Defect report from: Ed Schouten, The FreeBSD Project
(Please direct followup comments directly to austin-group-l@opengroup.org)
@ page 0 line 0 section posix_openpt comment {n/a}
Problem:
Edition of Specification (Year): 2008
Defect code : 3. Clarification required
I guess a small change to the spec could be made to make implementing
pseudo-terminals on various operating systems simpler and more secure:
posix_openpt() is often used in combination with grantpt() and unlockpt().
Many operating systems will create a pseudo-terminal on demand, instead of
recycling it. Linux uses /dev/ptmx and a file system called devpts, mounted on
/dev/pts. In FreeBSD CURRENT, posix_openpt() is implemented as a system call,
which allocates a TTY and exposes its device node in devfs.
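As an added illustration (my own code, not part of the defect report or of any implementation it mentions), this is the portable allocation sequence the report refers to, followed by the ownership check that grantpt() exists to make possible. The helper names (pty_open_pair, pty_slave_is_private, pty_roundtrip, pty_missing_errno), the status codes and the sample line are assumptions of the example; the functions posix_openpt(), grantpt(), unlockpt() and ptsname() are the POSIX ones.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for the helpers below (names are my own, not POSIX). */
enum pty_status { PTY_OK = 0, PTY_UNAVAILABLE = 1, PTY_FAILED = -1 };

/* errno values that mean "this host has no usable pty device", e.g. a
 * minimal container without /dev/ptmx or a mounted /dev/pts. */
static int pty_missing_errno(int e)
{
    return e == ENOENT || e == ENXIO || e == ENODEV ||
           e == EACCES || e == EPERM || e == ENOSYS;
}

/* Allocate a master/slave pair with the portable sequence:
 * posix_openpt() -> grantpt() -> unlockpt() -> ptsname() -> open().
 * On PTY_OK, *master and *slave are open and name holds the slave path. */
static int pty_open_pair(int *master, int *slave, char *name, size_t namelen)
{
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0)
        return pty_missing_errno(errno) ? PTY_UNAVAILABLE : PTY_FAILED;

    /* grantpt() hands the slave node to the real UID and restricts its mode;
     * unlockpt() then permits the slave to be opened. Where posix_openpt()
     * already did both, they may be no-ops, but a portable caller still
     * issues them. */
    if (grantpt(mfd) != 0 || unlockpt(mfd) != 0) {
        close(mfd);
        return PTY_FAILED;
    }

    /* ptsname() returns a static buffer, so copy it out right away. */
    const char *p = ptsname(mfd);
    if (p == NULL || strlen(p) >= namelen) {
        close(mfd);
        return PTY_FAILED;
    }
    strcpy(name, p);

    int sfd = open(name, O_RDWR | O_NOCTTY);
    if (sfd < 0) {
        int e = errno;
        close(mfd);
        return pty_missing_errno(e) ? PTY_UNAVAILABLE : PTY_FAILED;
    }
    *master = mfd;
    *slave = sfd;
    return PTY_OK;
}

/* The property grantpt() is meant to establish: the slave node belongs to
 * the caller's real UID and is neither readable nor writable by others.
 * Returns 1 when both hold, 0 otherwise. */
static int pty_slave_is_private(int slave_fd)
{
    struct stat st;
    if (fstat(slave_fd, &st) != 0)
        return 0;
    return st.st_uid == getuid() && (st.st_mode & (S_IROTH | S_IWOTH)) == 0;
}

/* Allocate a pair, verify the slave's ownership, and push one constructed
 * line through the master so it can be read back from the slave (the slave
 * starts in canonical mode, so the newline completes the line). */
static int pty_roundtrip(void)
{
    int mfd, sfd;
    char name[64], buf[64];
    static const char line[] = "hello from the master\n"; /* constructed sample */
    const size_t len = sizeof line - 1;

    int rc = pty_open_pair(&mfd, &sfd, name, sizeof name);
    if (rc != PTY_OK)
        return rc;

    rc = PTY_FAILED;
    if (pty_slave_is_private(sfd) &&
        write(mfd, line, len) == (ssize_t)len &&
        read(sfd, buf, sizeof buf) == (ssize_t)len &&
        memcmp(buf, line, len) == 0)
        rc = PTY_OK;

    close(sfd);
    close(mfd);
    return rc;
}

int main(void)
{
    int rc = pty_roundtrip();
    printf("pty round trip: %s\n", rc == PTY_OK ? "ok" :
           rc == PTY_UNAVAILABLE ? "no pty device on this host" : "failed");
    return rc == PTY_FAILED;
}
```

The ownership check is the part worth keeping in real programs: whether grantpt() does real work (setuid helper, privileged ioctl) or is a no-op because posix_openpt() already set the owner, the observable guarantee is the same, and fstat() on the slave is how a program confirms it rather than trusting either path.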
I haven't seen a single piece of software that calls grantpt() on a file
descriptor multiple times, or changes the real UID before calling grantpt(). I
guess it would be a lot simpler for operating systems to implement this, if
there was some kind of provision that if posix_openpt() already performs the
necessary steps to change the owner/group of the pseudo-terminal and performs
an action similar to unlockpt(), the grantpt() and unlockpt() functions may be
implemented as no-ops. I would almost advise to mark grantpt() and unlockpt()
as obsolete, but that would break a lot of stuff, I guess.
Right now some operating systems use setuid binaries to change the owner of the
pseudo-terminal. By changing the specification as described above, operating
systems will never need some `supernatural' function to bypass UNIX permissions
to chown()/chmod() a character device they don't own.
Action:
Change grantpt() and unlockpt() to mention:
These functions may have no effect on implementations where similar actions are
already performed by posix_openpt().