suid not working as I'd hope???

David Collier from_busybox_maillist at dexdyne.com
Fri Jan 21 17:45:00 UTC 2011


On my 1.17.4 sources I had to remove the equivalent line from CROND too -
then I could edit it.

TVM

David



In article <AANLkTik02bzJSuU1jAZv38F-_SsRCqGTGsWK-rVucL=Z at mail.gmail.com>,
vda.linux at googlemail.com (Denys Vlasenko) wrote:

> *From:* Denys Vlasenko <vda.linux at googlemail.com>
> *To:* from_busybox_maillist at dexdyne.com
> *CC:* busybox at busybox.net
> *Date:* Tue, 18 Jan 2011 13:52:11 +0100
> 
> On Tue, Jan 18, 2011 at 1:15 PM, David Collier
> <from_busybox_maillist at dexdyne.com> wrote:
> > Denys,
> >
> > If I want to reproduce the effect whereby setting the s bit on the
> > busybox exe allows all applets to run as root....
> >
> > is the best patch to simply comment out those 2 lines you pointed 
> > to?
> 
> The best practice is to switch off FEATURE_SUID. Here is its help 
> text:
> 
> config FEATURE_SUID
>         bool "Support for SUID/SGID handling"
>         default y
>         help
>           With this option you can install the busybox binary belonging
>           to root with the suid bit set, enabling some applets to perform
>           root-level operations even when run by ordinary users
>           (for example, mounting of user mounts in fstab needs this).
> 
>           Busybox will automatically drop privileges for applets
>           that don't need root access.
> 
>           If you are really paranoid and don't want to do this, build two
>           busybox binaries with different applets in them (and the appropriate
>           symlinks pointing to each binary), and only set the suid bit on the
>           one that needs it.
> 
>           The applets which require root rights (need suid bit or
>           to be run by root) and will refuse to execute otherwise:
>           crontab, login, passwd, su, vlock, wall.
> 
>           The applets which will use root rights if they have them
>           (via suid bit, or because run by root), but would try to work
>           without root right nevertheless:
>           findfs, ping[6], traceroute[6], mount.
> 
>           Note that if you DONT select this option, but DO make busybox
>           suid root, ALL applets will run under root, which is a huge
>           security hole (think "cp /some/file /etc/passwd").
> 
> 
> Unfortunately, there is a bug which prevents disabling FEATURE_SUID
> in many cases.
> 
> Here is the fix:
> 
> http://busybox.net/downloads/fixes-1.18.2/busybox-1.18.2-buildsys.patch
> 
> -- 
> vda
> 


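The three applet classes the quoted help text describes (refuse without root, use root if present, drop it before running) boil down to a small dispatch decision plus a correct, irreversible privilege drop. Below is an added example of that logic for a suid-root multi-call binary; it is written here for illustration and is not BusyBox's own code. The enum names, the `policy_for`, `prepare_applet` and `drop_privileges` functions, and the applet table are this example's assumptions (the table's entries come from the help text above, with `cp` and `cat` added as applets that never need root; anything not in the table is treated as no-root, which is the safe default).

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Hypothetical privilege classes, one per group in the FEATURE_SUID help text. */
enum suid_policy {
    SUID_DROP,      /* no root needed: give it up before the applet runs       */
    SUID_MAYBE,     /* uses root if it has it, tries to work without otherwise */
    SUID_REQUIRE    /* refuses to run without root                             */
};

struct applet {
    const char *name;
    enum suid_policy policy;
};

/* Constructed table for this example (names taken from the help text). */
static const struct applet applets[] = {
    { "crontab",     SUID_REQUIRE }, { "login",       SUID_REQUIRE },
    { "passwd",      SUID_REQUIRE }, { "su",          SUID_REQUIRE },
    { "vlock",       SUID_REQUIRE }, { "wall",        SUID_REQUIRE },
    { "findfs",      SUID_MAYBE },   { "ping",        SUID_MAYBE },
    { "ping6",       SUID_MAYBE },   { "traceroute",  SUID_MAYBE },
    { "traceroute6", SUID_MAYBE },   { "mount",       SUID_MAYBE },
    { "cp",          SUID_DROP },    { "cat",         SUID_DROP },
};

/* Default-deny: an applet that is not listed never keeps root. */
enum suid_policy policy_for(const char *name)
{
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, name) == 0)
            return applets[i].policy;
    return SUID_DROP;
}

/* Permanently drop effective/saved ids back to the caller's real ids.
 * Order matters: supplementary groups, then gid, then uid, because once
 * the uid is no longer 0 the group changes would be refused.
 * Returns 0 on success, -1 if a step failed or root can still be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may call it */
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (ruid != 0 && (setuid(0) == 0 || geteuid() != ruid))
        return -1;
    return 0;
}

/* Decide, before running `name`, whether it may run and whether it keeps root.
 * is_root reflects the effective uid (1 when euid == 0). Returns 0 to run,
 * -1 to refuse; *privileged tells the caller whether to drop_privileges(). */
int prepare_applet(const char *name, int is_root, int *privileged)
{
    switch (policy_for(name)) {
    case SUID_REQUIRE:
        if (!is_root)
            return -1;             /* "will refuse to execute otherwise" */
        *privileged = 1;
        return 0;
    case SUID_MAYBE:
        *privileged = is_root;     /* use root if present, else try without */
        return 0;
    case SUID_DROP:
    default:
        *privileged = 0;           /* caller must drop before running */
        return 0;
    }
}

/* Multi-call dispatch: the applet is chosen by the name we were invoked as. */
int main(int argc, char **argv)
{
    const char *slash = strrchr(argv[0], '/');
    const char *name = slash ? slash + 1 : argv[0];
    int privileged = 0;
    (void)argc;

    if (prepare_applet(name, geteuid() == 0, &privileged) != 0) {
        fprintf(stderr, "%s: must be run as root or from a suid-root binary\n", name);
        return 1;
    }
    if (!privileged && drop_privileges() != 0) {
        fprintf(stderr, "%s: failed to drop privileges\n", name);
        return 1;
    }
    printf("%s would now run with euid %u\n", name, (unsigned)geteuid());
    return 0;
}
```

Build it, `chown root` and `chmod u+s` the binary, then create symlinks such as `cp` and `passwd` pointing at it and run them as an unprivileged user: `cp` reports a non-zero euid, `passwd` keeps euid 0. The check after `setuid()` is the part worth copying; a drop that silently fails, or that leaves the saved uid at 0, reproduces exactly the "cp /some/file /etc/passwd" hole the help text warns about.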