[BusyBox] Division of work.

Mark Whitley markw at lineo.com
Thu Mar 8 18:40:16 UTC 2001 

On Thu, Mar 08, 2001 at 08:35:30PM +0300, Vladimir N. Oleynik wrote:
> Mark Whitley wrote:
> 
> > One of the things Erik and I have discussed is converting the 'enum Location'
> > set into a more general-purpose 'flags' listing, which would allow us to add
> > an entry called _BB_DROP_PERMS to all of the applets that need to be +s. Then,
> > in busybox_main we would have code like tinylogin that tests if that bit is
> > set and drops permissions accordingly
> 
> Please, do not make it. Please!
> As a last resort only through preprocessor brackets.
> 
> Example:
> 
> % ls -l reboot
> -rwsr-x---   1 root     wheel          7432 Oct 14  1999 /sbin/reboot
> 
> After this all `wheel' group can reboot system.
> After you idea I can`t make this even with suid-wrapper!

Vladimir, I'm having a little difficulty following you here.

For starters, in the example you gave above, if you're concerned about anyone
in group 'wheel' being able to call reboot, you have two choices: 'chmod g-x
/sbin/reboot' or 'chgrp root /sbin/reboot'. That should solve the problem of
anyone in wheel being able to reboot the system.

How would dropping permissions be a problem in your above example? It's
setuid, not setgid, so I don't see how 'wheel' would enter into it from the
standpoint of +s.

Not every applet would be dropping permissions, just the ones that we
explicitly set with _BB_DROP_PERMS in applets.h. Thus, if there isn't a need
for reboot to drop perms, it won't. Simple.

The idea with dropping permissions is to eliminate the need for a
suid-wrapper.

Lastly, please keep in mind that the approach I described above is just an
idea that we've been talking about, it's not set in stone. If there's a
problem with the implementation details, they'll be treated as bugs and fixed.
If the approach turns out to be a bad design descision, then we'll scrap it
and come up with a better idea. Please don't worry too much about this. Just
like it says on the Hitchhiker's Guide: "Don't Panic".


Mark Whitley
markw at lineo.com

More information about the busybox mailing list