[BusyBox 0001175]: su does not require a password if /etc/busybox.conf is present and contains an su entry
bugs at busybox.net
Thu Jan 25 23:02:50 UTC 2007
The following issue has been SUBMITTED.
======================================================================
http://busybox.net/bugs/view.php?id=1175
======================================================================
Reported By: whitpa
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1175
Category: Security
Reproducibility: always
Severity: major
Priority: normal
Status: assigned
======================================================================
Date Submitted: 01-25-2007 15:02 PST
Last Modified: 01-25-2007 15:02 PST
======================================================================
Summary: su does not require a password if /etc/busybox.conf is present and contains an su entry
Description:
When busybox is setuid root (4755 root:root) and the following
/etc/busybox.conf is present (0600 root:root), Busybox 1.3.0 and later
will allow su to any user without a password from a nonprivileged account,
whereas Busybox 1.2.2.1 and earlier will require a password:
    [SUID]
    su=sxx root.root
If /etc/busybox.conf is present but the su entry is commented out, all
Busybox versions will (correctly) fail the su. If /etc/busybox.conf is
not present, all Busybox versions will (correctly) allow the su but
require a password.
If this change is a feature rather than a bug, then as far as I can
determine it does not appear to be a documented one. Possibly other SUID
applets are similarly affected (not tested).
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
01-25-07 15:02 whitpa New Issue
01-25-07 15:02 whitpa Status new => assigned
01-25-07 15:02 whitpa Assigned To => BusyBox
======================================================================
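A small audit helper, added here as an example and not part of the bug report or of BusyBox itself: it parses a busybox.conf (a constructed sample that mirrors the report's entry) and lists every active [SUID] entry that grants setuid or setgid, so an administrator can spot an su line of the kind described before deploying that file next to a setuid busybox binary on an affected version. It assumes the layout the report shows, applet=mode owner.group under [SUID], with the first and second mode characters marking setuid and setgid; the function names are my own.

```sh
#!/bin/sh
# Audit helper (added example, not from the report or from BusyBox):
# list the applets that a busybox.conf marks setuid/setgid under [SUID].

# Constructed sample configuration; the su line mirrors the bug report.
SAMPLE_CONF='# sample busybox.conf (constructed for this example)
[SUID]
su=sxx root.root
#passwd=ssx root.root
ping=sxx root.root
'

# Print "applet mode owner" for each active [SUID] entry whose mode sets
# setuid (first character s/S) or setgid (second character s/S).
# Assumed format: applet = mode user.group, as in the report's example.
suid_applets() {
  # $1: path to a busybox.conf file
  awk '
    /^[ \t]*#/ { next }                       # comment line
    /^[ \t]*\[/ {                             # section header, e.g. [SUID]
      sec = tolower($0)
      gsub(/\[/, "", sec); gsub(/\]/, "", sec); gsub(/[ \t]/, "", sec)
      next
    }
    sec == "suid" && /=/ {
      line = $0
      sub(/[ \t]*#.*$/, "", line)             # strip trailing comment
      split(line, kv, "=")
      applet = kv[1]; gsub(/[ \t]/, "", applet)
      split(kv[2], f)                         # default FS trims whitespace
      mode = f[1]; owner = f[2]
      if (mode ~ /^[sS]/ || mode ~ /^.[sS]/) print applet, mode, owner
    }' "$1"
}

# Exit status 0 if the file grants any applet setuid/setgid, 1 otherwise.
has_suid_entries() {
  [ -n "$(suid_applets "$1")" ]
}

# Stand-alone run: write the sample and report what it would grant.
conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$conf"
if has_suid_entries "$conf"; then
  echo "setuid/setgid applets granted by $conf:"
  suid_applets "$conf"
else
  echo "no setuid/setgid applets granted by $conf"
fi
rm -f "$conf"
```

Run against the real /etc/busybox.conf in place of the sample; an `su` line with an `s` in the first mode position is exactly the configuration the report describes, and on the affected versions it should be removed or commented out until the behaviour is understood.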