From: Alexander Leidinger <Alexander@Leidinger.net>
To: FreeBSD Jail ML <freebsd-jail@freebsd.org>
Date: Fri, 22 Sep 2023 13:44:33 +0200
Subject: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls
Message-ID: <1c9037e072f646e02082e143e42c70e0@Leidinger.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

Hi,

I'm trying to debug an issue with pinentry-tty. The reason is that I want
to export a gpg secret key, but it fails when the gpg-agent tries to ask
for the PW. An alternative way to export the key works, but the main way
should work too. So I took the time now to dig deeper.

This is inside a jail; I haven't tried whether it is the same outside a
jail. Together with the gpg developer Werner Koch I tried to debug this,
and we went down to a pinentry wrapper which calls pinentry within ktrace.
The important part is this:

---snip---
 79943 pinentry-tty RET   write 1
 79943 pinentry-tty CALL  read(0x3,0x464697e00158,0x3ea)
 79943 pinentry-tty GIO   fd 3 read 7 bytes
       "GETPIN
       "
 79943 pinentry-tty RET   read 7
 79943 pinentry-tty CALL  sigaction(SIGALRM,0x3fee6ca161d0,0)
 79943 pinentry-tty RET   sigaction 0
 79943 pinentry-tty CALL  sigaction(SIGINT,0x3fee6ca161d0,0)
 79943 pinentry-tty RET   sigaction 0
 79943 pinentry-tty CALL  setitimer(ITIMER_REAL,0x3fee6ca16160,0x3fee6ca16140)
 79943 pinentry-tty STRU  itimerval { .interval = {0, 0}, .value = {60, 0} }
 79943 pinentry-tty STRU  itimerval { .interval = {0, 0}, .value = {0, 0} }
 79943 pinentry-tty RET   setitimer 0
 79943 pinentry-tty CALL  open(0x46469782c020,0)
 79943 pinentry-tty NAMI  "/dev/pts/3"
 79943 pinentry-tty RET   open -1 errno 2 No such file or directory
 79943 pinentry-tty CALL  write(0x4,0x3fee6ca16420,0x36)
 79943 pinentry-tty GIO   fd 4 wrote 54 bytes
       "ERR 83886179 Verarbeitung wurde abgebrochen "
 79943 pinentry-tty RET   write 54/0x36
 79943 pinentry-tty CALL  write(0x4,0x3fee6dd96326,0x1)
 79943 pinentry-tty GIO   fd 4 wrote 1 byte
---snip---

The file exists and I see it inside the jail:

---snip---
% ll /dev/pts/3
crw--w----  1 netchild  tty  0x180 22 Sep. 12:44 /dev/pts/3
---snip---

The corresponding code is here:
https://github.com/gpg/pinentry/blob/master/tty/pinentry-tty.c#L547

The ttyname comes from the env (set via "export GPG_TTY=$(tty)") set in
my .zshenv when logging in (ssh to host, jexec into jail, "su - netchild"
-> .zshenv -> GPG_TTY is set). If I do the same via ssh to this account,
a new PTS is allocated and this works.

So clearly, the jail is restricting the access to the pts which was
allocated on the host side instead of the jail side. On one hand this is
understandable, as it was not created inside the jail. On the other hand
the expectation is that if I see the pts inside the jail, I should be
able to access it. I can see it with ls, but I cannot open it with
open(). There is a mismatch.
The first question which comes to my mind now is what the bug is... is it
a bug that it is visible in ls, or is it a bug that I cannot open it?
What is the reason for the unexpected behavior I see?

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
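An added diagnostic, not part of the post above and not pinentry's own code, that separates the two checks the post contrasts: whether the tty named by GPG_TTY is merely visible (stat() succeeds, which is what ls reports) or actually openable with the same O_RDONLY open() the ktrace shows pinentry-tty making. The enum names and probe_tty() are assumptions of this example.

```c
/* Added example, not from the post or from pinentry: classify the tty named
 * by GPG_TTY as merely visible (stat succeeds, as ls shows) or actually
 * openable (open succeeds, which is what pinentry-tty needs). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* ABSENT: stat fails; VISIBLE_ONLY: stat ok, open fails (the jail mismatch);
 * NOT_A_TTY: opens but is no terminal; OPENABLE: opens and is a terminal. */
enum tty_state { TTY_ABSENT, TTY_VISIBLE_ONLY, TTY_NOT_A_TTY, TTY_OPENABLE };

/* Returns the classification; on a failed call *err receives its errno. */
enum tty_state probe_tty(const char *path, int *err)
{
    struct stat st;
    *err = 0;
    if (stat(path, &st) != 0) {
        *err = errno;
        return TTY_ABSENT;
    }
    /* O_RDONLY (flags 0) is the call the ktrace shows pinentry-tty making. */
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0) {
        *err = errno;
        return TTY_VISIBLE_ONLY;
    }
    enum tty_state s = isatty(fd) ? TTY_OPENABLE : TTY_NOT_A_TTY;
    close(fd);
    return s;
}

int main(void)
{
    /* pinentry-tty takes the terminal from GPG_TTY, so that is what we probe. */
    const char *path = getenv("GPG_TTY");
    int err;
    if (path == NULL || *path == '\0') {
        fputs("GPG_TTY is not set\n", stderr);
        return 1;
    }
    switch (probe_tty(path, &err)) {
    case TTY_ABSENT:       printf("%s: not visible: %s\n", path, strerror(err)); break;
    case TTY_VISIBLE_ONLY: printf("%s: visible but open() fails: %s\n", path, strerror(err)); break;
    case TTY_NOT_A_TTY:    printf("%s: opens but is not a terminal\n", path); break;
    case TTY_OPENABLE:     printf("%s: usable by pinentry-tty\n", path); return 0;
    }
    return 1;
}
```

Run it inside the jail with GPG_TTY set as in the post; a "visible but open() fails" result with ENOENT reproduces the mismatch the ktrace shows.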