[BusyBox] Division of work.

Alex King alex at milton.king.net.nz
Thu Mar 8 19:45:02 UTC 2001


On Thu, Mar 08, 2001 at 11:40:16AM -0700, Mark Whitley wrote:
> On Thu, Mar 08, 2001 at 08:35:30PM +0300, Vladimir N. Oleynik wrote:
> > Mark Whitley wrote:
> > 
> > > One of the things Erik and I have discussed is converting the 'enum Location'
> > > set into a more general-purpose 'flags' listing, which would allow us to add
> > > an entry called _BB_DROP_PERMS to all of the applets that need to be +s. Then,
> > > in busybox_main we would have code like tinylogin that tests if that bit is
> > > set and drops permissions accordingly
> > 
> > Please, do not make it. Please!
> > As a last resort only through preprocessor brackets.
> > 
> > Example:
> > 
> > % ls -l reboot
> > -rwsr-x---   1 root     wheel          7432 Oct 14  1999 /sbin/reboot
> > 
> > After this all `wheel' group can reboot system.
> > After your idea I can't make this even with suid-wrapper!
> 
> Vladimir, I'm having a little difficulty following you here.
> 
> For starters, in the example you gave above, if you're concerned about anyone
> in group 'wheel' being able to call reboot, you have two choices: 'chmod g-x
> /sbin/reboot' or 'chgrp root /sbin/reboot'. That should solve the problem of
> anyone in wheel being able to reboot the system.
> 
> How would dropping permissions be a problem in your above example? It's
> setuid, not setgid, so I don't see how 'wheel' would enter into it from the
> standpoint of +s.
> 
> Not every applet would be dropping permissions, just the ones that we
> explicitly set with _BB_DROP_PERMS in applets.h. Thus, if there isn't a need
> for reboot to drop perms, it won't. Simple.

I think the problem is that Vlad wants admins in wheel group to be able
to reboot the system.  If reboot drops perms, they won't be
able to, if it doesn't then anyone can "busybox reboot".

Personally I think that the build system should be able to build an
arbitrary number of executables, eg, one non-suid, cat, ls etc., one
suid; ping etc, and another could be suid root and executable only by
wheel; reboot etc.  With shared libs, this need not have that much
overhead.  Nor does it mean your idea for a flag to test for dropping
permissions is a bad idea: this could be an alternative way for those
who want a single busybox, perhaps statically linked.

Alex
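
Added example, not part of the original message and not BusyBox or tinylogin code: a sketch of the per-applet flag check discussed in this thread, showing why applets that keep privileges in a single setuid binary are guarded only by that binary's file mode. The name `BB_DROP_PERMS` stands in for the proposed `_BB_DROP_PERMS`; the applet table, `drop_perms` and `applet_prepare` are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Stands in for the _BB_DROP_PERMS bit proposed in the thread. */
#define BB_DROP_PERMS 0x01u

struct applet { const char *name; unsigned flags; };

/* Constructed table; which applets carry the flag is an assumption. */
static const struct applet applets[] = {
    { "cat",    BB_DROP_PERMS },
    { "ls",     BB_DROP_PERMS },
    { "ping",   0 },   /* keeps euid for its raw socket */
    { "reboot", 0 },   /* keeps euid; access is limited only by file mode */
};

/* Give up set-id privileges: group first, then user. When the effective
 * uid is root, setuid() also resets the saved uid, so the drop sticks. */
static int drop_perms(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* Fail closed if the effective ids did not actually change back. */
    if (getegid() != getgid() || geteuid() != getuid())
        return -1;
    return 0;
}

/* Returns 1 if privileges were dropped, 0 if kept, -1 on error. */
int applet_prepare(const char *name)
{
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++) {
        if (strcmp(applets[i].name, name) != 0)
            continue;
        if (!(applets[i].flags & BB_DROP_PERMS))
            return 0;
        return drop_perms() == 0 ? 1 : -1;
    }
    return -1; /* unknown applet: refuse rather than run privileged */
}

int main(int argc, char **argv)
{
    const char *slash = strrchr(argv[0], '/');
    const char *name = (argc > 1) ? argv[1] : (slash ? slash + 1 : argv[0]);
    int r = applet_prepare(name);
    printf("%s: %s\n", name, r == 1 ? "dropped" : r == 0 ? "kept" : "refused");
    return r < 0;
}
```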
