On Tue, Jan 18, 2011 at 12:41 PM, David Collier
<[email protected]> wrote:
> Suppose a C program which is running as web, gains root uid, and then
> invokes a shell.
> Will that busybox in the shell refuse to allow the date to be set, as the
> user isn't "really" root? Or would the extra levels of obfuscation fool
> it into allowing it?

It depends on how exactly the "gains root uid" step is done. For example:

$ busybox login
my_hostname login: root
Password:
# _

This is a "genuine" root environment, initialized from non-root.
The crucial function login, su etc. use to achieve it is:

/* Become the user and group(s) specified by PW. */
void FAST_FUNC change_identity(const struct passwd *pw)
{
	if (initgroups(pw->pw_name, pw->pw_gid) == -1)
		bb_perror_msg_and_die("can't set groups");
	endgrent(); /* helps to close a fd used internally by libc */
	xsetgid(pw->pw_gid);
	xsetuid(pw->pw_uid);
}

--
vda
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
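
Added example, not part of the original message and not BusyBox code: a check that tells a process holding only effective uid 0 apart from one that has been through all three steps change_identity() performs (supplementary groups, gid, uid). All names (ident_snapshot, ident_gaps, the GAP_* flags) and the sample uid/gid values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
/* All names here are hypothetical; this is not BusyBox code. */
#define MAX_GROUPS 64
struct ident { uid_t ruid, euid; gid_t rgid, egid; int ngroups; gid_t groups[MAX_GROUPS]; };
enum {
    GAP_RUID   = 1, /* real uid differs: setuid() step not done */
    GAP_EUID   = 2, /* effective uid differs */
    GAP_GID    = 4, /* real or effective gid differs: setgid() step not done */
    GAP_GROUPS = 8  /* unexpected supplementary group: initgroups() step not done */
};

/* Constructed samples: "web" is uid/gid 33, the target is root (0/0, groups {0}). */
const gid_t ROOT_GROUPS[] = { 0 };
const struct ident EUID_ONLY   = { 33, 0, 33, 33, 1, { 33 } }; /* set-uid-root binary */
const struct ident SETUID_ONLY = { 0, 0, 33, 33, 1, { 33 } };  /* setuid(0) and nothing else */
const struct ident FULL_SWITCH = { 0, 0, 0, 0, 1, { 0 } };     /* groups, gid and uid all set */

/* Record the calling process's identity. Returns 0 on success, -1 on error. */
int ident_snapshot(struct ident *id)
{
    id->ruid = getuid();  id->euid = geteuid();
    id->rgid = getgid();  id->egid = getegid();
    id->ngroups = getgroups(MAX_GROUPS, id->groups);
    return id->ngroups < 0 ? -1 : 0;
}

/* Bitmask of what separates `id` from a complete switch to uid/gid/want[]. */
int ident_gaps(const struct ident *id, uid_t uid, gid_t gid, const gid_t *want, int nwant)
{
    int gaps = 0;
    if (id->ruid != uid) gaps |= GAP_RUID;
    if (id->euid != uid) gaps |= GAP_EUID;
    if (id->rgid != gid || id->egid != gid) gaps |= GAP_GID;
    for (int i = 0; i < id->ngroups; i++) {
        int found = 0;
        for (int j = 0; j < nwant; j++)
            if (id->groups[i] == want[j]) found = 1;
        if (!found) gaps |= GAP_GROUPS;
    }
    return gaps;
}
int main(void)
{
    struct ident me;
    if (ident_snapshot(&me) != 0) { perror("getgroups"); return 1; }
    printf("gaps vs. full root identity: %d\n", ident_gaps(&me, 0, 0, ROOT_GROUPS, 1));
    return 0;
}
```

A result of 0 means the process looks like the login case above; any other value names the steps that were skipped.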