[BusyBox 0001175]: su does not require a password if /etc/busybox.conf is present and contains an su entry

bugs at busybox.net bugs at busybox.net
Thu Jan 25 23:02:50 UTC 2007 

The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=1175 
====================================================================== 
Reported By:                whitpa
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   1175
Category:                   Security
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             01-25-2007 15:02 PST
Last Modified:              01-25-2007 15:02 PST
====================================================================== 
Summary:                    su does not require a password if /etc/busybox.conf
is present and contains an su entry
Description: 
When busybox is setuid root (4755 root:root) and the following
/etc/busybox.conf is present (0600 root:root), Busybox 1.3.0 and later
will allow su to any user without a password from a nonprivileged account,
whereas Busybox 1.2.2.1 and earlier will require a password:

    [SUID]
    su=sxx root.root

If /etc/busybox.conf is present but the su entry is commented out, all
Busybox versions will (correctly) fail the su.  If /etc/busybox.conf is
not present, all Busybox versions will (correctly) allow the su but
require a password.

If this change is a feature rather than a bug, then as far as I can
determine it does not appear to be a documented one.  Possibly other SUID
applets are similarly affected (not tested).

====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
01-25-07 15:02  whitpa         New Issue                                    
01-25-07 15:02  whitpa         Status                   new => assigned     
01-25-07 15:02  whitpa         Assigned To               => BusyBox         
======================================================================

More information about the busybox-cvs mailing list