 Relationships |
|
| Anonymous | Login | Signup for a new account | 11-10-2008 10:53 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0000549 | [BusyBox] Other | major | always | 11-17-05 04:42 | 04-27-06 16:42 | ||||
| Reporter | aforet | View Status | public | ||||||
| Assigned To | BusyBox | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | 1.00 | ||||||
| Summary | 0000549: Wrong SUID handling when invoking busybox binary directly | ||||||||
| Description |
I'm using the following configuration file /etc/busybox.conf (rw-r--r-- root:root): "[SUID] tar = sx- root.users" The Busybox binary has the SetUID bit. When invoking the tar applet (as an unprivileged user) using the following command line: $ busybox tar xvf file.tar [files to pack] Busybox first considers "busybox" as the applet name. When it tries to handle SUID settings, since there is no matching entry for this applet in the configuration file, it drops all its privileges (see check_suid() function in src/applets/applets.c). Then, it tries to look for the 2nd argument as the applet name ("tar" in this example). This time, the applet exists, and a matching entry is found in the configuration file, but it is too late, priviledges were already dropped during the previous round. As a consequence, calling an applet by running the busybox binary directly always lead to run the applet without taking into account the settings from the configuration file. |
||||||||
| Additional Information |
The patch provided hereafter helps to avoid this issue (only call check_suid() if the applet name is not "busybox"). diff -ur busybox-1.00/applets/applets.c busybox-1.00-new/applets/applets.c --- busybox-1.00/applets/applets.c 2004-04-14 19:51:07.000000000 +0200 +++ busybox-1.00-new/applets/applets.c 2005-11-17 11:44:09.000000000 +0100 @@ -158,7 +158,9 @@ busybox_main (0, NULL); } #ifdef CONFIG_FEATURE_SUID - check_suid (applet_using); + if (strcmp (applet_using->name, "busybox") != 0) { + check_suid (applet_using); + } #endif exit ((*(applet_using->main)) (argc, argv)); |
||||||||
| Attached Files | |||||||||
|
|
|||||||||
|
Relationships |
|
|
Notes |
|
|
(0000724) vodz 12-05-05 08:46 |
I can`t reproduce this. If /etc/busybox.conf have not line for applet, used hardcode suid configuration from include/applets.h. This file have MAYBE suid option for "busybox" applet and do not drop privilegies. |
|
(0000921) landley 01-10-06 19:27 |
If you're calling an applet via the "busybox" name, and you're not root, then you shouldn't become root. You're requesting a behavior change, and I don't think it's a good idea. |
|
(0001329) aforet 04-27-06 02:27 |
And if you're calling an applet via its real name, and you're not root, then you should become root? It does not make much more sense to me... Busybox should really parse its configuration file to always look for the name of the applet to get a consitent behaviour. |
|
(0001330) landley 04-27-06 16:42 |
Closed for a reason. |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 11-17-05 04:42 | aforet | New Issue | |
| 11-17-05 04:42 | aforet | Status | new => assigned |
| 11-17-05 04:42 | aforet | Assigned To | => BusyBox |
| 12-05-05 08:46 | vodz | Note Added: 0000724 | |
| 01-10-06 19:27 | landley | Status | assigned => closed |
| 01-10-06 19:27 | landley | Note Added: 0000921 | |
| 01-10-06 19:27 | landley | Resolution | open => no change required |
| 04-27-06 02:27 | aforet | Status | closed => feedback |
| 04-27-06 02:27 | aforet | Resolution | no change required => reopened |
| 04-27-06 02:27 | aforet | Note Added: 0001329 | |
| 04-27-06 16:42 | landley | Status | feedback => closed |
| 04-27-06 16:42 | landley | Note Added: 0001330 | |
| 04-27-06 16:42 | landley | Resolution | reopened => fixed |
| Copyright © 2000 - 2006 Mantis Group |  |
