login fails with "FATAL: bad tty" inside LXC container #645

ava1ar opened this issue Jun 3, 2018 · 2 comments
Labels
NEEDINFO Need more information from reporter

Comments

ava1ar commented Jun 3, 2018

This is related to security restrictions inside the container and has been well known for a while. login from util-linux checks the output of ttyname(fd) and doesn't accept a null value (which is a valid value for a tty inside the unprivileged tty container). As a result, on any Linux distribution which uses login from util-linux, the following command fails:
lxc exec <container_name> -- /bin/login -f <user_name>
with "FATAL: bad tty" inside the container's log. However, Debian and Ubuntu are using the login implementation from the shadow project, which works fine for this case (login from shadow doesn't expect the tty name to be non-null and simply assigns it to UNKNOWN in this case).

@karelzak karelzak added the NEEDINFO Need more information from reporter label Jun 4, 2018
Collaborator

karelzak commented Jun 4, 2018

I don't understand how NULL could be a valid value from ttyname().

Anyway, login(1) calls vhangup() and re-opens the tty. We need the name to initialize the session. The name is also used for PAM, etc.

So, I don't think we can change the current behaviour. Maybe we can add an extra option (e.g. --keep-tty) for special use-cases like containers.

Author

ava1ar commented Jun 4, 2018

This comment actually describes how it happens that the tty has a NULL name. This problem looks complex, associated with 3 big projects at a time: util-linux, lxc and glibc, and I am not sure where the proper fix should be (most likely, something needs to be addressed in all of these projects). I entered the bug with the following reasoning:

  • lxc exec <container_name> -- /bin/login -f <user_name> fails for ArchLinux and Fedora but works for Debian and Ubuntu
  • Debian and Ubuntu work since they are using login from the shadow project, while Arch and Fedora are using the util-linux version
  • replacing login on Arch with version from shadow works
  • get_terminal_name from ttyutils.c currently reports name, path and number for tty inside lxc as null, null, null, most likely since it dereferences the symlink, which points to the tty not created in container's namespace, however tty itself is fully workable.

I have some time for hacking this or testing possible fixes, but I am asking for direction on where to look for a possible fix.
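
The two behaviours discussed in this thread, as an added example that is not code from util-linux, shadow or any participant: it probes a descriptor with isatty() and ttyname() and shows what a strict policy (refuse when no name resolves) and a fallback policy (substitute "UNKNOWN") each decide. The names `choose_tty_name`, `probe_fd` and `POLICY_*` are hypothetical, and refusing a non-terminal under both policies is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum policy { POLICY_STRICT, POLICY_FALLBACK };  /* hypothetical names */

/*
 * Decide which tty name a login-like program would use.
 * is_tty: result of isatty(fd); name: result of ttyname(fd), may be NULL.
 * Returns 0 and fills out on success, -1 when the login must be refused.
 */
int choose_tty_name(int is_tty, const char *name, enum policy p,
                    char *out, size_t len)
{
    if (!is_tty)
        return -1;             /* assumption: both policies need a terminal */
    if (name == NULL) {
        if (p == POLICY_STRICT)
            return -1;         /* the "FATAL: bad tty" outcome in the report */
        name = "UNKNOWN";      /* fallback the report attributes to shadow */
    }
    snprintf(out, len, "%s", name);
    return 0;
}

/* Probe a real descriptor and apply the chosen policy. */
int probe_fd(int fd, enum policy p, char *out, size_t len)
{
    int is_tty = isatty(fd);
    const char *name = is_tty ? ttyname(fd) : NULL;
    return choose_tty_name(is_tty, name, p, out, len);
}

int main(void)
{
    const char *labels[] = { "strict", "fallback" };
    char buf[64];
    errno = 0;
    int is_tty = isatty(STDIN_FILENO);
    const char *name = is_tty ? ttyname(STDIN_FILENO) : NULL;
    printf("isatty=%d ttyname=%s errno=%s\n", is_tty,
           name ? name : "(null)", name ? "-" : strerror(errno));
    for (int p = POLICY_STRICT; p <= POLICY_FALLBACK; p++) {
        if (choose_tty_name(is_tty, name, (enum policy)p, buf, sizeof buf) == 0)
            printf("%-8s -> accept, tty name \"%s\"\n", labels[p], buf);
        else
            printf("%-8s -> refuse\n", labels[p]);
    }
    return 0;
}
```

Running the compiled binary on the host and again through lxc exec shows whether stdin is a terminal whose name cannot be resolved, which is the case where the two policies diverge.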
