[BusyBox] Got /etc/busybox.conf SUI SGID working at last

gerald.bonne at axa.be gerald.bonne at axa.be
Fri May 7 04:03:32 MDT 2004


I searched for a long time to get this working and found by experimenting
all kinds of combinations.
 
First, you need to compile BB with support for SUID SGID.
Then, after make install, chmod the busybox executable to 4755. The fear of
now having suid root for everything is wrong (I tried it with some commands
not in /etc/busybox.conf, I also tried to vi and save a file writable only
by root, and it fails beautifully with another user, as expected). I think
that the SUID SGID support does the trick on this.
The chmod u+s is needed so that BB can do the SUID SGID changes when needed;
without that, any properly configured command in /etc/busybox.conf will still
fail with a message saying that the suid (or sgid) failed.
 
How to configure /etc/busybox.conf properly:
The doc is almost right and almost clear on this.
You need a line [SUID] followed by the config lines (anything after a # is
disregarded as a comment).
Each config line is the configured command followed by =, then the flags, and
then the user dot group that should be switched to during the command execution
(/bin/busybox should remain 4755 root root and not be configured in here).
Look at the make menuconfig help for the SUID SGID support for more details.
The doc is only unclear about the user.group... These are the user.group
that is switched to during suid sgid (i.e. this is as if the real command
file were owned by user:group) and both are mandatory (the default empty
that results in root.root does not work and results in an error in BB 1.0
pre9).
 
Additional comment: I had to add more in it too! Else "more" results in
access denied on /dev/console.
 
Example working /etc/busybox.conf
> ------------------------------<
[SUID]
su = ssx root.root
passwd = ssx root.root
more = ssx root.root
> ------------------------------<
 
Note that though passwd is configured to suid and sgid to root:root and
though /bin/busybox is -rwsr-xr-x root root, an ordinary user will still
not be able to passwd on anyone else but himself, will still be forced to
use safe passwords etc...
This is (I think but Erik has to confirm) because BB is compiled with the
option for SUID SGID support.
 
I hope this will help many to resolve their embedded system's gremlins.
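
An added example, not part of the original post and not BusyBox code: a small Python audit of the [SUID] section format described above, reporting lines that omit the mandatory user.group and listing the applets that switch to root. The function names and the two faulty sample lines are constructed; reading a leading "s" flag as the setuid request and accepting a numeric 0 for root are assumptions.

```python
import re

# Constructed sample: the post's three entries plus two constructed faulty lines.
SAMPLE = """\
[SUID]
su = ssx root.root
passwd = ssx root.root   # trailing comment
more = ssx root.root
ping = ssx               # constructed: user.group left out
mount = ssx root         # constructed: group left out
"""

# applet = <3 flag characters> [owner]
ENTRY = re.compile(r"^(?P<applet>[^\s=]+)\s*=\s*(?P<flags>\S{3})(?:\s+(?P<owner>\S+))?$")

def parse_suid_section(text):
    """Return (entries, problems) for the [SUID] section of a busybox.conf."""
    entries, problems, in_suid = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # anything after '#' is a comment
        if not line:
            continue
        if line.startswith("["):
            in_suid = (line == "[SUID]")
            continue
        if not in_suid:
            problems.append((lineno, "entry outside [SUID] section"))
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((lineno, "not of the form 'applet = flags user.group'"))
            continue
        user, dot, group = (m["owner"] or "").partition(".")
        if not (user and dot and group):
            # The post reports that both parts are mandatory in BB 1.0 pre9.
            problems.append((lineno, f"{m['applet']}: user.group must name both"))
            continue
        entries[m["applet"]] = (m["flags"], user, group)
    return entries, problems

def setuid_root_applets(entries):
    """Applets whose entry requests a setuid switch to root: the list to review.
    Assumption: first flag 's' means setuid; '0' is accepted as a numeric root id."""
    return sorted(a for a, (flags, user, _) in entries.items()
                  if flags[0] == "s" and user in ("root", "0"))
```

Run it over the deployed /etc/busybox.conf and compare setuid_root_applets() against the applets that are meant to run as root on the device.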
 

