LWN: Comments on "Containers, pseudo TTYs, and backward compatibility"

A couple of updates and clarifications.

ebiederm — Tue, 07 Jun 2016 12:26:33 +0000

The code was merged for 4.7-rc2

xen-create-image is not the only problematic piece of userspace code, but rather a concrete example of a mistake that is easy to make.

Confusing a setuid pt_chown has been possible since multiple instances of devpts were introduced.

The reasons for changing the behavior of what happens when devpts is mounted go beyond any concerns about a setuid pt_chown. The need for the newinstance option to devpts has been an imperfect solution from the start.

distro usage of pt_chown

TheJH — Thu, 02 Jun 2016 18:03:15 +0000

Debian did it until a few months ago, and I thiiink Ubuntu only pulled that change from them. See Debian's changelog:

http://metadata.ftp-master.debian.org/changelogs//main/g/...

glibc (2.19-18+deb8u4) stable; urgency=medium

[ Aurelien Jarno ]
[...]
* sysdeps/linux.mk: don't build pt_chown (CVE-2013-2207). Closes: #717544.

-- Aurelien Jarno <aurel32@debian.org> Sat, 27 Feb 2016 23:17:33 +0100

distro usage of pt_chown

vapier — Thu, 02 Jun 2016 04:24:47 +0000

setuid pt_chown as a bad idea isn't a new discovery. CVE-2013-2207 documents this, and the solution in glibc was to stop building & installing it by default:
https://sourceware.org/bugzilla/show_bug.cgi?id=15755
this has been the behavior with the glibc-2.18+ release.

somewhat fortuitously, Gentoo dropped pt_chown a few months before to be proactive along the lines of "set*id is bad". this was applied to glibc-2.16+ versions.
https://bugs.gentoo.org/465308

so what current distros are still passing --enable-pt_chown ? i'm not seeing it in Fedora's rpm spec files, nor in Debian's file list for libc-bin (which is based on glibc-2.19). Ubuntu has it up through wily, but looks like they finally dropped it in xenial.