We have an [Ubuntu 20.04] Docker image, used as part of a test system, in which I need to run `pppd` (to test a dial-up connection), where `pppd` is connected to the physical modem via a `socat` loop. My problem is that, when the [non-root] user of the Docker container (let's call the user `usera`) executes `pppd` (which is `setuid`, that part works fine), `pppd` is unable to access the device that the same user has set up just a moment ago using `socat`. `usera` successfully executes:

```
socat pty,link=/tmp/ppp0,echo=0,raw,b115200 pty,link=/tmp/tty0,echo=0,raw,b115200
```

...which runs fine, where the Dockerfile has set up the permissions on `/tmp` as:

```
chmod 1777 /tmp
```

...i.e. `tmp` has permissions `drwxrwxrwt`.

The `socat` command-line successfully creates:

```
ls -l /tmp
total 0
lrwxrwxrwx 1 ubxlib ubxlib 10 Mar 8 15:33 ppp0 -> /dev/pts/1
lrwxrwxrwx 1 ubxlib ubxlib 10 Mar 8 15:33 tty0 -> /dev/pts/2
```

...but when `usera` then executes `pppd` to connect to one end of the loop, we get:

```
pppd /tmp/ppp0 115200 passive debug local nodetach
pppd: Couldn't stat /tmp/ppp0: Permission denied
```

If, instead, `usera` knows the `/dev/pts/x` that `socat` just created, rather than using the link through `/tmp/ppp0`, then `pppd` works:

```
pppd /dev/pts/1 115200 passive debug local nodetach
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
...
```

How do I make `pppd` work with the link that `socat` provides, under the `usera` user, rather than `usera` having to know what `socat` has done?

For completeness, the permissions of `pppd` are `-rwsr-xr-x`. `sudo` is not an option here as this is inside a Docker container run via SSH by Jenkins, so there is no TTY/responder for a password.

```
sudo sysctl fs.protected_symlinks=0
```

in the host Linux system (this seems to be something that must be set in the underlying file system, it is not something that Docker can do) fixes the problem. Question is, is that wise?
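As an added illustration, not part of the question above, the following Python models the Linux `fs.protected_symlinks` rule that produces the `Permission denied` in the post. Inside a directory that is both sticky and world-writable, the kernel follows a symlink only if the follower's fsuid equals the link's owner, or the directory's owner equals the link's owner. Because `pppd` is setuid root its fsuid is 0, while `/tmp/ppp0` belongs to `usera` and `/tmp` belongs to root, so neither exemption applies. The uid 1000 for `usera` and the `check_path` helper are constructed for the example; the rule itself is the one documented in the kernel's `Documentation/admin-guide/sysctl/fs.rst`.

```python
"""Model of the Linux fs.protected_symlinks decision (constructed example)."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Inode:
    """The two fields of the inode the rule looks at."""
    uid: int    # owner uid
    mode: int   # st_mode, including the file-type bits


def symlink_follow_allowed(link: Inode, parent: Inode, fsuid: int,
                           protected_symlinks: int = 1) -> bool:
    """Return True if a process with this fsuid may traverse `link` inside `parent`."""
    if not protected_symlinks:
        return True                      # sysctl off: classic, unrestricted behaviour
    if fsuid == link.uid:
        return True                      # follower owns the link
    sticky = bool(parent.mode & stat.S_ISVTX)
    world_writable = bool(parent.mode & stat.S_IWOTH)
    if not (sticky and world_writable):
        return True                      # rule only applies to /tmp-like directories
    if parent.uid == link.uid:
        return True                      # directory owner owns the link
    return False                         # kernel returns EACCES here


def check_path(path: str, fsuid: Optional[int] = None) -> bool:
    """Apply the rule to a real symlink on this machine (constructed helper).

    Uses lstat() of the link and its parent directory and reads the live sysctl
    value if /proc is available; falls back to 1 (the Ubuntu default) otherwise.
    """
    abspath = os.path.abspath(path)
    st_link = os.lstat(abspath)
    st_dir = os.lstat(os.path.dirname(abspath))
    if fsuid is None:
        fsuid = os.getuid()
    try:
        with open("/proc/sys/fs/protected_symlinks") as f:
            ps = int(f.read().strip())
    except (OSError, ValueError):
        ps = 1
    return symlink_follow_allowed(Inode(st_link.st_uid, st_link.st_mode),
                                  Inode(st_dir.st_uid, st_dir.st_mode), fsuid, ps)


# Constructed values reproducing the situation in the question.
ROOT_UID = 0
USERA_UID = 1000   # assumed uid for "usera"; not stated in the question

TMP = Inode(uid=ROOT_UID, mode=stat.S_IFDIR | 0o1777)        # chmod 1777 /tmp, owned by root
PPP0_LINK = Inode(uid=USERA_UID, mode=stat.S_IFLNK | 0o777)  # /tmp/ppp0 created by socat as usera
USER_DIR = Inode(uid=USERA_UID, mode=stat.S_IFDIR | 0o700)   # a directory usera owns (not sticky)
USER_STICKY = Inode(uid=USERA_UID, mode=stat.S_IFDIR | 0o1777)  # sticky+ww, but owned by usera


def scenarios() -> Dict[str, bool]:
    """Evaluate the rule for the cases a practitioner would compare."""
    return {
        "setuid-root pppd follows /tmp/ppp0":
            symlink_follow_allowed(PPP0_LINK, TMP, ROOT_UID),
        "usera itself follows /tmp/ppp0":
            symlink_follow_allowed(PPP0_LINK, TMP, USERA_UID),
        "setuid-root pppd follows link in usera-owned dir":
            symlink_follow_allowed(PPP0_LINK, USER_DIR, ROOT_UID),
        "setuid-root pppd follows link in sticky dir owned by usera":
            symlink_follow_allowed(PPP0_LINK, USER_STICKY, ROOT_UID),
        "setuid-root pppd follows /tmp/ppp0 with protected_symlinks=0":
            symlink_follow_allowed(PPP0_LINK, TMP, ROOT_UID, protected_symlinks=0),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'allowed' if ok else 'EACCES ':8} {name}")
```

What the model makes visible is that the restriction is keyed to the directory the link lives in, not to the link or the target: the same `usera`-owned link is followed by the setuid process as soon as it sits in a directory `usera` owns, whether or not that directory is sticky. Pointing `socat`'s `link=` at such a directory keeps the protection in place, whereas `fs.protected_symlinks=0` is host-wide and removes the symlink-race defence for every sticky world-writable directory on the machine, including every container's `/tmp`.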