Re: ptmx, /dev/pts support for 5.x

On Sun, Oct 05, 2003 at 09:25:53PM -0400, Robert Watson wrote:
> Last week, I did a bit of experimentation to look at privilege issues in
> the allocation of ptys on FreeBSD.  Right now, to safely allocate a
> pty/tty pair, you basically need privilege (otherwise you can't
> chown/chmod the slave node).  I took a look at some of the approaches used
> by other systems (specifically Linux, Solaris) and implemented basic ptmx
> support for FreeBSD:

>   http://www.watson.org/~robert/freebsd/pts/

> I took the existing tty_pty.c driver code and remunged most of the dev_t
> and clone handling, as well as open/close of both master and slave.  It's
> far from perfect -- more of an experiment really, but it has some notable
> benefits, including allowing programs like window, xterm, etc, to allocate
> ptys safely without privilege (although utmp still requires privilege if
> you're into that sort of thing).  pts/ttys are also GC'd to reset
> ownership/permissions/flags in a race-free manner. 

The current implementation could also be changed to make it safe. It
relies on an (ugly) setuid root helper /usr/libexec/pt_chown to chown
the slave device. A revoke() call on the slave should be added
somewhere after that in grantpt(), or in unlockpt().

A problem is that forking may confuse SIGCHLD handlers. grantpt() in
FreeBSD blocks SIGCHLD, but I don't know whether that's enough.
POSIX.1-2001 says that calling grantpt() with a SIGCHLD handler produces
undefined results. With openpty() programs may not expect that.

By the way, in System V the slave device is locked (cannot be opened)
when the master is opened. The unlockpt() call unlocks it, so it can be
opened, giving the user program time to chown and chmod the slave
device. So unlockpt() has little to do with STREAMS, and it should be
said in the manpage that this functionality is handled differently
(namely, revoke(2)) in FreeBSD, as the deeper purpose of avoiding the
race condition is as relevant in FreeBSD as in System V.

Jilles Tjoelker