[BusyBox] vodz telnetd applet

David Kimdon dwhedon at gordian.com
Wed Sep 19 14:26:08 UTC 2001


I'm not sure if this has been suggested before; here goes.

The 'trustybox' patch I posted is neat, but it isn't the best use of space;
perhaps we can just adjust uids.

We make busybox setuid root and for most applications we will drop
privileges right before calling the applet's main.  We have the same
amount of code that needs to be audited as the trustybox method
(busybox.c, applets.c and then any privileged applet's code).  I
looked around for discussions of what I could be missing, and
http://www.freebsd.org/security/ has a note:

  * Just because you drop privileges somewhere, it does not mean
that no exploit is possible. The attacker may put the necessary code
on the stack to regain the privileges before executing /bin/sh.

It isn't clear to me if that is relevant.

Thoughts?

-David

untested/incomplete patch for discussion:

Index: applets.c
===================================================================
RCS file: /var/cvs/busybox/applets.c,v
retrieving revision 1.9
diff -u -r1.9 applets.c
--- applets.c	2001/08/27 17:19:38	1.9
+++ applets.c	2001/09/19 20:15:58
@@ -96,11 +101,16 @@
 			been_there_done_that=1;
 			busybox_main(0, NULL);
 		}
+
+		if ( ! (applet_using->flags & BB_APPLET_FLAGS_UID0) ) {
+			if (setgid(getgid()) < 0 || setuid(getuid()) < 0)
+				error_msg_and_die ("could not drop privilege");
+		}
 		exit((*(applet_using->main)) (argc, argv));
 	}
 	/* Just in case they have renamed busybox - Check argv[1] */
 	if (recurse_level == 1) {
 	}
 	recurse_level--;
 }
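Review bot: The added check in applets.c tests BB_APPLET_FLAGS_UID0, but the busybox.h hunk defines BB_APPLET_FLAG_UID0 (no trailing S on FLAG), so this will not compile as posted; pick one spelling and use it in both files. The setgid-before-setuid order is right. The busybox_main(0, NULL) call in the context lines above is reached before this drop, so that path needs its own look, and it would be worth confirming geteuid() == getuid() after the two calls rather than relying only on their return values.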
Index: busybox.h
===================================================================
RCS file: /var/cvs/busybox/busybox.h,v
retrieving revision 1.46
diff -u -r1.46 busybox.h
--- busybox.h	2001/07/19 15:00:14	1.46
+++ busybox.h	2001/09/19 19:38:23
@@ -52,7 +73,9 @@
 	const	char*	name;
 	int	(*main)(int argc, char** argv);
 	enum	Location	location;
+	unsigned char flags;
 };
+#define BB_APPLET_FLAG_UID0 0x01
 /* From busybox.c */
 extern const struct BB_applet applets[];
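Review bot: The new flags member and BB_APPLET_FLAG_UID0 in struct BB_applet carry no comment saying what the bit means or which applets may set it, and nothing visible in the patch initialises flags in the applets[] table. Add a comment stating that a zero value means "drop privileges before main", since the applets.c check relies on that default, and align the define's name with the BB_APPLET_FLAGS_UID0 used there.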

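The drop-and-verify step discussed in this message, as an added example that is not part of the original post or of BusyBox: `drop_privileges_permanently()` is a hypothetical helper. It assumes a POSIX system and a binary installed setuid root, and it checks that an unprivileged caller cannot switch back to uid 0 after the drop.

```c
/* Added example, not BusyBox code: permanent privilege drop for a
 * setuid-root multiplexer, with verification. The helper name is
 * hypothetical. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process holds only the invoking user's ids,
 * -1 when the drop failed or could be undone. */
int drop_privileges_permanently(void)
{
	uid_t ruid = getuid();
	gid_t rgid = getgid(), old_egid = getegid();

	/* Group first: once the effective uid is no longer 0, changing
	 * the gid is no longer permitted. */
	if (setgid(rgid) < 0)
		return -1;
	/* With effective uid 0, setuid() overwrites the real, effective
	 * and saved uid, so no saved root id is left to switch back to.
	 * seteuid() alone would keep the saved id. */
	if (setuid(ruid) < 0)
		return -1;

	/* Verify the result instead of trusting the return codes. */
	if (getuid() != ruid || geteuid() != ruid)
		return -1;
	if (getgid() != rgid || getegid() != rgid)
		return -1;

	/* An unprivileged caller must not be able to take anything back. */
	if (ruid != 0) {
		if (setuid(0) == 0)
			return -1;
		if (old_egid != rgid && setegid(old_egid) == 0)
			return -1;
	}
	return 0;
}

int main(void)
{
	if (drop_privileges_permanently() < 0) {
		fprintf(stderr, "could not drop privilege\n");
		return 1;
	}
	printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
	return 0;
}
```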



