Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Thu 06 Jul 2006 - 12:10:51 BST
Message-ID: <20060706111050.GD18152@MAIL.13thfloor.at>

On Wed, Jul 05, 2006 at 11:44:54PM +0200, Robert Michel wrote:
> Salve Herbert, ML!
>
> Herbert Poetzl wrote on Sunday, 02 July 2006 at 17:59h:
> > > What should I read to learn what fd,pts stands for and
> > > to know what /dev/pts/[14|20|21|31-34] are?
> >
> > *phew* good question, probably a lot of source code :)
> >
> > thing is, fd and pts (/14,/20 ...) are 'just' names
> > used for character and block device nodes, identified
> > by the unique major and minor identifiers ...
> >
> > so, basically c:136:14 means the 14th pseudo terminal
> > (regardless of the name, could as well be named hansi)
>
> > > > >Could it be that I'm allowed to remove devices, but
> > > > >not allowed to create one?
> > > >
> > > > Exactly. Giving guests the ability to create devices is a huge security
> > > > risk, basically equivalent to just giving access to the host directly.
>
> What about the pseudo terminals?
> sshd, screen ... and some others can create new ones
> as user@guest :)
> asterisk seems to have its own terminal:
>
> # from [Asterisk-Users] ML Tzafrir Cohen wrote on
> # Tue Jul 4 09:05:46 MST 2006
> # safe_asterisk has a flawed logic: it assumes that the tty device will
> # always exist. Thus it is not suited for use with screen.

> I used "ln -s /dev/pts/31 /dev/tty9" successfully,

/dev/pts is very dynamic, i.e. it is assigned when
you ask /dev/ptmx for a new terminal, and it will
lose its connection and meaning when you close it

> but on the next day /usr/sbin/safe_asterisk does
> not find /dev/tty9..... /dev/pts/31 exists only
> for my bash; after exiting this bash, /dev/pts/31
> is also gone, and so this "hack"
> does not work... ;(

precisely, either you _want_ that output to go
somewhere, then you have to 'provide' a real vc
terminal or to make asterisk 'create' it on startup
(by requesting a new one, like e.g. screen does)

> How can I create with /etc/init.d/asterisk
> a new pseudo terminal, e.g. /dev/pts/ast
> and "ln -s /dev/pts/ast /dev/tty9"

you could, for example, use screen to provide that
pseudo terminal without modifying asterisk

> Dirty trick would be to start with /etc/init.d/asterisk
> a ssh or telnet connection to 127.0.0.1,
> is there a smart way to create a pseudo terminal, especially
> one that is durable and does not fade away when
> something crashes?
>
> > device nodes are always local, so they cannot be
> > 'forwarded' to another host, OTOH, you are free to
> > create fifos (pipes) and symlinks to 'redirect'
> > stuff remotely and local
>
> root@guest# mknod ..... /dev/pts/asterisk
> root@guest# ln -s /dev/pts/asterisk /dev/tty9
> ???
>
> #mknod /dev/tty9 c 7 7
> mknod: »/dev/tty9«: Die Operation ist nicht erlaubt
> (operation is not allowed)

better use /dev/vc/9 (c:4:9 or the udev equiv) but
basically you 'could' create the device for the guest
on the host side, and the guest will be able to use
it, just be careful _what_ you give to your guests :)

> And "mknod /dev/tty9 -p" as FIFO does not help
> to run asterisk with a console.
>
> I found this:
> # From: Herbert Poetzl <herbert_at_13thfloor.at>
> # Date: Wed 17 May 2006 - 18:13:50 BST
> # Message-ID: <20060517171350.GC4935@MAIL.13thfloor.at>
> # On Sun, May 14, 2006 at 09:48:20PM -0700, EKC wrote:
> #> I'm running a perl script inside of a linux vserver, and the script
> #> requires access to tty and pty devices. However /dev/MAKEDEV and
> #> mknod
> #> cannot create pty devices from within a vserver.
> [...]
> #> Is there a way to add devices from within a vserver itself?
> #pts/ptmx is auto created inside a guest, with proper
> #permissions and security (tty and pty are not required
> #inside a guest, unless you want to assign certain 'real'
> #consoles to the guest, like vt0/1/2 etc)
>
> ok and how can I use this magic auto creation inside a guest
> with/for /etc/init.d/asterisk?
> ;)
>
> man ptmx getpt(3), grantpt(3), ptsname(3), unlockpt(3)
> still a little bit too complex for me ;(
> man expect
> man screen
>
> Well I could write
> #!/bin/sh
> # ttydumy.sh
> tty=$(tty)          # the pty we were started on, e.g. /dev/pts/31
> rm -f /dev/tty9
> ln -s "$tty" /dev/tty9
>
> and call screen .../ttydumy.sh inside safe_asterisk,
> but it seems that screen inside slows asterisk.
> (and this is ugly for ssh login and screen -r with
> multiple screens...)
>
> So root@guest can indirectly create dummy devices
> and there is still no tool like mknod for vserver
> - because it is not so necessary and does not
> have such a high priority - right?

no, because it is a big can of worms and a security
issue, just imagine somebody creating a block device
which 'accidentally' is identical to your host's
root partition, and then starts modifying stuff at
a very low level :)

> Don't get me wrong, I don't want to be impolite
> and I don't want to be misunderstood as expecting
> support and inclusion of that feature....
>
> It's just that I want to understand the power
> of vserver and to do the best with them and also
> try to document/promote them: that it is possible
> to run an unpatched asterisk with a colored CLI
> (Patching asterisk would be a second solution,
> would work for me but I think many vserver users
> would not do this...)

not only the power, also the responsibilities should
be known when you manage a system, btw, giving the
proper capability will allow the guest to create
arbitrary device nodes

HTH,
Herbert

PS: I assume you know that there is a project which
uses Linux-VServer to isolate several asterisk
instances on a single host

> Greetings,
> rob
>
>
>
>
> This is OT for Vserver ML,
> more for vserver+asterisk user:
>
> PS: My personal workaround at the moment:
> start screen, and one of those terminals
> is used to get asterisk colored inside
> this terminal:
> tty > /etc/asterisk/tty
> ln -s "$(cat /etc/asterisk/tty)" /dev/tty9
>
> inside safe_asterisk a test whether that
> device still exists... if yes
> TTY=tt9
> so when asterisk crashes and there is
> no TTY9 it will run without a hangup ;)
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu Jul 6 15:36:46 2006
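The mechanics Herbert describes above (a /dev/pts/N node appears when a program asks /dev/ptmx for a terminal, is identified by its c:136:N major/minor, and vanishes once the master side is closed) are easy to see in a few lines of C using the calls Rob lists from the man pages: posix_openpt(3), grantpt(3), unlockpt(3) and ptsname(3). The program below is an added example written for this archive page, not code from the thread or from Linux-VServer or asterisk. It allocates a pty, records the slave node's major/minor, closes the master and shows the slave name is dead afterwards. It also contains a `tty_is_usable()` check of the kind a safe_asterisk-style wrapper would need before trusting a name like /dev/tty9: it refuses dangling symlinks, FIFOs and anything that is not an open-able character device. It assumes Linux with devpts mounted (which, per the quoted May 2006 mail, a guest gets automatically); if /dev/ptmx is unavailable the probe reports `available == 0` instead of failing.

```c
#define _XOPEN_SOURCE 600
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

/* Result of one allocate / inspect / close round trip on /dev/ptmx. */
struct pty_probe {
    int available;       /* 0 if /dev/ptmx could not be used here (no devpts?)   */
    unsigned maj, min;   /* major/minor of the slave node while the master lives */
    int live_before;     /* tty_is_usable(slave) while the master is open        */
    int live_after;      /* tty_is_usable(slave) after the master was closed     */
    char name[64];       /* slave name, e.g. /dev/pts/31 (constructed by devpts) */
};

/* Does `path` currently name a character device that we can open and that
   the kernel considers a terminal?  A symlink left behind by an exited
   shell (the "ln -s /dev/pts/31 /dev/tty9" trick) fails at stat(); a FIFO
   made with "mknod ... p" fails the S_ISCHR test; a node we are not
   permitted to open fails at open(). */
int tty_is_usable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)          /* missing node or dangling symlink */
        return 0;
    if (!S_ISCHR(st.st_mode))          /* FIFOs and plain files are not ttys */
        return 0;
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    int ok = isatty(fd) ? 1 : 0;
    close(fd);
    return ok;
}

/* Ask /dev/ptmx for a new pseudo terminal, look at the slave it created,
   then drop the master and look again. */
struct pty_probe probe_pty(void)
{
    struct pty_probe r;
    memset(&r, 0, sizeof r);

    int master = posix_openpt(O_RDWR | O_NOCTTY);   /* opens /dev/ptmx */
    if (master < 0)
        return r;                                    /* available stays 0 */
    if (grantpt(master) != 0 || unlockpt(master) != 0) {
        close(master);
        return r;
    }
    const char *slave = ptsname(master);             /* "/dev/pts/N" */
    if (slave == NULL) {
        close(master);
        return r;
    }
    snprintf(r.name, sizeof r.name, "%s", slave);

    struct stat st;
    if (stat(slave, &st) != 0) {
        close(master);
        return r;
    }
    r.available   = 1;
    r.maj         = major(st.st_rdev);   /* UNIX98 pty slaves use majors 136-143 */
    r.min         = minor(st.st_rdev);
    r.live_before = tty_is_usable(slave);

    close(master);                       /* nobody holds the pty any more ... */
    r.live_after  = tty_is_usable(slave); /* ... so devpts removes the node */
    return r;
}

int main(void)
{
    struct pty_probe r = probe_pty();
    if (!r.available) {
        puts("/dev/ptmx not usable here (no devpts mounted?)");
        return 1;
    }
    printf("%s is c:%u:%u, usable while open: %d, usable after close: %d\n",
           r.name, r.maj, r.min, r.live_before, r.live_after);
    printf("/dev/tty9 usable: %d\n", tty_is_usable("/dev/tty9"));
    return 0;
}
```

The point for a guest admin is the last two numbers: the name that was a terminal a moment ago stops being one the instant its master goes away, which is why a symlink to it cannot outlive the shell that created it and why a wrapper must re-check the device on every start rather than once.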

Generated on Thu 06 Jul 2006 - 15:36:52 BST by hypermail 2.1.8