meson: allow to customize the access mode for tty/pts devices

Then, switch the default value to "0600", due to general security
concerns about terminals being written to by other users.

Closing #35599.

diff --git a/NEWS b/NEWS
index e6baa12c4054e28fe8a24d4e8536d4e88bc45d63..7563d63d9c919667aa6d27342500f506b9f3403a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,11 @@ CHANGES WITH 258 in spe:
 
         Incompatible changes:
 
+        * The default access mode of tty/pts device nodes has been changed to
+          0600, which was 0620 in the older releases, due to general security
+          concerns about terminals being written to by other users. To restore
+          the old default access mode, use '-Dtty-mode=0620' meson build option.
+
         * systemd-run's --expand-environment= switch, which was disabled
           by default when combined with --scope, has been changed to to be
           enabled by default. This brings cmdline expansion of transient

diff --git a/meson.build b/meson.build
index bffda86845b11d776cf49657a708b3d31dff6ea8..aa51a3aead3726bff5f43117bab05164afb0a69c 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -978,6 +978,16 @@ conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
 group_render_mode = get_option('group-render-mode')
 conf.set_quoted('GROUP_RENDER_MODE', group_render_mode)
 conf.set10('GROUP_RENDER_UACCESS', group_render_mode != '0666')
+tty_mode = get_option('tty-mode')
+# The setting is used as both octal integer and string through STRINGIFY().
+# Here, only check if the value starts with '06', and further check will be done in terminal-util.h.
+if not tty_mode.startswith('06')
+        error('Unexpected access mode "@0@" is specified for TTY/PTS device nodes, it must be "06xx".'.format(tty_mode))
+elif tty_mode != '0600' and tty_mode != '0620'
+        warning('Unexpected access mode "@0@" is specified for TTY/PTS device nodes, typically it should be "0600" or "0620", proceeding anyway.'.format(tty_mode))
+endif
+# Do not use set_quoted() here, so that the value is available as an integer.
+conf.set('TTY_MODE', tty_mode)
 
 kill_user_processes = get_option('default-kill-user-processes')
 conf.set10('KILL_USER_PROCESSES', kill_user_processes)

diff --git a/meson_options.txt b/meson_options.txt
index 78ec25bfa3c4b57b33135b84e3a1f04bc5279faa..d9242d3b30a115ae65bb7b7a787834dd6d578ea0 100644 (file)
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -330,6 +330,8 @@ option('dev-kvm-mode', type : 'string', value : '0666',
        description : '/dev/kvm access mode')
 option('group-render-mode', type : 'string', value : '0666',
        description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
+option('tty-mode', type : 'string', value : '0600',
+       description : 'Access mode for tty/pts device nodes.')
 option('default-kill-user-processes', type : 'boolean',
        description : 'the default value for KillUserProcesses= setting')
 option('gshadow', type : 'boolean',

diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
index 6f80feeecf8ffe367f1bdc809d9a5f59c0175381..8fa518cd8f92152cd9138d6c120e2f9bafe01e15 100644 (file)
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@@ -37,7 +37,7 @@ ACTION!="add", GOTO="default_end"
 
 SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
 SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666"
-SUBSYSTEM=="tty", KERNEL=="tty[0-9]*|hvc[0-9]*|sclp_line[0-9]*|ttysclp[0-9]*|3270/tty[0-9]*", GROUP="tty", MODE="0620"
+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*|hvc[0-9]*|sclp_line[0-9]*|ttysclp[0-9]*|3270/tty[0-9]*", GROUP="tty", MODE="{{TTY_MODE}}"
 SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty"
 KERNEL=="tty[A-Z]*[0-9]|ttymxc[0-9]*|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout"
 

diff --git a/src/basic/terminal-util.h b/src/basic/terminal-util.h
index 782b0fed9dd6620a82c8324a2116178511f2049c..fc7a22e6a50d2a7dcebf59ca7765facf3af75f78 100644 (file)
--- a/src/basic/terminal-util.h
+++ b/src/basic/terminal-util.h
@@ -143,8 +143,9 @@ int vt_release(int fd, bool restore_vt);
 
 void get_log_colors(int priority, const char **on, const char **off, const char **highlight);
 
-/* This assumes there is a 'tty' group */
-#define TTY_MODE 0620
+/* Assume TTY_MODE is defined in config.h. Also, this assumes there is a 'tty' group. */
+assert_cc((TTY_MODE & ~0666) == 0);
+assert_cc((TTY_MODE & 0711) == 0600);
 
 void termios_disable_echo(struct termios *termios);
 

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 500725d35f651346cbee16c0fca2a4b45b6a5bb9..6f90f2f418d2954ce784ab9de213275631260a50 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2399,13 +2399,13 @@ static int setup_pts(const char *dest) {
 #if HAVE_SELINUX
         if (arg_selinux_apifs_context)
                 (void) asprintf(&options,
-                                "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT ",context=\"%s\"",
+                                "newinstance,ptmxmode=0666,mode=" STRINGIFY(TTY_MODE) ",gid=" GID_FMT ",context=\"%s\"",
                                 arg_uid_shift + TTY_GID,
                                 arg_selinux_apifs_context);
         else
 #endif
                 (void) asprintf(&options,
-                                "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT,
+                                "newinstance,ptmxmode=0666,mode=" STRINGIFY(TTY_MODE) ",gid=" GID_FMT,
                                 arg_uid_shift + TTY_GID);
 
         if (!options)

diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index d5009fb59ed158da8017f197e817c693c8f85266..73be3b5dce72473acaeb3cb0282f8f5537945960 100644 (file)
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -93,7 +93,7 @@ static const MountPoint mount_table[] = {
 #endif
         { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=01777",                               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "devpts",      "/dev/pts",                  "devpts",     "mode=0620,gid=" STRINGIFY(TTY_GID),        MS_NOSUID|MS_NOEXEC,
+        { "devpts",      "/dev/pts",                  "devpts",     "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
           NULL,          MNT_IN_CONTAINER           },
 #if ENABLE_SMACK
         { "tmpfs",       "/run",                      "tmpfs",      "mode=0755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,

diff --git a/tools/meson-render-jinja2.py b/tools/meson-render-jinja2.py
index 977de79378a96c1e528ce6ca4ea7a2fe4caae259..1f893ed9a429289779593034c54d39c725442055 100755 (executable)
--- a/tools/meson-render-jinja2.py
+++ b/tools/meson-render-jinja2.py
@@ -17,7 +17,9 @@ def parse_config_h(filename):
         if not m:
             continue
         a, b = m.groups()
-        if b and b[0] in '0123456789"':
+        # The function ast.literal_eval() cannot evaluate octal integers, e.g. 0600.
+        # So, it is intentional that the string below does not contain '0'.
+        if b and (b[0] in '123456789"' or b == '0'):
             b = ast.literal_eval(b)
         ans[a] = b
     return ans