Serge: I've got a patch that fixes the problem. I've uploaded a test build along with the patch to:
http://people.canonical.com/~sforshee/lp1263738/linux-3.13.0-3.18~lp1263738v201401152110/
I still want to verify that it's impossible to steal a tty from a process in a parent namespace, but if that checks out and the patch looks good to you I'll send it upstream.
I do think, however, that upstart should also be issuing TIOCNOTTY after opening /dev/console. It seems fairly clear from the code that the intention is to not own the console device.