meson: allow to customize the access mode for tty/pts devices

Then, switch the default value to "0600", due to general security concerns about terminals being written to by other users. Closing #35599.
2025-01-18 10:04:04 +03:00 · 2024-12-16 11:50:53 +09:00 · 2024-12-16 11:50:53 +09:00 · a4d1891475
commit a4d1891475
parent 0543b02cf8
8 changed files with 27 additions and 7 deletions
--- a/5
+++ b/5
@ -4,6 +4,11 @@ CHANGES WITH 258 in spe:
        Incompatible changes:
        * The default access mode of tty/pts device nodes has been changed to
          0600, which was 0620 in the older releases, due to general security
          concerns about terminals being written to by other users. To restore
          the old default access mode, use '-Dtty-mode=0620' meson build option.
        * systemd-run's --expand-environment= switch, which was disabled
          by default when combined with --scope, has been changed to to be
          enabled by default. This brings cmdline expansion of transient
--- a/meson.build
+++ b/meson.build
@ -978,6 +978,16 @@ conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
 group_render_mode = get_option('group-render-mode')
 conf.set_quoted('GROUP_RENDER_MODE', group_render_mode)
 conf.set10('GROUP_RENDER_UACCESS', group_render_mode != '0666')
 tty_mode = get_option('tty-mode')
 # The setting is used as both octal integer and string through STRINGIFY().
 # Here, only check if the value starts with '06', and further check will be done in terminal-util.h.
 if not tty_mode.startswith('06')
        error('Unexpected access mode "@0@" is specified for TTY/PTS device nodes, it must be "06xx".'.format(tty_mode))
 elif tty_mode != '0600' and tty_mode != '0620'
        warning('Unexpected access mode "@0@" is specified for TTY/PTS device nodes, typically it should be "0600" or "0620", proceeding anyway.'.format(tty_mode))
 endif
 # Do not use set_quoted() here, so that the value is available as an integer.
 conf.set('TTY_MODE', tty_mode)
 kill_user_processes = get_option('default-kill-user-processes')
 conf.set10('KILL_USER_PROCESSES', kill_user_processes)
--- a/meson_options.txt
+++ b/meson_options.txt
@ -330,6 +330,8 @@ option('dev-kvm-mode', type : 'string', value : '0666',
       description : '/dev/kvm access mode')
 option('group-render-mode', type : 'string', value : '0666',
       description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
 option('tty-mode', type : 'string', value : '0600',
       description : 'Access mode for tty/pts device nodes.')
 option('default-kill-user-processes', type : 'boolean',
       description : 'the default value for KillUserProcesses= setting')
 option('gshadow', type : 'boolean',
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@ -37,7 +37,7 @@ ACTION!="add", GOTO="default_end"
 SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
 SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666"
-SUBSYSTEM=="tty", KERNEL=="tty[0-9]*|hvc[0-9]*|sclp_line[0-9]*|ttysclp[0-9]*|3270/tty[0-9]*", GROUP="tty", MODE="0620"
+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*|hvc[0-9]*|sclp_line[0-9]*|ttysclp[0-9]*|3270/tty[0-9]*", GROUP="tty", MODE="{{TTY_MODE}}"
 SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty"
 KERNEL=="tty[A-Z]*[0-9]|ttymxc[0-9]*|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout"
--- a/src/basic/terminal-util.h
+++ b/src/basic/terminal-util.h
@ -143,8 +143,9 @@ int vt_release(int fd, bool restore_vt);
 void get_log_colors(int priority, const char **on, const char **off, const char **highlight);
-/* This assumes there is a 'tty' group */
+/* Assume TTY_MODE is defined in config.h. Also, this assumes there is a 'tty' group. */
-#define TTY_MODE 0620
+assert_cc((TTY_MODE & ~0666) == 0);
 assert_cc((TTY_MODE & 0711) == 0600);
 void termios_disable_echo(struct termios *termios);
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2399,13 +2399,13 @@ static int setup_pts(const char *dest) {
 #if HAVE_SELINUX
        if (arg_selinux_apifs_context)
                (void) asprintf(&options,
-                                "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT ",context=\"%s\"",
+                                "newinstance,ptmxmode=0666,mode=" STRINGIFY(TTY_MODE) ",gid=" GID_FMT ",context=\"%s\"",
                                arg_uid_shift + TTY_GID,
                                arg_selinux_apifs_context);
        else
 #endif
                (void) asprintf(&options,
-                                "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT,
+                                "newinstance,ptmxmode=0666,mode=" STRINGIFY(TTY_MODE) ",gid=" GID_FMT,
                                arg_uid_shift + TTY_GID);
        if (!options)
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@ -93,7 +93,7 @@ static const MountPoint mount_table[] = {
 #endif
        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=01777",                               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "devpts",      "/dev/pts",                  "devpts",     "mode=0620,gid=" STRINGIFY(TTY_GID),        MS_NOSUID|MS_NOEXEC,
+        { "devpts",      "/dev/pts",                  "devpts",     "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
          NULL,          MNT_IN_CONTAINER           },
 #if ENABLE_SMACK
        { "tmpfs",       "/run",                      "tmpfs",      "mode=0755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
--- a/tools/meson-render-jinja2.py
+++ b/tools/meson-render-jinja2.py
@ -17,7 +17,9 @@ def parse_config_h(filename):
        if not m:
            continue
        a, b = m.groups()
-        if b and b[0] in '0123456789"':
+        # The function ast.literal_eval() cannot evaluate octal integers, e.g. 0600.
        # So, it is intentional that the string below does not contain '0'.
        if b and (b[0] in '123456789"' or b == '0'):
            b = ast.literal_eval(b)
        ans[a] = b
    return ans