suid not working as I'd hope???

Denys Vlasenko vda.linux at googlemail.com
Tue Jan 18 12:52:11 UTC 2011


On Tue, Jan 18, 2011 at 1:15 PM, David Collier
<from_busybox_maillist at dexdyne.com> wrote:
> Denys,
>
> If I want to reproduce the effect whereby setting the s bit on the
> busybox exe allows all applets to run as root....
>
> is the best patch to simply comment out those 2 lines you pointed to?

The best practice is to switch off FEATURE_SUID. Here is its help text:

config FEATURE_SUID
        bool "Support for SUID/SGID handling"
        default y
        help
          With this option you can install the busybox binary belonging
          to root with the suid bit set, enabling some applets to perform
          root-level operations even when run by ordinary users
          (for example, mounting of user mounts in fstab needs this).

          Busybox will automatically drop priviledges for applets
          that don't need root access.

          If you are really paranoid and don't want to do this, build two
          busybox binaries with different applets in them (and the appropriate
          symlinks pointing to each binary), and only set the suid bit on the
          one that needs it.

          The applets which require root rights (need suid bit or
          to be run by root) and will refuse to execute otherwise:
          crontab, login, passwd, su, vlock, wall.

          The applets which will use root rights if they have them
          (via suid bit, or because run by root), but would try to work
          without root right nevertheless:
          findfs, ping[6], traceroute[6], mount.

          Note that if you DONT select this option, but DO make busybox
          suid root, ALL applets will run under root, which is a huge
          security hole (think "cp /some/file /etc/passwd").


Unfortunately, there is a bug which prevents disabling FEATURE_SUID
in many cases.

Here is the fix:

http://busybox.net/downloads/fixes-1.18.2/busybox-1.18.2-buildsys.patch

-- 
vda

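As an added illustration of the policy the FEATURE_SUID help text quoted above describes (this is example code written for this page, not BusyBox source; the helper names classify_applet, decide and drop_privileges are this example's own), the program below models how a setuid-root multi-call binary sorts applets into the three classes the help text lists and what it does before running each one. It also shows the part the help text says is missing when FEATURE_SUID is off: with the policy disabled, every applet simply keeps whatever ids the binary started with.

```c
/*
 * Added example, not BusyBox code: a minimal model of the FEATURE_SUID
 * policy for a setuid-root multi-call binary. Applet classes follow the
 * lists in the Config help text; everything else is an assumption of
 * this example. Real BusyBox has more machinery than is shown here.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The three classes named in the help text; anything not listed does
 * not need root and has its privileges dropped. */
enum suid_class { SUID_DROP, SUID_MAYBE, SUID_REQUIRE };

/* What the dispatcher does before handing control to the applet. */
enum action { ACT_KEEP, ACT_DROP, ACT_REFUSE };

static const struct { const char *name; enum suid_class cls; } applet_table[] = {
    /* need root; refuse to run otherwise */
    { "crontab", SUID_REQUIRE }, { "login", SUID_REQUIRE }, { "passwd", SUID_REQUIRE },
    { "su", SUID_REQUIRE }, { "vlock", SUID_REQUIRE }, { "wall", SUID_REQUIRE },
    /* use root if available, otherwise try to work without it */
    { "findfs", SUID_MAYBE }, { "ping", SUID_MAYBE }, { "ping6", SUID_MAYBE },
    { "traceroute", SUID_MAYBE }, { "traceroute6", SUID_MAYBE }, { "mount", SUID_MAYBE },
};

enum suid_class classify_applet(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(applet_table) / sizeof(applet_table[0]); i++)
        if (strcmp(applet_table[i].name, name) == 0)
            return applet_table[i].cls;
    return SUID_DROP;
}

/* Decide what to do given the applet class, the real and effective uid
 * the binary started with, and whether FEATURE_SUID was compiled in. */
enum action decide(enum suid_class cls, uid_t ruid, uid_t euid, int feature_suid)
{
    int have_root = (euid == 0);
    int is_setuid = (ruid != euid);

    /* FEATURE_SUID off: no policy at all. On a setuid-root binary every
     * applet, cp included, keeps root; that is the hole the help text warns about. */
    if (!feature_suid)
        return ACT_KEEP;

    switch (cls) {
    case SUID_REQUIRE:
        return have_root ? ACT_KEEP : ACT_REFUSE;
    case SUID_MAYBE:
        return ACT_KEEP;          /* the applet itself copes without root */
    default:
        return is_setuid ? ACT_DROP : ACT_KEEP;
    }
}

/* Permanently drop to the real uid/gid. Order matters: change the gid
 * first, because after setuid() to a non-root uid the gid can no longer
 * be changed. Then verify the drop cannot be undone. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* A non-root process must not be able to regain uid 0; if it can,
     * a saved uid of 0 was left behind and the drop is incomplete. */
    if (getuid() != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "keep ids", "drop to real ids", "refuse" };
    const char *applet = argc > 1 ? argv[1] : "cp";   /* constructed default */
    enum action a = decide(classify_applet(applet), getuid(), geteuid(), 1);

    printf("%s: %s\n", applet, names[a]);
    if (a == ACT_DROP && drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    return a == ACT_REFUSE;
}
```

Run it as an ordinary user with an applet name as the argument to see the decision; the interesting cases are "cp" (dropped when the binary is setuid, kept otherwise), "passwd" (refused without root) and "ping" (always run, with or without root). The irreversibility check in drop_privileges is the part worth copying into any setuid code: setuid() on a process with effective uid 0 resets the saved uid too, so a later setuid(0) must fail; if it succeeds, privileges were only set aside, not dropped.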