
We have an [Ubuntu 20.04] Docker image, used as part of a test system, in which I need to run pppd (to test a dial-up connection), where pppd is connected to the physical modem via a socat loop. My problem is that, when the [non-root] user of the Docker container (let's call the user usera) executes pppd (which is setuid, that part works fine), pppd is unable to access the device that the same user has set up just a moment ago using socat. usera successfully executes:

socat pty,link=/tmp/ppp0,echo=0,raw,b115200 pty,link=/tmp/tty0,echo=0,raw,b115200

...which runs fine, where the Dockerfile has set up the permissions on /tmp as:

chmod 1777 /tmp

...i.e. tmp has permissions drwxrwxrwt.

The socat command-line successfully creates:

ls -l /tmp
total 0
lrwxrwxrwx 1 ubxlib ubxlib 10 Mar  8 15:33 ppp0 -> /dev/pts/1
lrwxrwxrwx 1 ubxlib ubxlib 10 Mar  8 15:33 tty0 -> /dev/pts/2

...but when usera then executes pppd to connect to one end of the loop, we get:

pppd /tmp/ppp0 115200 passive debug local nodetach
pppd: Couldn't stat /tmp/ppp0: Permission denied

If, instead, usera knows the /dev/pts/x that socat just created, rather than using the link through /tmp/ppp0, then pppd works:

pppd /dev/pts/1 115200 passive debug local nodetach
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
...

How do I make pppd work with the link that socat provides, under the usera user, rather than usera having to know what socat has done?

For completeness, the permissions of pppd are -rwsr-xr-x. sudo is not an option here as this is inside a Docker container run via SSH by Jenkins, so there is no TTY/responder for a password.

  • It seems that setting sudo sysctl fs.protected_symlinks=0 in the host Linux system (this seems to be something that must be set in the underlying file system, it is not something that Docker can do) fixes the problem. Question is, is that wise?
    – Rob
    Commented Mar 8 at 20:42

1 Answer


The answer was that I needed to set sudo sysctl fs.protected_symlinks=0 in the host Linux system (set persistently in /usr/lib/sysctl.d/protect-links.conf). I will leave it up to the reader as to whether this is a wise thing to do or not, but for the purposes of our test system it is fine.
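The "Permission denied" on stat comes from the kernel's fs.protected_symlinks rule: a setuid-root pppd runs with filesystem uid 0, while /tmp/ppp0 is owned by usera and sits in a sticky, world-writable directory owned by root, so the symlink may not be followed. The Python model below of that rule is an added example, not code from the question, the answer, pppd or the kernel; the uid values are constructed (usera, shown as ubxlib in the ls output, is assumed to be uid 1000). It reproduces both outcomes seen on the page and, going one step beyond them, shows that the same link in a directory owned by usera would be followed even with the protection left enabled.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Minimal stand-in for a kernel inode: owner uid and st_mode bits."""
    uid: int
    mode: int


def may_follow_link(link: Inode, parent: Inode, fsuid: int,
                    protected_symlinks: bool) -> bool:
    """Model of fs/namei.c may_follow_link(): may a process whose filesystem
    uid is `fsuid` traverse symlink `link` located in directory `parent`?"""
    if not protected_symlinks:            # sysctl fs.protected_symlinks=0
        return True
    if fsuid == link.uid:                 # follower owns the link
        return True
    sticky_ww = stat.S_ISVTX | stat.S_IWOTH
    if (parent.mode & sticky_ww) != sticky_ww:   # dir not sticky + world-writable
        return True
    if parent.uid == link.uid:            # directory owner also owns the link
        return True
    return False                          # -EACCES: "Permission denied"


# Constructed uids: root, and an assumed uid for usera (ubxlib in the ls -l output)
ROOT, USERA = 0, 1000
TMP_DIR = Inode(uid=ROOT, mode=stat.S_IFDIR | 0o1777)    # chmod 1777 /tmp, owned by root
PPP0_LINK = Inode(uid=USERA, mode=stat.S_IFLNK | 0o777)  # /tmp/ppp0 created by socat as usera
USERA_DIR = Inode(uid=USERA, mode=stat.S_IFDIR | 0o755)  # hypothetical directory owned by usera


def pppd_follows_link(link_dir: Inode = TMP_DIR, *, protected_symlinks: bool = True,
                      setuid_root: bool = True) -> bool:
    """True if pppd (setuid root, so fsuid 0) may stat the symlink inside link_dir."""
    fsuid = ROOT if setuid_root else USERA
    return may_follow_link(PPP0_LINK, link_dir, fsuid, protected_symlinks)


if __name__ == "__main__":
    print("setuid pppd, /tmp, protection on :", pppd_follows_link())
    print("setuid pppd, /tmp, protection off:", pppd_follows_link(protected_symlinks=False))
    print("non-setuid process running as usera:", pppd_follows_link(setuid_root=False))
    print("setuid pppd, dir owned by usera  :", pppd_follows_link(USERA_DIR))
```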
