dev/console catch 22

Mike Frysinger vapier at gentoo.org
Tue Jun 19 15:48:42 UTC 2007


On Tuesday 19 June 2007, Michael Cashwell wrote:
> On Tue, 2007-06-19 at 09:52 -0400, Mike Frysinger wrote:
> > On Tuesday 19 June 2007, Michael Cashwell wrote:
> > > So the file hierarchy served by the NFS server must be written by a
> > > host process and I still have the issue of needing elevated privileges
> > > to do that for the special console node.
> >
> > i don't really buy this ... only the root user can set up NFS exports and
> > in order for it to be usable by the embedded machine, it has to have root
> > access
>
> I disagree. The NFS setup is only done once per NFS server. So while the
> exported space is insecure and it took elevated privileges to create,
> it's just developmental scratch space and has no security implication on
> other hosts.

sure it does ... the embedded machine is mounting the server as root and you 
have full access to the embedded machine ... what's stopping you from 
creating a .c program that simply executes /bin/sh, sending it to the board, 
the board sending it to the nfs server, and then giving it setuid perms?
cheap root shell hello

> I am left wondering if there isn't some way to get init to actually
> reexec itself without patching it. It seems that the inittab restart
> would do that if I could get init to exit. But given my inittab success
> I have back the main functionality I needed so further exploration will
> have to wait.

might be something to look into, but personally i just don't think this has 
relevance in any sort of actual deployed production system
-mike
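
A defender's check for the exposure described in this message, as an added example that is not part of the original post: it lists read-write exports with `no_root_squash` whose backing filesystem on the NFS server is not mounted `nosuid`, which is the condition under which a setuid file written by the board's root user takes effect on the server. The export paths, addresses and mount lines are constructed samples, and only the `client(options)` form of `/etc/exports` is parsed.

```python
# Constructed sample inputs (not from the thread): an /etc/exports file and
# the corresponding /proc/mounts lines on the NFS server.
EXPORTS = """\
# development root filesystems
/srv/nfs/board   192.168.1.0/24(rw,no_root_squash,sync)
/srv/nfs/scratch 192.168.1.50(rw,no_root_squash) *(ro)
/srv/nfs/docs    *(ro,root_squash)
"""
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/nfs/scratch ext4 rw,nosuid,nodev 0 0
"""

def root_writable_exports(exports_text):
    """Yield (path, client) for entries a remote root user can write to as root."""
    text = exports_text.replace("\\\n", " ")        # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, rest = spec.partition("(")
            opts = set(rest.rstrip(")").split(","))
            # exports default to ro and root_squash, so both must be overridden
            if {"rw", "no_root_squash"} <= opts:
                yield path, client or "*"

def backing_mount_options(path, mounts_text):
    """Return (mountpoint, options) of the longest mountpoint containing path."""
    best, opts = "", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, opts = mnt, set(fields[3].split(","))
    return best, opts

def audit(exports_text, mounts_text):
    """List (path, client, mountpoint) where setuid bits set over NFS are honoured."""
    findings = []
    for path, client in root_writable_exports(exports_text):
        mnt, opts = backing_mount_options(path, mounts_text)
        if "nosuid" not in opts:
            findings.append((path, client, mnt))
    return findings
```

On a real server, pass the contents of `/etc/exports` and `/proc/mounts` to `audit()`; each finding is an export to either squash root on or move onto a `nosuid` filesystem.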