/etc/busybox.conf confusion [security?]

Tito farmatito at tiscali.it
Tue May 1 00:58:26 PDT 2007


On Tuesday 01 May 2007 09:12:18 Jan Evert van Grootheest wrote:
> > On Friday 27 April 2007 13:44:46 Jan Evert van Grootheest wrote:
> > > 
> > > > > All,
> > > > > 
> > > > > I think this got introduced in applets.c:check_suid with 17508 
> > > > > 'accumulated post-1.4.0 fixes'.
> > > > > 
> > > > > This part of the diff seems responsible.
> > > > > -			if ((sct->m_mode & (S_ISGID | S_IXGRP)) 
> > > > > == (S_ISGID | S_IXGRP)) {     /* *both* have to be set 
> > for sgid */
> > > > > -				xsetgid(sct->m_gid);
> > > > > -			} else xsetgid(rgid);                /* 
> > > > > no sgid -> drop */
> > > > > -
> > > > > -			if (sct->m_mode & S_ISUID) 
> > xsetuid(sct->m_uid);
> > > > > -			else xsetuid(ruid);                  /* 
> > > > > no suid -> drop */
> > > > > +			if (sct->m_gid != 0) {
> > > > > +				/* _both_ have to be 
> > set for sgid */
> > > > > +				if ((sct->m_mode & (S_ISGID |
> > > > > S_IXGRP)) == (S_ISGID | S_IXGRP)) {
> > > > > +					xsetgid(sct->m_gid);
> > > > > +				} else xsetgid(rgid); /* no
> > > > > sgid -> drop */
> > > > > +			}
> > > > > +			if (sct->m_uid != 0) {
> > > > > +				if (sct->m_mode & S_ISUID)
> > > > > xsetuid(sct->m_uid);
> > > > > +				else xsetuid(ruid); /* no suid
> > > > > -> drop */
> > > > > +			}
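Review bot: the new `if (sct->m_gid != 0)` / `if (sct->m_uid != 0)` guards skip the whole decision, including the drop branches `xsetgid(rgid)` and `xsetuid(ruid)`, so an entry configured with uid or gid 0 (the `xxx 0.0` form from the first message) never reaches the "no suid -> drop" path and the applet keeps the effective root it inherited from the suid-root binary; that is exactly what the first message reports. A zero id does not mean "nothing configured", it means "configured as root", so the guard cannot stand as written: either revert to the unconditional form, or keep the guard only around the elevation and always run the drop (an `else xsetgid(rgid);` / `else xsetuid(ruid);` on the outer `if`s does that). Separately, the retained `xsetuid(sct->m_uid)` call changes the real uid as well once the process is euid 0 (setuid(2) semantics for a privileged caller), so an `ssx root.0` applet can no longer tell who actually ran it; setting only the effective and saved ids (setresuid(-1, uid, uid), same for the gid) would keep the caller's real uid visible to su/passwd.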
> > > > > 
> > > > > Previously if there was no sgid/suid, privileges would always be
> > > > > dropped. Now they're only dropped if the uid/gid in bb.conf is not
> > > > > 0.
> > > > > 
> > > > > I would propose to revert this part of the patch.
> > > > > Adding an else to call xsetuid/xsetgid would seem to do the right
> > > > > thing but, I guess, would only increase the size of the
> > > > > executable.
> > > > > 
> > > > > This seems, by the way, to be a security bug? It leaves processes
> > > > > with effective root all over!
> > > > > 
> > > > > -- Jan Evert
> > > > > 
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: busybox-bounces at busybox.net
> > > > > > [mailto:busybox-bounces at busybox.net] On Behalf Of Jan Evert van
> > > > > > Grootheest
> > > > > > Sent: Friday 27 April 2007 9:07
> > > > > > To: busybox at busybox.net
> > > > > > Subject: /etc/busybox.conf confusion
> > > > > > 
> > > > > > 
> > > > > > Hi,
> > > > > > 
> > > > > > The confusion is mine (not bb).
> > > > > > 
> > > > > > If I have sh not in /etc/busybox.conf and I login as user
> > > > > mysql I get
> > > > > > this:
> > > > > > 
> > > > > > viking-be# cat /proc/self/status | egrep "id:|Name"
> > > > > > Name:   sh
> > > > > > Tgid:   1192
> > > > > > Pid:    1192
> > > > > > PPid:   1173
> > > > > > TracerPid:      0
> > > > > > Uid:    500     500     500     500
> > > > > > Gid:    500     500     500     500
> > > > > > viking-be# cat /proc/1173/status | egrep "id:|Name"
> > > > > > Name:   sh
> > > > > > Tgid:   1173
> > > > > > Pid:    1173
> > > > > > PPid:   1064
> > > > > > TracerPid:      0
> > > > > > Uid:    500     500     500     500
> > > > > > Gid:    500     500     500     500
> > > > > > 
> > > > > > 
> > > > > > Now, when I put sh in the busybox.conf file as using
> > > > > > sh      = xxx 0.0
> > > > > > And login again and try the same this is the result
> > > > > > viking-be# cat /proc/self/status | egrep "id:|Name"
> > > > > > Name:   sh
> > > > > > Tgid:   1206
> > > > > > Pid:    1206
> > > > > > PPid:   1203
> > > > > > TracerPid:      0
> > > > > > Uid:    500     0       0       0
> > > > > > Gid:    500     0       0       0
> > > > > > viking-be# cat /proc/1203/status | egrep "id:|Name"
> > > > > > Name:   sh
> > > > > > Tgid:   1203
> > > > > > Pid:    1203
> > > > > > PPid:   1064
> > > > > > TracerPid:      0
> > > > > > Uid:    500     0       0       0
> > > > > > Gid:    500     0       0       0
> > > > > > 
> > > > > > 
> > > > > > I am confused, because I was expecting the same output. I thought
> > > > > > that xxx meant that the applet is a regular executable that doesn't
> > > > > > change effective uid and gid. But apparently it does?
> > > > > > 
> > > > > > So can anyone explain this?
> > > > > > Which part of the process do I not understand?
> > > > > > My guess would be that the problem, if at all, is with the starting
> > > > > > shell, because busybox is suid root and bb.conf is read during
> > > > > > startup.
> > > > > > 
> > > > > > This is a login via the bb telnetd (which is, of course, running as
> > > > > > root) and using the bb login (which is xxx in busybox.conf). And it
> > > > > > concerns bb 1.4.1 (with all patches, as far as I know) using glibc
> > > > > > 2.3.6 on i386.
> > > > > > 
> > > > > > Also note the 'Name' of cat. It is 'sh'. I would guess this to be
> > > > > > due to cat being a safe applet.
> > > > > > 
> > > > > > Many thanks,
> > > > > > Jan Evert
> > > > > >  
> > > > 
> > > > 
> > > > I think more changes are needed. Passwd and su are not really
> > > > behaving well:
> > > > 
> > > > I'm now trying to change the password of a regular user
> > > > (mysql). If I have the passwd applet in bb.conf as xxx it, 
> > > > obviously, is not able to read /etc/shadow. If I have the 
> > > > passwd applet in bb.conf as sxx then it attempts to change 
> > > > the password of root. If I have the passwd applet in bb.conf 
> > > > as sxx and attempt 'passwd mysql' when logged in as mysql, 
> > > > then the correct password is changed, but without asking for 
> > > > the old password!
> > > > 
> > > > Something comparable is happening to the su applet. When
> > > > executed as a regular user: With su as xxx, it asks for the 
> > > > password and then fails to set groups. With su as sxx, it 
> > > > doesn't ask for the password and drops straight into a shell 
> > > > with the correct user (just as if root had executed it).
> > > > 
> > > > Any ideas?
> > > > 
> > > > Thanks,
> > > > Jan Evert
> > > 
> > > I think I figured it out.
> > > 
> > > A suid program has the effective uid of the owner of the program (usually
> > > that will be root). And the real uid is the uid of the logged in user
> > > (for example, mysql). If a suid root program executes setuid(x), the
> > > real and effective uids are changed to become x. Same goes for gid.
> > > 
> > > And that is the bug. Busybox is suid root. If an applet is supposed to
> > > be suid, a setuid is done changing the real uid to root. Thus, for
> > > example, su and passwd think they are executed by root and behave
> > > differently! However, bb doesn't need to setuid because the effective
> > > uid is already root because the program is suid root.
> > > 
> > > So I came up with this patch which I think does the right thing. This
> > > is against 1.4.1.
> > > 
> > > Thanks,
> > > Jan Evert
> > >  
> > 
> > Hi,
> > this seems to work for me:
> > busybox.conf is
> > 
> > [SUID]
> > passwd = ssx 0.0
> > # applet su can be run by anyone and runs with euid=0/egid=0
> > su = ssx root.0 
> > # applet su can be run by anyone and runs with euid=0/egid=0
> > 
> > 
> > root at localhost:~/Desktop/busybox# chown 0.0 /etc/busybox.conf
> > root at localhost:~/Desktop/busybox# chmod 600 /etc/busybox.conf 
> >                                                        
> > root at localhost:~/Desktop/busybox# cp busybox /usr/bin/passwd
> > root at localhost:~/Desktop/busybox# chown 0.0 /usr/bin/passwd
> > root at localhost:~/Desktop/busybox# chmod 4755 /usr/bin/passwd
> > 
> > Running as normal user:
> > 
> > root at localhost:~/Desktop/busybox# cat /proc/18601/status
> > Name:   passwd
> > State:  S (sleeping)
> > SleepAVG:       88%
> > Tgid:   18601
> > Pid:    18601
> > PPid:   15912
> > TracerPid:      0
> > Uid:    1000    0 0     0
> > Gid:    1000    1000    1000    1000
> > FDSize: 256
> > Groups: 7 20 24 25 29 46 111 113 1000 1002 1003
> > 
> > tito at localhost:~$ id
> > uid=1000(tito) gid=1000(tito) 
> > groups=7(lp),20(dip),24(cdrom),25(floppy),29(audio),46(plugdev
> > ),111(admin),113(fuse),1000(tito),1002(vboxusers),1003(halt)
> > tito at localhost:~$ /usr/bin/passwd
> > ruid = 1000 /*debug */
> > busybox.conf readable /*debug */
> > found su /*debug */
> > found passwd /*debug */
> > requested uid 0 gid 0 /*debug */
> > Changing password for tito
> > Old password:
> > New password:
> > Bad password: too weak
> > passwd: password for tito is unchanged
> > 
> > then changing busybox.conf to
> > 
> > [SUID]
> > passwd = ssx 0.0
> > 
> > tito at localhost:~$ /usr/bin/passwd
> > ruid = 1000
> > busybox.conf readable
> > found su
> > found passwd
> > requested uid 0 gid 0
> > Changing password for tito
> > Old password:
> > Incorrect password
> > passwd: password for tito is unchanged
> > tito at localhost:~$                                  
> > 
> > 
> > it is not possible to change password.
> > 
> > Running as root:
> > 
> > root at localhost:~/Desktop# cat /proc/18582/status
> > Name:   passwd
> > State:  S (sleeping)
> > SleepAVG:       58%
> > Tgid:   18582
> > Pid:    18582
> > PPid:   12012
> > TracerPid:      0
> > Uid:    0       0 0     0
> > Gid:    0       0 0     0
> > 
> > root at localhost:~/Desktop# /usr/bin/passwd
> > ruid = 0 /* debug */
> > Changing password for root
> > New password:
> > Bad password: too weak
> > Retype password:
> > Passwords don't match
> > passwd: password for root is unchanged
> > root at localhost:~/Desktop#
> 
> Tito, others,
> 
> Sorry about this, but those su and passwd comments were with my initial
> patch applied.
> 
> With original code, it is easiest to demonstrate using 'cat
> /proc/self/status' with a suid root bbox and as a regular user. Try both
> with cat in bbox.conf as xxx and cat not present in bbox.conf.
> When cat is present as xxx, privileges are not dropped.
> 
> I ran into this because my environment had ash and sh as ssx in
> bbox.conf. Which I changed to xxx. And then still had not proper
> uids/gids.
> 
> -- Jan Evert 
Hi,
mv busybox /bin/busybox
chown 0.0 /bin/busybox
chmod 4755 /bin/busybox

1) not in busybox.conf:
	as normal user /bin/busybox cat /proc/self/status   does not work

2) in busybox.conf
2a)	as normal user and cat = ssx 0.0 in busybox.conf 
	/bin/busybox cat /proc/self/status   works
	Name:   busybox
	State:  R (running)
	SleepAVG:       88%
	Tgid:   6937
	Pid:    6937
	PPid:   6416
	TracerPid:      0
	Uid:    1000    0       0       0
	Gid:    1000    1000    1000    1000

2b) as normal user and cat = xxx 0.0 in busybox.conf 
	/bin/busybox cat /proc/self/status    does not work

	if in [SUID] stanza alphabetical order is respected
	[SUID]
	cat = xxx 0.0
	passwd = ssx 0.0
	# applet su can be run by anyone and runs with euid=0/egid=0
	su = ssx root.0
	# applet su can be run by anyone and runs with euid=0/egid=0

2c) as normal user and cat = xxx 0.0 in busybox.conf  it works
	
	/bin/busybox cat /proc/self/status    works

	if in [SUID] stanza alphabetical order is not respected
	[SUID]
	passwd = ssx 0.0
	# applet su can be run by anyone and runs with euid=0/egid=0
	su = ssx root.0
	# applet su can be run by anyone and runs with euid=0/egid=0
	cat = xxx 0.0

	Name:   busybox
	State:  R (running)
	SleepAVG:       58%
	Tgid:   6953
	Pid:    6953
	PPid:   6416
	TracerPid:      0
	Uid:    1000    0       0       0
	Gid:    1000    1000    1000    1000

Seems that there is really something wrong here....

IMHO check_suid and parse_config_file should be totally rewritten,
the first to make it more readable and the second to reduce the bloat
as most of its features are unused at the moment.

Ciao,
Tito
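To pin down the three behaviours this thread argues about, here is an added example that is not BusyBox code and not Jan Evert's or Tito's patch: a pure-function model of the check_suid() decision in each variant (the 1.4.0 code that always drops, the quoted post-1.4.0 hunk that skips the decision when the configured id is 0, and a version that always decides but only changes the effective and saved ids via setresuid(-1, x, x)), applied to simulated credentials instead of real setuid() calls so it runs as an unprivileged user. The mode-letter mapping in parse_suid_mode(), the variant names and the run_entry() helper are my assumptions; the setuid()/setresuid() semantics it simulates are the POSIX/Linux rules for a process whose effective uid is 0.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Simulated credentials: what /proc/<pid>/status prints as Uid/Gid. */
typedef struct {
    uid_t ruid, euid, suid;   /* real, effective, saved uid */
    gid_t rgid, egid, sgid;   /* real, effective, saved gid */
} cred_t;

/* One "[SUID]" line: applet = mode uid.gid (names assumed already resolved). */
typedef struct {
    mode_t m_mode;
    uid_t  m_uid;
    gid_t  m_gid;
} suid_entry_t;

enum variant {
    V_1_4_0,        /* original: always runs the "no suid -> drop" branch  */
    V_POST_1_4_0,   /* the quoted hunk: whole decision skipped when id == 0 */
    V_PROPOSED      /* always decide, but touch only effective+saved ids    */
};

/* One mode column: 's' = set-id + exec (owner/group only), 'x' = exec, '-' = none. */
static int col_bits(char ch, long s_bit, long x_bit, long *m)
{
    if (ch == 's' && s_bit) { *m |= s_bit | x_bit; return 0; }
    if (ch == 'x')          { *m |= x_bit;         return 0; }
    return ch == '-' ? 0 : -1;
}

/* Assumed mapping: "ssx" -> suid+sgid+exec; "xxx" -> plain executable.
 * "Both set" for sgid therefore means S_ISGID|S_IXGRP. Returns -1 if malformed. */
long parse_suid_mode(const char *s)
{
    long m = 0;
    if (s == NULL || strlen(s) != 3 ||
        col_bits(s[0], S_ISUID, S_IXUSR, &m) ||
        col_bits(s[1], S_ISGID, S_IXGRP, &m) ||
        col_bits(s[2], 0,       S_IXOTH, &m))
        return -1;
    return m;
}

/* setuid()/setgid() issued while euid == 0: all three ids are replaced. */
static void sim_setuid(cred_t *c, uid_t u) { c->ruid = c->euid = c->suid = u; }
static void sim_setgid(cred_t *c, gid_t g) { c->rgid = c->egid = c->sgid = g; }
/* setresuid(-1, x, x) / setresgid(-1, x, x): the real id is left alone. */
static void sim_setresuid(cred_t *c, uid_t u) { c->euid = c->suid = u; }
static void sim_setresgid(cred_t *c, gid_t g) { c->egid = c->sgid = g; }

/* Apply one variant of the check_suid() decision to a credential set. */
cred_t run_check_suid(cred_t c, const suid_entry_t *sct, enum variant v)
{
    uid_t ruid = c.ruid;
    gid_t rgid = c.rgid;
    int want_sgid = (sct->m_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP);
    int want_suid = (sct->m_mode & S_ISUID) != 0;

    switch (v) {
    case V_1_4_0:
        sim_setgid(&c, want_sgid ? sct->m_gid : rgid);
        sim_setuid(&c, want_suid ? sct->m_uid : ruid);
        break;
    case V_POST_1_4_0:
        if (sct->m_gid != 0)   /* the guard also skips the drop branch */
            sim_setgid(&c, want_sgid ? sct->m_gid : rgid);
        if (sct->m_uid != 0)   /* ditto: euid 0 survives for "xxx 0.0" */
            sim_setuid(&c, want_suid ? sct->m_uid : ruid);
        break;
    case V_PROPOSED:
        sim_setresgid(&c, want_sgid ? sct->m_gid : rgid);
        sim_setresuid(&c, want_suid ? sct->m_uid : ruid);
        break;
    }
    return c;
}

/* User ruid/rgid runs applet "mode uid.gid" from a suid-root, non-sgid binary. */
cred_t run_entry(const char *mode, uid_t uid, gid_t gid,
                 uid_t ruid, gid_t rgid, enum variant v)
{
    cred_t start = { ruid, 0, 0, rgid, rgid, rgid };
    suid_entry_t sct = { 0, uid, gid };
    long bits = parse_suid_mode(mode);
    if (bits < 0)
        return start;          /* malformed entry: report the untouched state */
    sct.m_mode = (mode_t)bits;
    return run_check_suid(start, &sct, v);
}

int main(void)
{
    static const char *const names[] = { "1.4.0", "post-1.4.0", "proposed" };
    static const char *const modes[] = { "xxx", "ssx" };
    for (int e = 0; e < 2; e++)
        for (int v = V_1_4_0; v <= V_PROPOSED; v++) {
            cred_t c = run_entry(modes[e], 0, 0, 1000, 1000, (enum variant)v);
            printf("cat = %s 0.0 [%-10s] Uid: %u %u %u  Gid: %u %u %u\n",
                   modes[e], names[v], (unsigned)c.ruid, (unsigned)c.euid,
                   (unsigned)c.suid, (unsigned)c.rgid, (unsigned)c.egid,
                   (unsigned)c.sgid);
        }
    return 0;
}
```

Compiled and run as is, the post-1.4.0 rows for both `xxx 0.0` and `ssx 0.0` come out as Uid: 1000 0 0 and Gid: 1000 1000 1000, the state Tito's /proc/self/status listings show, because with a zero id the hunk calls neither the elevation nor the drop. The 1.4.0 row for `ssx 0.0` comes out as Uid: 0 0 0, the real-uid rewrite Jan Evert traced su's and passwd's "run by root" behaviour to; the proposed row keeps the real ids at 1000 and only makes the effective and saved ids root.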