embedded control panel - can this work?

Denys Vlasenko vda.linux at googlemail.com
Tue Jan 18 15:15:43 UTC 2011


On Tue, Jan 18, 2011 at 12:41 PM, David Collier
<from_busybox_maillist at dexdyne.com> wrote:
> Suppose a C program which is running as web, gains root uid, and then
> invokes a shell.
> Will that busybox in the shell refuse to allow the date to be set, as the
> user isn't "really" root? Or would the extra levels of obfuscation fool
> it into allowing it?

It depends on how exactly the "gains root uid" step is done. For example:

$ busybox login
my_hostname login: root
Password:
# _

This is a "genuine" root environment, initialized from non-root.

The crucial function login, su, etc. use to achieve it is:

/* Become the user and group(s) specified by PW.  */
void FAST_FUNC change_identity(const struct passwd *pw)
{
        if (initgroups(pw->pw_name, pw->pw_gid) == -1)
                bb_perror_msg_and_die("can't set groups");
        endgrent(); /* helps to close a fd used internally by libc */
        xsetgid(pw->pw_gid);
        xsetuid(pw->pw_uid);
}

-- 
vda
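
Added example, not part of the original message and not busybox code: a check a program can run before it invokes a shell, to see whether its real and effective ids still disagree, plus a switch in the same order as change_identity() that verifies the result. The names classify_ids, current_id_state and become_user_checked are hypothetical, and uid 33 in the comment is a constructed sample value.

```c
#define _DEFAULT_SOURCE          /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum id_state { ID_GENUINE, ID_SPLIT_UID, ID_SPLIT_GID };

/* Real and effective ids must agree before the identity counts as genuine.
 * A setuid-root binary started by uid 33 runs with ruid=33, euid=0. */
enum id_state classify_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
        if (ruid != euid)
                return ID_SPLIT_UID;
        if (rgid != egid)
                return ID_SPLIT_GID;
        return ID_GENUINE;
}

/* Classify the ids of the calling process. */
enum id_state current_id_state(void)
{
        return classify_ids(getuid(), geteuid(), getgid(), getegid());
}

/* Groups first, then gid, then uid: once the uid is changed to a non-root
 * user, the process no longer has the privilege to change groups or gid.
 * Returns 0 only if the process ends up fully switched to pw. */
int become_user_checked(const struct passwd *pw)
{
        if (initgroups(pw->pw_name, pw->pw_gid) == -1)
                return -1;
        if (setgid(pw->pw_gid) == -1)
                return -1;
        if (setuid(pw->pw_uid) == -1)
                return -1;
        if (current_id_state() != ID_GENUINE)
                return -1;
        return (getuid() == pw->pw_uid && getgid() == pw->pw_gid) ? 0 : -1;
}

int main(void)
{
        static const char *const names[] = { "genuine", "split uid", "split gid" };

        printf("ruid=%ld euid=%ld rgid=%ld egid=%ld: %s\n",
               (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid(),
               names[current_id_state()]);
        return 0;
}
```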

