suid not working as I'd hope???
from_busybox_maillist at dexdyne.com
Fri Jan 21 17:45:00 UTC 2011
On my 1.17.4 sources I had to remove the equivalent line from CROND too -
then I could edit it.
In article <AANLkTik02bzJSuU1jAZv38F-_SsRCqGTGsWK-rVucL=Z at mail.gmail.com>,
vda.linux at googlemail.com (Denys Vlasenko) wrote:
> *From:* Denys Vlasenko <vda.linux at googlemail.com>
> *To:* from_busybox_maillist at dexdyne.com
> *CC:* busybox at busybox.net
> *Date:* Tue, 18 Jan 2011 13:52:11 +0100
> On Tue, Jan 18, 2011 at 1:15 PM, David Collier
> <from_busybox_maillist at dexdyne.com> wrote:
> > Denys,
> > If I want to reproduce the effect whereby setting the s bit on the
> > busybox exe allows all applets to run as root....
> > is the best patch to simply comment out those 2 lines you pointed
> > to?
> The best practice is to switch off FEATURE_SUID. Here is its help:
>
> config FEATURE_SUID
>     bool "Support for SUID/SGID handling"
>     default y
>       With this option you can install the busybox binary
>       to root with the suid bit set, enabling some applets to
>       root-level operations even when run by ordinary users
>       (for example, mounting of user mounts in fstab needs
>       Busybox will automatically drop privileges for applets
>       that don't need root access.
>
>       If you are really paranoid and don't want to do this,
>       build two busybox binaries with different applets in them
>       (and the symlinks pointing to each binary), and only set
>       the suid bit on the one that needs it.
>
>       The applets which require root rights (need suid bit or
>       to be run by root) and will refuse to execute otherwise:
>       crontab, login, passwd, su, vlock, wall.
>
>       The applets which will use root rights if they have them
>       (via suid bit, or because run by root), but would try to
>       without root right nevertheless:
>       findfs, ping, traceroute, mount.
>
>       Note that if you DON'T select this option, but DO make
>       suid root, ALL applets will run under root, which is a
>       security hole (think "cp /some/file /etc/passwd").
>
> Unfortunately, there is a bug which prevents disabling FEATURE_SUID
> in many cases.
> Here is the fix:
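The privilege policy described in the quoted help text, as an added illustration that is not BusyBox's own code: a small model of the three applet classes (require root, use root if available, always drop), plus the case where FEATURE_SUID is compiled out and a setuid-root binary keeps root for every applet. The applet lists are the ones quoted above; the function names are assumptions for this example.

```c
/* Added example (not BusyBox code): a model of the FEATURE_SUID policy
 * described in the help text above. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum suid_mode { SUID_DROP, SUID_MAYBE, SUID_REQUIRE };
enum decision  { RUN_UNPRIVILEGED, RUN_WITH_ROOT, REFUSE };

struct applet { const char *name; enum suid_mode mode; };

/* Lists taken from the quoted help text; any other applet drops privileges. */
static const struct applet applets[] = {
    { "crontab", SUID_REQUIRE }, { "login", SUID_REQUIRE }, { "passwd", SUID_REQUIRE },
    { "su",      SUID_REQUIRE }, { "vlock", SUID_REQUIRE }, { "wall",   SUID_REQUIRE },
    { "findfs",  SUID_MAYBE },   { "ping",  SUID_MAYBE },   { "traceroute", SUID_MAYBE },
    { "mount",   SUID_MAYBE },
};

static enum suid_mode lookup_mode(const char *name) {
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, name) == 0) return applets[i].mode;
    return SUID_DROP;
}

/* feature_suid: whether FEATURE_SUID is compiled in; euid: effective uid we start with. */
enum decision decide(const char *applet, int feature_suid, uid_t euid) {
    int have_root = (euid == 0);
    if (!feature_suid)
        /* No policy at all: whatever the suid bit gave us is kept for EVERY
         * applet, which is the "security hole" the help text warns about. */
        return have_root ? RUN_WITH_ROOT : RUN_UNPRIVILEGED;
    switch (lookup_mode(applet)) {
    case SUID_REQUIRE: return have_root ? RUN_WITH_ROOT : REFUSE;
    case SUID_MAYBE:   return have_root ? RUN_WITH_ROOT : RUN_UNPRIVILEGED;
    default:           return RUN_UNPRIVILEGED;   /* drop back to the real uid */
    }
}

/* Apply the decision to the real process; returns 0 on success, -1 on refusal/failure. */
int apply_decision(enum decision d, uid_t ruid) {
    if (d == REFUSE) return -1;
    if (d == RUN_UNPRIVILEGED && geteuid() != ruid)
        return setuid(ruid);   /* irreversible drop; the return value must be checked */
    return 0;
}

int main(int argc, char **argv) {
    const char *applet = argc > 1 ? argv[1] : "cp";
    enum decision d = decide(applet, 1, geteuid());
    printf("%s: %s\n", applet, d == REFUSE ? "refused" : d == RUN_WITH_ROOT ? "root" : "unprivileged");
    return apply_decision(d, getuid()) ? 1 : 0;
}
```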