Busybox runtime restrictions
Rob Landley
rob at landley.net
Mon Feb 13 17:30:06 UTC 2006
On Sunday 12 February 2006 16:02, Michael S. Zick wrote:
> Group,
>
> Pardon a newbie question but I am either very
> confused or there is something missing...
The "something missing" is that busybox needs a real sudo applet.
> My test setup:
>
> A group name: 'users'
> A non-privileged user: vsguest
> The user 'vsguest' is a member of the group 'users'.
>
> The busybox runtime restriction file '/etc/busybox.conf'
> contains only the '[SUID]' section header.
You read the menuconfig help for CONFIG_FEATURE_SUID_CONFIG, right? (Seems to
be the only documentation we have on the subject.)
New todo item: collate configuration help, BusyBox.html,
examples/bootfloppy/*.txt, examples/udhcp/*.txt, the existing online FAQs,
the README...
> Test part 1:
>
> login vsguest
> <password>
>
> Make a test file: 'touch junk'
> Try to change the file mode: 'chmod 755 junk'
>
> response:
> chmod: junk: Operation not permitted
> (i.e. correct as I understand it)
Um, who owns "junk"? If vsguest owns it, vsguest should be able to modify it.
(This is chmod, not chown...)
> logout from vsguest;
>
> Test part 2:
>
> Append the following line to /etc/busybox.conf:
> 'chmod = ssx root.users'
>
> login vsguest
> <password>
>
> Try to change the file mode: 'chmod 755 junk'
> Works as expected.
> (i.e. correct as I understand it)
>
> The problem:
>
> chmod 755 /bin/busybox
> Works!
You said they can run chmod as root. That's what running chmod as root does.
> But of course, that turns off the ability of
> busybox supporting suid.
>
> Also, a similar thing can be done to /etc/busybox.conf
>
> With that control line, the regular user can trash
> the installation.
Sounds about right.
> Without that control line, the regular user can not
> change mode or ownership of their own files.
If they can't chmod, that's a bug. If they can't chown, that's working as
designed. (Giving away your own files to somebody else has security
implications, Linux doesn't allow it.)
> The question:
> Is this the intended behavior, a bug, or cockpit error
> on my part?
From current cvs:
landley at driftwood:~/busybox$ ls -l woot.sh
-rw-r--r-- 1 landley landley 5954 Feb 11 18:34 woot.sh
landley at driftwood:~/busybox$ ./busybox chmod +x woot.sh
landley at driftwood:~/busybox$ ls -l woot.sh
-rwxr-xr-x 1 landley landley 5954 Feb 11 18:34 woot.sh
landley at driftwood:~/busybox$
The rest sounds like pilot error, but I haven't looked that closely.
> Presuming no cockpit error:
>
> I suggest the addition of another pair field to the control
> line. Also the recognition of a wildcard ('*') for those fields.
We need support for real sudo as an applet. I'd rather implement that than
extend the halfway thing we've got now.
Rob
--
Steve Ballmer: Innovation! Inigo Montoya: You keep using that word.
I do not think it means what you think it means.
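Added example (not code from this thread or from BusyBox): a small audit script that parses the [SUID] section of a busybox.conf and flags entries like the "chmod = ssx root.users" line above, i.e. a mode- or ownership-changing applet granted setuid root and runnable by ordinary users, which is what let vsguest chmod /bin/busybox. The entry syntax follows the line quoted in the thread; reading the three mode letters as a chmod-style owner/group/other triple, with a leading 's' meaning setuid to the named user, is an assumption.

```python
import re

# Constructed sample busybox.conf: the thread's chmod line plus entries that should not be flagged.
SAMPLE_CONF = """\
# /etc/busybox.conf (constructed sample)
[SUID]
# applet = mode user.group
chmod = ssx root.users
chown = ss- root.root
ping = ssx root.users
"""

# Applets that, run as root, can re-mode or re-own /bin/busybox or /etc/busybox.conf.
FILESYSTEM_APPLETS = {"chmod", "chown", "chgrp"}

ENTRY_RE = re.compile(r"^(\w+)\s*=\s*([sSx-]{3})\s+([\w-]+)\.([\w-]+)$")

def parse_suid_section(text):
    """Return {applet: (mode, user, group)} from the [SUID] section.
    Comments and blank lines are skipped; a malformed entry raises ValueError."""
    entries = {}
    in_suid = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_suid = line[1:-1].strip().upper() == "SUID"
            continue
        if not in_suid:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed [SUID] entry {raw!r}")
        applet, mode, user, group = m.groups()
        entries[applet] = (mode, user, group)
    return entries

def risky_entries(entries):
    """Filesystem applets granted setuid root that non-root users can run.
    Assumption: mode is an owner/group/other triple, so a leading 's' means setuid
    to <user>, and a non-'-' group or other letter lets others run the applet."""
    flagged = []
    for applet, (mode, user, group) in entries.items():
        setuid_root = mode[0] in "sS" and user == "root"
        others_can_run = mode[2] == "x" or (mode[1] != "-" and group != "root")
        if setuid_root and others_can_run and applet in FILESYSTEM_APPLETS:
            flagged.append(applet)
    return sorted(flagged)
```

Running risky_entries(parse_suid_section(SAMPLE_CONF)) reports only chmod: chown is restricted to group root, and ping cannot alter file modes.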