busybox/tinylogin suid security issues
Rob Landley
rob at landley.net
Wed Dec 21 21:22:21 UTC 2005
On Wednesday 21 December 2005 14:20, Chuck Meade wrote:
> I have been searching for information on the security aspects of the
> tinylogin logic that was integrated into busybox.
>
> In Karim Yaghmour's book "Building Embedded Linux Systems", Karim
> states that he builds tinylogin as a separate component from busybox,
> since it needs suid/root privileges.
You can still do that. Build one busybox with the suid applets, and another
with the non-suid applets, and have the relevant symlinks point to the
different executables.
> He does not want to give suid
> privileges to the busybox binary itself, due to the security concerns
> of running ls and cat (for example) at root level.
If you enable suid support, we drop privilidges first thing when running an
app that shouldn't be suid.
If you look at include/applets.h you'll see a lot of stuff like this:
#ifdef CONFIG_ADDGROUP
APPLET(addgroup, addgroup_main, _BB_DIR_BIN, _BB_SUID_NEVER)
#endif
The fourth field is for the SUID stuff. That indictes that the applet
"addgroup" should never inherit suid privs from busybox's main(). The actual
code that drop the privilidges is in applets/applets.c (if you want to audit
it yourself).
And if you grep applets.h for "SUID" and then filter out "NEVER" (which means
drop all priviledges), you get:
APPLET_NOUSAGE("busybox", busybox_main, _BB_DIR_BIN, _BB_SUID_MAYBE)
APPLET(crontab, crontab_main, _BB_DIR_USR_BIN, _BB_SUID_ALWAYS)
APPLET(ipcrm, ipcrm_main, _BB_DIR_USR_BIN, _BB_SUID_ALWAYS)
APPLET(ipcs, ipcs_main, _BB_DIR_USR_BIN, _BB_SUID_ALWAYS)
APPLET(login, login_main, _BB_DIR_BIN, _BB_SUID_ALWAYS)
APPLET(passwd, passwd_main, _BB_DIR_USR_BIN, _BB_SUID_ALWAYS)
APPLET(ping, ping_main, _BB_DIR_BIN, _BB_SUID_MAYBE)
APPLET(su, su_main, _BB_DIR_BIN, _BB_SUID_ALWAYS)
APPLET(traceroute, traceroute_main, _BB_DIR_USR_BIN, _BB_SUID_MAYBE)
APPLET(vlock, vlock_main, _BB_DIR_USR_BIN, _BB_SUID_ALWAYS)
Which really isn't that much.
Some quick analysis: busybox and traceroute are "MAYBE" (which means keep
privs if you have them) and crontab, ipcrm, ipcs, login, passwd, su, and
vlock are "ALWAYS" (meaning this app can't run as non-root).
Once I add "user" mount support, mount becomes another "ALWAYS".
> However, Busybox can have configurable suid privileges per applet,
> using the file /etc/busybox.conf. This seems to be just as secure
> as Karim's method. Plus it seems much smaller than his method of
> adding more programs to the filesystem, so that they can have their
> individual suid bits set.
We also have our own flags. The conf file is a bit like sudo, it specifies
who can run what. (To be honest, I think we should probably just bite the
bullet and have a sudo applet.)
By the way, the main downside of all this "drop priviledges" stuff is that if
you make a standalone shell, you can't get sudo _back_ without doing an exec.
(This is another reason we exec /proc/self/exe to run standalone shell
applets.)
This is all a 1.2 issue.
> Does anyone see any advantage of using Karim's method (separate
> tinylogin apps with suid bits set) over the Busybox method (suid
> configured in /etc/busybox.conf)?
Tinylogin is the old way of doing it. How old is his book?
> Thanks,
> Chuck
Rob
--
Steve Ballmer: Innovation! Inigo Montoya: You keep using that word.
I do not think it means what you think it means.
More information about the busybox
mailing list