Date: Tue, 08 Feb 2022 09:41:28 +0100
Message-ID: <20220208094128.Horde.LqeAS3LDe4RHYSV3IH2XY96@webmail.leidinger.net>
From: Alexander Leidinger
To: hackers@freebsd.org
Subject: Behavior of /dev/pts in a jail?
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hi,

I'm debugging a problem with gnupg on -current (as of Jan 20, but I have seen this problem for several months). The pinentry-tty program fails to ask for a PW. One of the gnupg authors found a bug which makes the pinentry-tty program segfault (fixed in v1.2.0), but this doesn't solve the problem (it converts the segfault into an error output). We narrowed the problem down to gpg-agent not being able to see anything in /dev/pts and as such not being able to open my tty.

So:
 - a jail with devfs
 - login into the jail via "jexec zsh" followed by "su - "
 - a shell-wrapper for pinentry-tty which "ls -la /dev/pts" into a logfile
 - in the user-zsh inside the jail, I can see /dev/pts/2 (my tty) as being rw for me in "ls -la /dev/pts" with the same uid as my user (the user id inside the jail and the user id to which I ssh-ed on the jail-host are the same)
 - executing gpg in this same shell in a way which is supposed to ask for a PW results in the pinentry-wrapper being called and /dev/pts being completely empty in the ls output in the logfile -> no PW being asked
 - doing a ls of /dev/pts afterwards inside the shell still shows /dev/pts/2

Neither gpg nor gpg-agent are SUID.

This behavior surprises me. The non-root shell I use inside the jail sees /dev/pts/2. This shell forks gpg which forks gpg-agent which forks pinentry-tty. As such I would expect /dev/pts/2 being visible to pinentry-tty. For me either this entry in the FS should be visible to all processes of this user, or to none.

What am I missing here?

Gnupg ticket: https://dev.gnupg.org/T5814

Workaround if someone has the same problem: "gpg --pinentry-mode=loopback ..."

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
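
A logging wrapper of the kind described in the list above, as an added example that is not the poster's script: it records the process context (pid, parent pid, uid, tty) together with the /dev/pts listing, so the view from the interactive shell and the view from the pinentry child can be compared record by record. The path to the real pinentry-tty, the log file location and the file name pinentry-wrapper are assumptions.

```sh
#!/bin/sh
# Added example: diagnostic wrapper around pinentry-tty.
# Assumptions: both defaults below are placeholders; adjust to the jail.
REAL_PINENTRY="${REAL_PINENTRY:-/usr/local/bin/pinentry-tty}"
LOGFILE="${LOGFILE:-/tmp/pinentry-wrapper.log}"

# Count the entries this process can see in a directory (0 when it looks empty).
count_entries() {
    ls -A "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Print one record: who is looking, from which process, and what is visible.
pts_snapshot() {
    dir="$1"
    echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') pid=$$ ppid=$PPID uid=$(id -u)"
    # tty reports "not a tty" when stdin is a pipe, as it is under gpg-agent.
    echo "tty=$(tty 2>&1) GPG_TTY=${GPG_TTY:-unset}"
    echo "dir=$dir entries=$(count_entries "$dir")"
    ls -la "$dir" 2>&1
}

# Act as the wrapper only when installed under this (assumed) name, so the
# functions can also be sourced in the interactive shell to log its own view.
case "$0" in
    *pinentry-wrapper*)
        pts_snapshot /dev/pts >> "$LOGFILE"
        exec "$REAL_PINENTRY" "$@"
        ;;
esac
```

gpg-agent can be pointed at the wrapper with the pinentry-program option in gpg-agent.conf.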