BusyBox Bug and Patch Tracking
ID: 0001175
Category: [BusyBox] Security
Severity: major
Reproducibility: always
Date Submitted: 01-25-07 15:02
Last Update: 02-13-08 09:33
Reporter: whitpa
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: 1.3.x
Summary: 0001175: su does not require a password if /etc/busybox.conf is present and contains an su entry

Description:
When busybox is setuid root (4755 root:root) and the following /etc/busybox.conf is present (0600 root:root), Busybox 1.3.0 and later will allow su to any user without a password from a nonprivileged account, whereas Busybox 1.2.2.1 and earlier will require a password:

    [SUID]
    su=sxx root.root

If /etc/busybox.conf is present but the su entry is commented out, all Busybox versions will (correctly) fail the su. If /etc/busybox.conf is not present, all Busybox versions will (correctly) allow the su but require a password.

If this change is a feature rather than a bug, then as far as I can determine it does not appear to be a documented one. Possibly other SUID applets are similarly affected (not tested).
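
The three outcomes described in the report above can be checked mechanically on a running system or an unpacked firmware image. The script below is an added example, not part of the original report and not BusyBox code; the function names and output labels are hypothetical, and it assumes an exactly spelled `[SUID]` header and checks only the setuid bit, not ownership.

```shell
#!/bin/sh
# Added example, not BusyBox code: map a system onto the cases in the report.
# Paths are arguments so an unpacked firmware root can be audited offline.

# has_suid_entry CONF APPLET: succeed if CONF has an uncommented
# "APPLET=..." line inside a section headed exactly [SUID] (assumption).
has_suid_entry() {
    awk -v applet="$2" '
        { sub(/#.*/, "") }                          # strip comments
        /^[ \t]*\[/ { in_suid = ($0 ~ /^[ \t]*\[SUID\]/); next }
        in_suid && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name)
            if (name == applet) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# su_case CONF BUSYBOX: print which case from the report applies.
su_case() {
    conf=$1 bin=$2
    if [ ! -u "$bin" ]; then
        echo "not-setuid"   # report covers a setuid busybox only
    elif [ ! -e "$conf" ]; then
        echo "no-conf"      # report: su allowed, password required
    elif has_suid_entry "$conf" su; then
        echo "su-entry"     # report: 1.3.0 and later skip the password
    else
        echo "su-denied"    # report: conf present, su entry commented out
    fi
}

# Constructed demo input: the config from the report and an empty
# stand-in file carrying mode 4755 in place of the busybox binary.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '[SUID]\nsu=sxx root.root\n' > "$tmp/busybox.conf"
    : > "$tmp/busybox" && chmod 4755 "$tmp/busybox"
    su_case "$tmp/busybox.conf" "$tmp/busybox"
    rm -rf "$tmp"
}

demo
```

A result of `su-entry` on a system running an affected version is the combination to review; real paths would be passed as `su_case /etc/busybox.conf /bin/busybox`.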

- Notes
(0002053)
vda
01-26-07 15:20

It is fixed in svn I think.
 
(0004514)
vda
02-13-08 09:33

Seems to be fixed (although reporter never got around to checking/confirming it).
 

- Issue History
Date Modified Username Field Change
01-25-07 15:02 whitpa New Issue
01-25-07 15:02 whitpa Status new => assigned
01-25-07 15:02 whitpa Assigned To  => BusyBox
01-26-07 15:20 vda Note Added: 0002053
02-13-08 09:33 vda Status assigned => closed
02-13-08 09:33 vda Note Added: 0004514
02-13-08 09:33 vda Resolution open => fixed

