NOEXEC environment bug
Jack Schmidt
busybox at mowsey.org
Wed Nov 1 01:28:52 UTC 2017
I believe I have found a bug in the current version of busybox.
When:
* an applet is marked NOEXEC,
* busybox is configured with CONFIG_FEATURE_SH_STANDALONE=y, and
* busybox's ash is asked to do "ENV_VAR=newval no_exec_app"
Then the no_exec app is not called with the new environment.
This affects git master d5c1482fbac71c51e3add52632cdf1f9f9e6661b and 1:1.21.0-1ubuntu1
To reproduce from git (on Linux):
git pull
make defconfig
sed -i 's/# CONFIG_FEATURE_SH_STANDALONE is not set/CONFIG_FEATURE_SH_STANDALONE=y/' .config
make
./busybox ash -c 'BUG=1 head /proc/self/environ | grep -q BUG && echo ok || echo bug'
./busybox ash -c 'BUG=1 ./busybox head /proc/self/environ | grep -q BUG && echo ok || echo bug'
The first echoes "bug" because the environment is not set. The second bypasses the NOEXEC and reports "ok" because the environment is set. If CONFIG_FEATURE_SH_STANDALONE is not set, then both echo "ok".
The bug is also in the Ubuntu version of busybox (so it's not a recent change).
$ docker run --rm busybox:1-ubuntu sh -c \
'BUG=1 head /proc/self/environ | grep -q BUG && echo ok || echo bug'
bug
$ docker run --rm busybox:1-ubuntu sh -c \
'BUG=1 /bin/head /proc/self/environ | grep -q BUG && echo ok || echo bug'
ok
Alpine Linux uses a similar command to check if /proc is really mounted, or is just a semi-convincing fake. With CONFIG_FEATURE_SH_STANDALONE, real /proc registers as a fake.
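
One mechanism that produces the symptom reported above, as an added example (not part of the original post and not busybox code): /proc/self/environ shows the environment block from the last execve(), so a variable set in a forked child that never execs is visible to getenv() but not in that file. It assumes a NOEXEC applet runs in such a child; BUG_DEMO and the function names are made up for the demo.

```c
/* Constructed demo; BUG_DEMO is a made-up variable name. Linux with /proc only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define VAR "BUG_DEMO"

/* 1 if "VAR=" starts an entry of /proc/self/environ, 0 if not, -1 on error. */
static int in_proc_environ(void) {
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/environ", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';                       /* entries are NUL-separated */
    for (char *p = buf; p < buf + n; p += strlen(p) + 1)
        if (strncmp(p, VAR "=", sizeof VAR) == 0) return 1;
    return 0;
}

/* Fork, set VAR in the child, return the child's exit status (-1 on error).
   use_exec=0: child inspects itself with no execve (the assumed NOEXEC path);
               bit 0 = getenv() sees VAR, bit 1 = /proc/self/environ does.
   use_exec=1: child execs sh, which runs a pipeline like the post's; 0 = found. */
static int run_child(int use_exec) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setenv(VAR, "1", 1);
        if (use_exec) {
            execl("/bin/sh", "sh", "-c",
                  "cat /proc/self/environ | grep -q " VAR "=", (char *)NULL);
            _exit(127);                  /* exec failed */
        }
        int proc = in_proc_environ();
        _exit(proc < 0 ? 64 : ((getenv(VAR) != NULL) | (proc << 1)));
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void) {
    printf("no exec:   status %d (1 = getenv only)\n", run_child(0));
    printf("with exec: grep exit %d (0 = found)\n", run_child(1));
    return 0;
}
```

A status of 1 from the first call means the variable exists in the child's live environment while a check that reads /proc/self/environ still misses it.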