Date: Tue, 13 Feb 2001 07:09:48 +0200 (SAST)
From: Lists Account <lists@security.za.net>
To: Robert Watson <rwatson@freebsd.org>
Cc: hackers@freebsd.org
Subject: Re: Jail Pseudo Terminals
Message-ID: <Pine.BSF.4.21.0102130708170.31659-100000@security.za.net>
In-Reply-To: <Pine.NEB.3.96L.1010212104522.88322B-100000@fledge.watson.org>
Hi,

Ok this is getting a bit strange. Interestingly enough ssh works 100% with my method of tty creation, having created (from outside the jail) ttyp32 - ttyp100 (with the minor/major numbers set as 5,XX where XX is ttypXX), and a mknod type of c, ssh allocates ttys fine, however screen still tells me there are no ttys available?

Any ideas?

Andrew

On Mon, 12 Feb 2001, Robert Watson wrote:

>
> On Mon, 12 Feb 2001, Lists Account wrote:
>
> > Just a quick question I'm hoping someone can help me with. I extended
> > the number of pty's available on my base box just fine, with an edit to
> > /etc/ttys and making some new devices, then just a kill -1 1, and
> > everything worked fine.
> >
> > I did exactly the same thing under the jail, it didn't work, rebooted the
> > box and it still didn't work, does anyone know how to extend the number
> > of pty's under a jail? Any help would be MUCH appreciated
>
> Hmm. What do you mean by, ``I did exactly the same thing under the jail''
> -- the mknod() syscall for device nodes is unavailable under jail() so as
> to prevent the creation of inappropriate devices that might allow the
> attacker to circumvent the jail() protections. So there are two things
> you could have done: (1) used MAKEDEV under jail(), and either it didn't
> generate appropriate error messages, or you missed them, and you should be
> running the MAKEDEV in the per-jail /dev directory, but not from within
> the jail(), or (2) you ran MAKEDEV outside the jail, and something else is
> broken. My first guess would be that you did (1), and running MAKEDEV
> outside of a jail() process but in the jail() /dev will fix things.
>
> Also, generally speaking, pty's are not managed by init, rather, they are
> dynamically allocated using openpty(), so you shouldn't need to HUP init,
> or even modify /etc/ttys. In fact, from within a jail(), you should be
> unable to successfully HUP the pid 1 init process.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services