Date: Sun, 1 Aug 2021 18:52:15 +0200
From: Michael Gmelin
To: freebsd-current@freebsd.org, freebsd-virtualization@freebsd.org
Subject: Should we include ttyu* to devfs_ruleset 3 (devfsrules_unhide_login)?
Message-ID: <20210801185215.645cf0c8@bsd64.grem.de>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Hi,

There are many TTY devices in devfsrules_unhide_login=3, but ttyu* (serial lines) are not part of it.

As a result, certain things won't work as expected when connecting over a serial console, one example being connecting to a local bhyve vm over serial console (e.g., `vm console myvm' when using vm-bhyve).

The example that brought this to my attention is using ssh within a jail that's running inside of a VM, while being connected to that VM over serial console.

So the setup is:

- FreeBSD 13 host
- bhyve vm running FreeBSD 13 on top
- Jail using mount.devfs running within the bhyve vm, using the default devfs_ruleset inside of the bhyve vm (which in turn loads devfsrules_jail=4, which includes devfsrules_unhide_login=3).

Now, ssh within that jail won't work, as /dev/tty can't be accessed.

Example (while being connected to the vm over a serial line):

    # jail -c path=/ mount.devfs ip4=inherit command=ssh localhost
    Host key verification failed.
    jail: ssh localhost: failed

Now, adding in an extra rule to ruleset 3:

    # devfs rule -s 3 add 3250 path "ttyu*" unhide

Things work as expected:

    # jail -c path=/ mount.devfs ip4=inherit command=ssh localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be established...
    Are you sure you want to continue connecting (yes/no)?

Now the question is, would it make sense to add ttyu* (or at least ttyu0) to [devfsrules_unhide_login=3] in /etc/defaults/devfs.rules, or are there any (security) reasons why this might be a bad idea?

Best,
Michael

-- 
Michael Gmelin
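
Added example (not part of the original message and not FreeBSD code): a simplified model of devfs ruleset evaluation, where rules apply in order and the last matching hide/unhide decides, used to list which devices a jail gains when ttyu* is unhidden. The rules text is a constructed, trimmed excerpt in the style of /etc/defaults/devfs.rules, and the local ruleset devfsrules_jail_serial=100 is an assumed name and number chosen so the change can be scoped to one jail instead of ruleset 3.

```python
import fnmatch
import shlex

# Constructed, trimmed excerpt in the style of /etc/defaults/devfs.rules.
# devfsrules_jail_serial=100 is a hypothetical local ruleset (assumed name/number).
SAMPLE_RULES = """
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_unhide_login=3]
add path 'ttyp*' unhide
add path 'pts/*' unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
[devfsrules_jail_serial=100]
add include $devfsrules_jail
add path 'ttyu*' unhide
"""

def parse(text):
    """Return {ruleset name: [rule tokens without the leading 'add']}."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = rulesets.setdefault(line[1:-1].split("=")[0], [])
        elif line.startswith("add ") and current is not None:
            current.append(shlex.split(line)[1:])
    return rulesets

def visible(rulesets, name, device, state=True):
    """Apply rules in order; the last matching hide/unhide decides (path conditions only)."""
    for rule in rulesets[name]:
        if rule[0] == "include":
            state = visible(rulesets, rule[1].lstrip("$"), device, state)
        elif rule[-1] in ("hide", "unhide"):
            pattern = rule[1] if rule[0] == "path" else "*"
            if fnmatch.fnmatchcase(device, pattern):
                state = rule[-1] == "unhide"
    return state

def newly_exposed(rulesets, base, candidate, devices):
    """Devices hidden under `base` but visible under `candidate`."""
    return [d for d in devices if visible(rulesets, candidate, d) and not visible(rulesets, base, d)]

DEVICES = ["null", "pts/0", "ttyu0", "ttyu1", "ttyv0", "mem", "kmem"]  # constructed device names
print(newly_exposed(parse(SAMPLE_RULES), "devfsrules_jail", "devfsrules_jail_serial", DEVICES))
```

On a real system the authoritative view is what the mounted devfs shows inside the jail; this model ignores non-path conditions and the mode/user/group actions.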