Seems now it is possible to stop setting suid for /usr/lib*/misc/glibc/pt_chown, but patching several packages is required.
all relevant info should be in the bug, not external forums, and stackexchange sucks balls. so here's the gist:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I administer a Gentoo Hardened box that uses file capabilities to eliminate most of the need for setuid-root binaries (e.g. /bin/ping has CAP_NET_RAW, etc). In fact, the only binary I have left is this one:

abraxas ~ # find / -xdev -type f -perm -u=s
/usr/lib64/misc/glibc/pt_chown
abraxas ~ #

If I remove the setuid bit, or remount my root filesystem nosuid, sshd and GNU Screen stop working, because they call grantpt(3) on their master pseudoterminals and glibc apparently executes this program to chown and chmod the slave pseudoterminal under /dev/pts/, and GNU Screen cares about when this function fails.

The problem is, the manpage for grantpt(3) explicitly states that under Linux, with the devpts filesystem mounted, no such helper binary is required; the kernel will automatically set the UID & GID of the slave to the real UID & GID of the process that opened /dev/ptmx (by calling getpt(3)).
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
i don't think any patching of programs is required. the glibc code already has logic in grantpt() to say "if the file is already owned by the current user, and the group is already set to 'tty', and the perms are correct, then do nothing". you can see this in glibc/sysdeps/unix/grantpt.c. openrc specifically mounts /dev/pts with gid=5 and mode=620 (which is the gid of the tty group, and the perms glibc expects to set up). that means things should already "just work" if you `chmod -s pt_chown`. it seems to work for me:

$ grep devpts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
$ sudo chmod -s /usr/lib*/misc/glibc/pt_chown
$ screen
<works>

if you have a system using glibc and you aren't mounting devpts correctly, well i guess that's your fault. i'll add USE=suid (which means it'll default to off for glibc) and have it do a sanity check on the mount options of devpts to make sure it is mounted correctly.
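The following is an added example, not glibc's grantpt.c and not part of the Gentoo ebuild. It mirrors the pre-check described in the comment above: open a master pty, stat the slave the kernel created under /dev/pts, and decide whether anything would have to be chowned or chmodded before grantpt() could succeed. The decision is factored into pty_needs_fixup() (a name chosen here) so it can be checked without a live pty; the expected owner is the real uid, the expected group is whatever gid the "tty" group has in /etc/group (5 on a default openrc system), and the expected mode is 0620. On a box where devpts is mounted with gid=<tty gid>,mode=620 the program reports that the slave is already correct, which is the case in which glibc never needs pt_chown.

```c
/* Added example (not glibc's or Gentoo's code): reproduce the ownership and
 * mode check that grantpt() performs on a slave pty before deciding whether
 * it must chown/chmod it, and, failing that, exec the setuid pt_chown helper.
 * pty_needs_fixup() is a name invented for this example. */
#define _XOPEN_SOURCE 600
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PTY_MODE  (S_IRUSR | S_IWUSR | S_IWGRP)     /* 0620: rw for owner, w for group */
#define PERM_MASK (S_IRWXU | S_IRWXG | S_IRWXO)     /* the 0777 permission bits */

/* Classify the state of a slave pty given its stat() fields and the values
 * grantpt() wants: the caller's real uid and the gid of the "tty" group.
 * Returns 0 when nothing needs to change (the no-op path in grantpt()),
 * 1 when owner or group is wrong (a chown is needed), and 2 when only the
 * permission bits are wrong (a chmod is needed). */
int pty_needs_fixup(uid_t st_uid, gid_t st_gid, mode_t st_mode,
                    uid_t want_uid, gid_t want_gid)
{
    if (st_uid != want_uid || st_gid != want_gid)
        return 1;
    if ((st_mode & PERM_MASK) != PTY_MODE)
        return 2;
    return 0;
}

/* Look up the gid of the "tty" group; (gid_t)-1 if the group does not exist,
 * in which case any real gid on the slave counts as wrong. */
gid_t tty_group_gid(void)
{
    struct group *gr = getgrnam("tty");
    return gr ? gr->gr_gid : (gid_t)-1;
}

/* Open a master pty and report the state the kernel gave its slave. */
int main(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) {
        perror("posix_openpt");
        return 1;
    }
    const char *slave = ptsname(master);
    struct stat st;
    if (slave == NULL || stat(slave, &st) != 0) {
        perror("stat slave");
        close(master);
        return 1;
    }
    int need = pty_needs_fixup(st.st_uid, st.st_gid, st.st_mode,
                               getuid(), tty_group_gid());
    printf("%s: uid=%u gid=%u mode=%04o -> %s\n", slave,
           (unsigned)st.st_uid, (unsigned)st.st_gid,
           (unsigned)(st.st_mode & PERM_MASK),
           need == 0 ? "already correct, pt_chown not needed" :
           need == 1 ? "needs chown (devpts gid option wrong?)" :
                       "needs chmod (devpts mode option wrong?)");
    /* With need == 0, grantpt() takes its no-op path and succeeds without
     * any helper; otherwise it will try to fix the slave itself first. */
    if (grantpt(master) != 0)
        perror("grantpt");
    close(master);
    return need;
}
```

Build with `cc -o ptycheck ptycheck.c` and run it as an unprivileged user after removing the setuid bit from pt_chown; a non-zero exit status points at the devpts mount options (gid= or mode=) rather than at glibc.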
should be all set now in the tree; thanks for the report!

Commit message: Add USE=suid to control pt_chown setuid behavior

http://sources.gentoo.org/sys-libs/glibc/files/eblits/pkg_preinst.eblit?r1=1.8&r2=1.9
http://sources.gentoo.org/sys-libs/glibc/files/eblits/src_install.eblit?r1=1.28&r2=1.29
http://sources.gentoo.org/sys-libs/glibc/glibc-2.16.0.ebuild?r1=1.22&r2=1.23
http://sources.gentoo.org/sys-libs/glibc/glibc-2.17.ebuild?r1=1.11&r2=1.12
http://sources.gentoo.org/sys-libs/glibc/glibc-9999.ebuild?r1=1.20&r2=1.21
http://sources.gentoo.org/sys-libs/glibc/metadata.xml?r1=1.11&r2=1.12