Closed blueyed closed 9 years ago
From your error messages, it seems that urxvt is trying to start the `pt_chown` program to set the permissions on the new pty. This will fail under `--noroot` as `pt_chown` needs to be SUID root to run. With the `--noroot` option, there is no root user to SUID to!

The manual page for `pt_chown` says: "If you are using a 2.1 or newer Linux kernel with the 'devptsfs' or 'devfs' filesystems providing pty slaves, you don't need this program".

Therefore it might be possible to compile urxvt without pt_chown support. I'm not an expert in urxvt so you'd have to do some research.
The call to `pt_chown` seems to happen through `grantpt` in `get_pty` (in libptytty/src/ptytty.C) (I have added the `printf`):
```c
#if defined(UNIX98_PTY)
static int
get_pty (int *fd_tty, char **ttydev)
{
  int pfd;

# if defined(HAVE_GETPT)
  pfd = getpt ();
# elif defined(HAVE_POSIX_OPENPT)
  pfd = posix_openpt (O_RDWR | O_NOCTTY);
# else
#  ifdef _AIX
  pfd = open ("/dev/ptc", O_RDWR | O_NOCTTY, 0);
#  else
  pfd = open ("/dev/ptmx", O_RDWR | O_NOCTTY, 0);
#  endif
# endif

  if (pfd >= 0)
    {
      printf("pfd: %d, %d\n", grantpt(pfd), errno);
      if (grantpt (pfd) == 0 /* change slave permissions */
          && unlockpt (pfd) == 0)
        {
          /* slave now unlocked */
          *ttydev = strdup (ptsname (pfd)); /* get slave's name */
          return pfd;
        }

      close (pfd);
    }

  return -1;
}
#elif defined(HAVE_OPENPTY)
```
errno is `EAGAIN 11 Resource temporarily unavailable`, and while it is not in my manpage for `grantpt`, a search appears to indicate that it means "[EAGAIN] The system has no available pseudo-terminal devices".
btw: with `firejail --noroot groups` I am only in my user's group and `nogroup`. Is this expected?

It seems like the name `--noroot` is a bit misleading, because it apparently does much more?!
Personally, I think the `--noroot` option isn't misleading - it removes the root user. The `pt_chown` program is attempting to change to the root user (as it's installed SUID root), but firejail has removed the root user! Therefore the `pt_chown` program can't run, and the program can't allocate a pty.

This is basically exactly what `firejail --noroot` is meant to do! You've told firejail to remove the root user and block anything it does, for security. All modern Linuxes can work perfectly fine without a SUID program managing pseudo-terminals, whereas your Linux is running a SUID binary in the background without your knowledge. This is a potential security hole and is exactly the kind of thing that firejail was written for.

TL;DR you told firejail to block root, it succeeded.
Well, `grantpt` comes from glibc (so it should be pretty common?!).

And it uses `pt_chown` as a (fallback) helper based on HAVE_PT_CHOWN.

> The grantpt() function changes the mode and owner of the slave pseudoterminal device corresponding to the master pseudoterminal referred to by fd. The user ID of the slave is set to the real UID of the calling process. The group ID is set to an unspecified value (e.g., tty). The mode of the slave is set to 0620 (crw--w----).
It looks to me like the `pt_chown` call only gets done because the regular `chown` fails, which is because with `--noroot` the `tty` group does not exist anymore:

```
% touch foo
% sudo chgrp tty foo
% chgrp tty foo
% firejail --noroot chgrp tty foo
Parent pid 31667, child pid 31668
Child process initialized
chgrp: changing group of ‘foo’: Invalid argument
parent is shutting down, bye...
% firejail chgrp tty foo
Parent pid 31801, child pid 31802
Child process initialized
parent is shutting down, bye...
```

`chgrp` (and `chmod`) succeed if the group is already set as expected.
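To make the diagnosis above reproducible, here is a small C probe (added for this write-up, not code from the thread, from libptytty or from firejail) that checks whether a `tty` group is visible in the current namespace and then runs the same `posix_openpt`/`grantpt`/`unlockpt` sequence as `get_pty`, reporting which errno is left behind. The struct and function names are this example's own; run it once normally and once under `firejail --noroot` to compare the two outcomes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of one pty allocation attempt (names are this example's own). */
struct pty_probe {
    int ok;            /* 1 if grantpt() and unlockpt() both succeeded */
    int fail_errno;    /* errno left behind by the failing call, else 0 */
    int tty_gid;       /* gid of the "tty" group here, or -1 if not visible */
};

/* getgrnam("tty") returns NULL inside a --noroot user namespace, where the
   group was never mapped; that is what makes grantpt()'s chown fail. */
int lookup_tty_gid(void) {
    struct group *g = getgrnam("tty");
    return g ? (int)g->gr_gid : -1;
}

/* Same sequence as libptytty's get_pty(): open master, grantpt, unlockpt. */
struct pty_probe probe_pty(void) {
    struct pty_probe r = { 0, 0, lookup_tty_gid() };
    int pfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (pfd < 0) { r.fail_errno = errno; return r; }
    if (grantpt(pfd) == 0 && unlockpt(pfd) == 0)
        r.ok = 1;
    else
        r.fail_errno = errno;
    close(pfd);
    return r;
}

/* Map the outcome onto the cases discussed in the thread. */
const char *explain(const struct pty_probe *r) {
    if (r->ok)
        return "pty allocated: grantpt/unlockpt succeeded";
    if (r->tty_gid < 0)
        return "grantpt failed and no tty group is visible: user namespace without tty group";
    return "grantpt/unlockpt failed although the tty group exists";
}

int main(void) {
    struct pty_probe r = probe_pty();
    printf("tty gid: %d, errno: %d (%s)\n", r.tty_gid, r.fail_errno, explain(&r));
    return r.ok ? 0 : 1;
}
```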
Not all programs run in "firejail --noroot". In fact, lots of them crash. SUID programs will fail trying to execute root-only operations, because there is no root user in the namespace.

rxvt example on a Debian system:

```
$ firejail --noroot rxvt
Parent pid 5793, child pid 5794
Child process initialized
rxvt: can't open pseudo-tty
rxvt: aborting
parent is shutting down, bye...
```

rxvt is a SUID binary. Just don't use --noroot with SUID binaries.
Neither `rxvt-unicode` nor `gnome-terminal` is SUID on my system (I have not checked `rxvt` - `/etc/alternatives/rxvt` points at `/usr/bin/urxvt` here, but I use `/usr/local/bin/urxvt` usually).

`gnome-terminal` fails with `grantpt failed: Exec format error` when used in the `vim-in-term` script (which gets called from Firefox via Vimperator). That appears to indicate the same issue.

The workaround seems to be using `noroot` from the Firefox profile, but I had hoped that there was a better fix for this.

I still think that if the `tty` group (id) was provided with `--noroot` then it might work.
For what it's worth, my hack / workaround for this is currently this:
Index: src/ptytty.C
===================================================================
RCS file: /schmorpforge/libptytty/src/ptytty.C,v
retrieving revision 1.56
diff -u -r1.56 ptytty.C
--- src/ptytty.C 1 May 2015 13:12:17 -0000 1.56
+++ src/ptytty.C 19 Aug 2015 08:49:47 -0000
@@ -87,7 +87,7 @@
if (pfd >= 0)
{
- if (grantpt (pfd) == 0 /* change slave permissions */
+ if ((grantpt (pfd) == 0 || errno == ENOEXEC || errno == EAGAIN) /* change slave permissions */
&& unlockpt (pfd) == 0)
{
/* slave now unlocked */
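Review bot: the `+` line makes `grantpt` failures with ENOEXEC or EAGAIN count as success, so the slave's owner and 0620 mode that the quoted manpage says `grantpt` sets are no longer guaranteed before the pty is handed out, and EAGAIN (which this thread reads as "The system has no available pseudo-terminal devices") is masked as well. Consider narrowing the bypass to the namespace case actually being worked around, e.g. only when `getgrnam ("tty")` returns NULL, and spelling that reason out in the comment instead of `/* change slave permissions */`, which no longer describes what the condition does.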
A simple solution would be to use `xterm` instead of `rxvt`, as `xterm` works fine in `--noroot` mode. Is there any reason you can't use xterm instead? It would seem to be more secure than rxvt.
The issue with --noroot is like this:

I instruct the kernel to create a user namespace, with no root user in the namespace, just the current user and the group associated with the current user. I don't add any supplementary group to the namespace. The kernel code decides what is permitted or not, and it will crash the process according to its own rules. The easy fix is not to use --noroot with some programs. The real fix would be to argue with the kernel people and convince them to change user namespace code - good luck with that!

tty group: users in this group have permission to open /dev/tty. If I add the tty group to the noroot namespace, everybody will have permission to access /dev/tty directly. I don't think it is a good idea. gnome-terminal has lots of problems related to the way they handle the terminal. Like Firefox, they also run a single instance of the program. I usually stay with xterm and lxterminal (from LXDE).
Thanks for your explanation and suggestion to use `xterm`, which works.

However, my config is tailored for rxvt-unicode and its features in general, and therefore I will keep using my above patch instead for now.
I am using Vimperator in Firefox and have `set editor=vim-in-term`, which is a script that calls `urxvt ... vim`.

The `noroot` option in `/etc/firejail/firefox.profile` causes urxvt to fail:

From reading the description of `noroot` this does not seem to be obvious:

The code from rxvt-unicode is this, where `pty` appears to come from libptytty (CVS at `:pserver:anonymous@cvs.schmorp.de/schmorpforge`):

It can be reproduced using:

Using `firejail --noroot strace -f /usr/bin/rxvt-unicode` shows this at the end (group 5 being `tty`):

Is this an issue with rxvt-unicode, or is there anything firejail can do to allow this still?