271 for jail@FreeBSD.org; Sat, 16 Sep 2023 13:12:11 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: jail@FreeBSD.org Subject: [Bug 259149] mac_portacl not in affect when running VNET jail Date: Sat, 16 Sep 2023 13:12:11 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.0-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: freebsd@igalic.co X-Bugzilla-Status: Closed X-Bugzilla-Resolution: Works As Intended X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: jail@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Discussion about FreeBSD jail(8) List-Archive: https://lists.freebsd.org/archives/freebsd-jail List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-jail@freebsd.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D259149 --- Comment #9 from Mina Gali=C4=87 --- (In reply to Thomas Hurst from comment #8) you wanna prepare a patch? --=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Fri Sep 22 11:44:33 2023 X-Original-To: freebsd-jail@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RsVnx3yDvz4tlhX for ; Fri, 22 Sep 2023 11:45:41 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (P-256) client-digest SHA256) (Client CN "mailgate.leidinger.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RsVnw2PR5z3D3l for ; Fri, 22 Sep 2023 11:45:40 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=leidinger.net header.s=outgoing-alex header.b=oqupByEU; spf=pass (mx1.freebsd.org: domain of Alexander@Leidinger.net designates 2a00:1828:2000:313::1:5 as permitted sender) smtp.mailfrom=Alexander@Leidinger.net; dmarc=pass (policy=quarantine) header.from=leidinger.net List-Id: Discussion about FreeBSD jail(8) List-Archive: https://lists.freebsd.org/archives/freebsd-jail List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-jail@freebsd.org MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leidinger.net; s=outgoing-alex; t=1695383124; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=aQMKJngXE52xoI5K1mK3Sv45xO4TEfNS2CJonna/oao=; b=oqupByEUBEWeu0JtyMGA3FoDy8KjqKyT2cqpoqZ2b0YitSZwZ5DTfgJEV77G/nNu7QuqqK +VzYkLKWX5oeW7nEjFMBt7MYOiHFhcrc/yZcioUoLkpH1bCOwCfITfMpRgOL5VM9y2RIcg u5StwGOuYBZOaH329lTyUP9JRGD17LK8PpHp/8OSTVizH7akWVLehI8F83SryhrxzP5Og9 m3cQH7U5qcUpBQsXgzwkejuAwQNhnbGi6kx9G5ox6wOaKArw/OyOaZ+yVMERiGBA/c7kWj 3GW/HkfCSytG1jJIlXsfhQWn16fXphjYZdzlpMLOZ46/20MpjDixOkZLVLM7MA== Date: Fri, 22 Sep 2023 13:44:33 +0200 From: Alexander Leidinger To: FreeBSD Jail ML Subject: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls Message-ID: <1c9037e072f646e02082e143e42c70e0@Leidinger.net> X-Sender: Alexander@Leidinger.net Organization: No organization, this is a private message. Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=_6624c69a29a91047f14f228d9c8d2f02"; micalg=pgp-sha256 X-Spamd-Bar: ----- X-Spamd-Result: default: False [-5.96 / 15.00]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.86)[-0.859]; DMARC_POLICY_ALLOW(-0.50)[leidinger.net,quarantine]; R_DKIM_ALLOW(-0.20)[leidinger.net:s=outgoing-alex]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; ARC_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-jail@freebsd.org]; RCVD_COUNT_ZERO(0.00)[0]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[leidinger.net:+]; TO_DN_ALL(0.00)[]; ASN(0.00)[asn:34240, ipnet:2a00:1828::/32, country:DE]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; BLOCKLISTDE_FAIL(0.00)[2a00:1828:2000:313::1:5:server fail]; HAS_ATTACHMENT(0.00)[]; HAS_ORG_HEADER(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; MID_RHS_MATCH_FROM(0.00)[] X-Rspamd-Queue-Id: 4RsVnw2PR5z3D3l This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --=_6624c69a29a91047f14f228d9c8d2f02 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Hi, I'm trying to debug an issue with pinentry-tty. The reason is that I want to export a gpg secret key, but it fails when the gpg-agent tries to ask for the PW. An alternative way to export the key works, but the main way should work too. So I took the time now to dig deeper. This is inside a jail, I haven't tried if it is the same effect outside a jail. With the gpg developer Werner Koch I tried to debug this, and we went down to do a pinentry-wrapper which calls pinentry within ktrace. The important part is this: ---snip--- 79943 pinentry-tty RET write 1 79943 pinentry-tty CALL read(0x3,0x464697e00158,0x3ea) 79943 pinentry-tty GIO fd 3 read 7 bytes "GETPIN " 79943 pinentry-tty RET read 7 79943 pinentry-tty CALL sigaction(SIGALRM,0x3fee6ca161d0,0) 79943 pinentry-tty RET sigaction 0 79943 pinentry-tty CALL sigaction(SIGINT,0x3fee6ca161d0,0) 79943 pinentry-tty RET sigaction 0 79943 pinentry-tty CALL setitimer(ITIMER_REAL,0x3fee6ca16160,0x3fee6ca16140) 79943 pinentry-tty STRU itimerval { .interval = {0, 0}, .value = {60, 0} } 79943 pinentry-tty STRU itimerval { .interval = {0, 0}, .value = {0, 0} } 79943 pinentry-tty RET setitimer 0 79943 pinentry-tty CALL open(0x46469782c020,0) 79943 pinentry-tty NAMI "/dev/pts/3" 79943 pinentry-tty RET open -1 errno 2 No such file or directory 79943 pinentry-tty CALL write(0x4,0x3fee6ca16420,0x36) 79943 pinentry-tty GIO fd 4 wrote 54 bytes "ERR 83886179 Verarbeitung wurde abgebrochen " 79943 pinentry-tty RET write 54/0x36 79943 pinentry-tty CALL write(0x4,0x3fee6dd96326,0x1) 79943 pinentry-tty GIO fd 4 wrote 1 byte ---snip--- The file exists and I see it inside the jail: ---snip--- % ll /dev/pts/3 crw--w---- 1 netchild tty 0x180 22 Sep. 12:44 /dev/pts/3 ---snip--- The corresponding code is here: https://github.com/gpg/pinentry/blob/master/tty/pinentry-tty.c#L547 The ttyname comes from the env (set via "export GPG_TTY=$(tty)") set in my .zshenv when logging in (ssh to host, jexec into jail, "su - netchild" -> .zshenv -> GPG_TTY is set). If I do the same via ssh to this account, a new PTS is allocated and this works. So clearly, the jail is restricting the access to the pts which was allocated on the host side instead of the jail side. On one hand this is understandable, as it was not created inside the jail. On the other hand the expectation is if I see the pts inside the jail, I should be able to access it. I can see it with ls, but I can not open it with open(). There is a mismatch. The first question which comes to my mind now is, what the bug is... is it a bug that it is visible in ls, or is it a bug that I can not open it? What is the reason for the unexpected behavior I see? Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_6624c69a29a91047f14f228d9c8d2f02 Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc; size=833 Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmUNfjEACgkQEg2wmwP4 2Ia6pA/+LMNGkz6ifGuSZMtFOmpR2aRYL6bHFu1kqP2wR4UZ9tNHoTbnWB7SajGA nhP1py0O1rfO1bpC62wxYGhqHSQxk6IsFHMcpjTZCjWPdXY01TwCSoZoG5RvbFv7 SCmRn5ZBdVLrBZOK3hApX572Iork79Q6UOEqAIwGGQNEwxPi5EUVOlJy4Cn92Jul Lg9khhNVo7spn6+g78rMOzQDMNLNT2XfVIoZJFv83RIVxezCzEfAh+BZrL9bs4Uf Yh/EpKFQddL2U/K5DxFrLICh9HcaR41KtVvCSFQkjodlaAYYFjDDoTWBTC3oOuRg g8ovvtBgLbUyajedJnXFD8zdiMCh23RusuQlOWeFcr2aMMS1qJmpROAsjcdPupaE Dal16yfRH+8NWjpWg1VTyhQRelNnNwtRT0DV5VKsewVlAetX9qZXhsytVfeQyDmL V0UYbhU4SLvY/aURwj1H4MvaBZCYU7H529iauNo4JlXsCbaHd0aAzI1514+PuI37 iuUtEP7zS9D75hXEfth5W+Q/LqOj+94VkuQl8/6dpX+mijk4IRRiZewMJ1w2ui3L P+ZsogxwYK6zAM2bjE0u3CAn1JHW1VflxARCVVoc4qE+wpXgGHi/cgiqP3Jd2+0d v8mKDQn4ZeqNrbix3E9A+Uo3Q6eqaN/7wkbSBxsJ/2wMQsqv7MA= =bhtx -----END PGP SIGNATURE----- --=_6624c69a29a91047f14f228d9c8d2f02-- From nobody Fri Sep 22 12:02:56 2023 X-Original-To: freebsd-jail@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RsWB76YPmz4tmKp for ; Fri, 22 Sep 2023 12:03:11 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4RsWB71j7Dz3G11 for ; Fri, 22 Sep 2023 12:03:11 +0000 (UTC) (envelope-from kostikbel@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.17.1/8.17.1) with ESMTPS id 38MC2vfu089625 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Fri, 22 Sep 2023 15:03:00 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua 38MC2vfu089625 Received: (from kostik@localhost) by tom.home (8.17.1/8.17.1/Submit) id 38MC2uYF089624; Fri, 22 Sep 2023 15:02:56 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Fri, 22 Sep 2023 15:02:56 +0300 From: Konstantin Belousov To: Alexander Leidinger Cc: FreeBSD Jail ML Subject: Re: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls Message-ID: References: <1c9037e072f646e02082e143e42c70e0@Leidinger.net> List-Id: Discussion about FreeBSD jail(8) List-Archive: https://lists.freebsd.org/archives/freebsd-jail List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-jail@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1c9037e072f646e02082e143e42c70e0@Leidinger.net> X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD,FREEMAIL_FROM, NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on tom.home X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US] X-Rspamd-Queue-Id: 4RsWB71j7Dz3G11 On Fri, Sep 22, 2023 at 01:44:33PM +0200, Alexander Leidinger wrote: > Hi, > > I'm trying to debug an issue with pinentry-tty. The reason is that I want to > export a gpg secret key, but it fails when the gpg-agent tries to ask for > the PW. An alternative way to export the key works, but the main way should > work too. So I took the time now to dig deeper. This is inside a jail, I > haven't tried if it is the same effect outside a jail. > > With the gpg developer Werner Koch I tried to debug this, and we went down > to do a pinentry-wrapper which calls pinentry within ktrace. > > The important part is this: > ---snip--- > 79943 pinentry-tty RET write 1 > 79943 pinentry-tty CALL read(0x3,0x464697e00158,0x3ea) > 79943 pinentry-tty GIO fd 3 read 7 bytes > "GETPIN > " > 79943 pinentry-tty RET read 7 > 79943 pinentry-tty CALL sigaction(SIGALRM,0x3fee6ca161d0,0) > 79943 pinentry-tty RET sigaction 0 > 79943 pinentry-tty CALL sigaction(SIGINT,0x3fee6ca161d0,0) > 79943 pinentry-tty RET sigaction 0 > 79943 pinentry-tty CALL > setitimer(ITIMER_REAL,0x3fee6ca16160,0x3fee6ca16140) > 79943 pinentry-tty STRU itimerval { .interval = {0, 0}, .value = {60, 0} } > 79943 pinentry-tty STRU itimerval { .interval = {0, 0}, .value = {0, 0} } > 79943 pinentry-tty RET setitimer 0 > 79943 pinentry-tty CALL open(0x46469782c020,0) > 79943 pinentry-tty NAMI "/dev/pts/3" > 79943 pinentry-tty RET open -1 errno 2 No such file or directory > 79943 pinentry-tty CALL write(0x4,0x3fee6ca16420,0x36) > 79943 pinentry-tty GIO fd 4 wrote 54 bytes > "ERR 83886179 Verarbeitung wurde abgebrochen " > 79943 pinentry-tty RET write 54/0x36 > 79943 pinentry-tty CALL write(0x4,0x3fee6dd96326,0x1) > 79943 pinentry-tty GIO fd 4 wrote 1 byte > ---snip--- > > The file exists and I see it inside the jail: > ---snip--- > % ll /dev/pts/3 > crw--w---- 1 netchild tty 0x180 22 Sep. 12:44 /dev/pts/3 > ---snip--- > > The corresponding code is here: > https://github.com/gpg/pinentry/blob/master/tty/pinentry-tty.c#L547 > > The ttyname comes from the env (set via "export GPG_TTY=$(tty)") set in my > .zshenv when logging in (ssh to host, jexec into jail, "su - netchild" -> > .zshenv -> GPG_TTY is set). > > If I do the same via ssh to this account, a new PTS is allocated and this > works. > > So clearly, the jail is restricting the access to the pts which was > allocated on the host side instead of the jail side. > > On one hand this is understandable, as it was not created inside the jail. > On the other hand the expectation is if I see the pts inside the jail, I > should be able to access it. I can see it with ls, but I can not open it > with open(). There is a mismatch. > > The first question which comes to my mind now is, what the bug is... is it a > bug that it is visible in ls, or is it a bug that I can not open it? What is > the reason for the unexpected behavior I see? Both actions behave as expected: - visibility is governed by devfs rules, it operates on names of the devfs nodes - opening pty requires corresponding privileges. So everything works as expected. From nobody Fri Sep 22 12:14:44 2023 X-Original-To: freebsd-jail@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RsWSc6W1Gz4tnWb for ; Fri, 22 Sep 2023 12:15:44 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (P-256)) (Client CN "mailgate.leidinger.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RsWSc55ZCz3Gmq for ; Fri, 22 Sep 2023 12:15:44 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Authentication-Results: mx1.freebsd.org; none List-Id: Discussion about FreeBSD jail(8) List-Archive: https://lists.freebsd.org/archives/freebsd-jail List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-jail@freebsd.org MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leidinger.net; s=outgoing-alex; t=1695384938; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=wKfpANbV2wOlYVHg1PuaxWSqjWISNt54ApIGMs72WU0=; b=TXf7kUjydPzuLnKS75e6Whvq3bt7q51wS/wHG9CNLq5xeB7rzmVH31j/zzYo1Dl7EYEVik lWDIEM/C6tQoj/g4J/yusu9sVBfP0iY7EFFNAhwQqT3wWgg75yoq+TYypoDdYDRqeQvrHp hjZXISiy/991k2maX51V/bkpDcWKTNOX2G0miNQYCopiycXEC5WWAcdeGkf9ncXlzZzFdb CnaMnGkqDP3xO7WGIv1VlXN3V9OGugS2tBuaHv87xoBDLQG3XW0s35y1QjB+oXqXlintYq fF9ehKc5J1LVnPmOyL86vmmaxYTzMSR8WiIhu8Hes4IhXHlu/1GSv0js7r/Llw== Date: Fri, 22 Sep 2023 14:14:44 +0200 From: Alexander Leidinger To: Konstantin Belousov Cc: FreeBSD Jail ML Subject: Re: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls In-Reply-To: References: <1c9037e072f646e02082e143e42c70e0@Leidinger.net> Message-ID: <4944b61787c627ae604767c5c0f4d4bd@Leidinger.net> X-Sender: Alexander@Leidinger.net Organization: No organization, this is a private message. Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=_f0adeacf93a257b05a4ca6b40e46a09b"; micalg=pgp-sha256 X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:34240, ipnet:2a00:1828::/32, country:DE] X-Rspamd-Queue-Id: 4RsWSc55ZCz3Gmq This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --=_f0adeacf93a257b05a4ca6b40e46a09b Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Am 2023-09-22 14:02, schrieb Konstantin Belousov: > On Fri, Sep 22, 2023 at 01:44:33PM +0200, Alexander Leidinger wrote: >> Hi, >> >> I'm trying to debug an issue with pinentry-tty. The reason is that I >> want to >> export a gpg secret key, but it fails when the gpg-agent tries to ask >> for >> the PW. An alternative way to export the key works, but the main way >> should >> work too. So I took the time now to dig deeper. This is inside a jail, >> I >> haven't tried if it is the same effect outside a jail. >> >> With the gpg developer Werner Koch I tried to debug this, and we went >> down >> to do a pinentry-wrapper which calls pinentry within ktrace. >> >> The important part is this: >> ---snip--- >> 79943 pinentry-tty RET write 1 >> 79943 pinentry-tty CALL read(0x3,0x464697e00158,0x3ea) >> 79943 pinentry-tty GIO fd 3 read 7 bytes >> "GETPIN >> " >> 79943 pinentry-tty RET read 7 >> 79943 pinentry-tty CALL sigaction(SIGALRM,0x3fee6ca161d0,0) >> 79943 pinentry-tty RET sigaction 0 >> 79943 pinentry-tty CALL sigaction(SIGINT,0x3fee6ca161d0,0) >> 79943 pinentry-tty RET sigaction 0 >> 79943 pinentry-tty CALL >> setitimer(ITIMER_REAL,0x3fee6ca16160,0x3fee6ca16140) >> 79943 pinentry-tty STRU itimerval { .interval = {0, 0}, .value = >> {60, 0} } >> 79943 pinentry-tty STRU itimerval { .interval = {0, 0}, .value = {0, >> 0} } >> 79943 pinentry-tty RET setitimer 0 >> 79943 pinentry-tty CALL open(0x46469782c020,0) >> 79943 pinentry-tty NAMI "/dev/pts/3" >> 79943 pinentry-tty RET open -1 errno 2 No such file or directory >> 79943 pinentry-tty CALL write(0x4,0x3fee6ca16420,0x36) >> 79943 pinentry-tty GIO fd 4 wrote 54 bytes >> "ERR 83886179 Verarbeitung wurde abgebrochen " >> 79943 pinentry-tty RET write 54/0x36 >> 79943 pinentry-tty CALL write(0x4,0x3fee6dd96326,0x1) >> 79943 pinentry-tty GIO fd 4 wrote 1 byte >> ---snip--- >> >> The file exists and I see it inside the jail: >> ---snip--- >> % ll /dev/pts/3 >> crw--w---- 1 netchild tty 0x180 22 Sep. 12:44 /dev/pts/3 >> ---snip--- >> >> The corresponding code is here: >> >> https://github.com/gpg/pinentry/blob/master/tty/pinentry-tty.c#L547 >> >> The ttyname comes from the env (set via "export GPG_TTY=$(tty)") set >> in my >> .zshenv when logging in (ssh to host, jexec into jail, "su - netchild" >> -> >> .zshenv -> GPG_TTY is set). >> >> If I do the same via ssh to this account, a new PTS is allocated and >> this >> works. >> >> So clearly, the jail is restricting the access to the pts which was >> allocated on the host side instead of the jail side. >> >> On one hand this is understandable, as it was not created inside the >> jail. >> On the other hand the expectation is if I see the pts inside the jail, >> I >> should be able to access it. I can see it with ls, but I can not open >> it >> with open(). There is a mismatch. >> >> The first question which comes to my mind now is, what the bug is... >> is it a >> bug that it is visible in ls, or is it a bug that I can not open it? >> What is >> the reason for the unexpected behavior I see? > Both actions behave as expected: > - visibility is governed by devfs rules, it operates on names of the > devfs nodes > - opening pty requires corresponding privileges. > > So everything works as expected. Everything works as technically implemented according to the rules of the underlying technology... and you have adapted your expectations to the underlying technology. From a human point of view who is not aware of the underlying technology, there is a mismatch and it does not work as expected. We could adapt the expectation of our users, by documenting this behavior in e.g. pts(4) and or jexec(8) including a way how to login to a jail from the host in a way which provides a good pty. Or we could adapt the technology, to adapt to the expectations of users. The first one is surely easy. The second one may be desirable. Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_f0adeacf93a257b05a4ca6b40e46a09b Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc; size=833 Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmUNhUQACgkQEg2wmwP4 2IZNiA//fTPIQskL7abRsWoL63TP8Lg0nek9A0TAUsc4W5i26oyzQ1gZJ0zZfq6V WcnFMbP5M7UHcWhg2o/KbzRXPhiAtrDIrGJMhW/u/PPa2i0keKkcRpHzZMnFohn7 2xelzT5hHCR/0PFmvGEvFEMWVBr62UD9Zw6kDCIGszwU/Et2988USzrfHk+RvIh4 Nv0P9vvULCsXWOCg1/fpyXgClzvU1pk0sK7lBn2P/pGxweBDT1bEcsT1pt3jGiCY ahU3NQL5y0EcOxNIf7B5mEhGGbJx3Rr+AelsRDpc2IFOUudkHxG3NLWb8szgGUox tXmXMn6m83kvItqQiN+ffU77OJ+qeIo9FlRdmxLfQTjNm1CJHqmL8WEOyir+E18R RWPgoDrr54e+/iYyUD1SaigHm7BImbX2OMeeh9XuP7Ow6gMIizmBDsjXqPHLl7R+ PDU5a9AwTrWrXstxwjfiSLIMicx2curuTKbLmUDtxqHZZTEFAv0wwX12gSCvekUl kKwMakt/mW/KYCCvN29YUaRMSlinjl/fnCStpHF7Sh6FICu+nydz79YemjZFXuuX vPPQAJZGMJIPGDzdJ1ntdCHjA+x9VDQYfWic+3LPNA27cIvmd/I5xqfEDnC50qRC XSkSkOeSTkk1Je9kIGJRAtkNlTyOtvlw8H1ol++1TsjF04/BKyQ= =CPne -----END PGP SIGNATURE----- --=_f0adeacf93a257b05a4ca6b40e46a09b--