On my 1.17.4 sources I had to remove the equivalent line from CROND too - then I could edit it.
TVM
David

In article <[email protected]>, [email protected] (Denys Vlasenko) wrote:

> *From:* Denys Vlasenko <[email protected]>
> *To:* [email protected]
> *CC:* [email protected]
> *Date:* Tue, 18 Jan 2011 13:52:11 +0100
>
> On Tue, Jan 18, 2011 at 1:15 PM, David Collier
> <[email protected]> wrote:
> > Denys,
> >
> > If I want to reproduce the effect whereby setting the s bit on the
> > busybox exe allows all applets to run as root....
> >
> > is the best patch to simply comment out those 2 lines you pointed
> > to?
>
> The best practice is to switch off FEATURE_SUID. Here is its help
> text:
>
> config FEATURE_SUID
>     bool "Support for SUID/SGID handling"
>     default y
>     help
>       With this option you can install the busybox binary belonging
>       to root with the suid bit set, enabling some applets to perform
>       root-level operations even when run by ordinary users
>       (for example, mounting of user mounts in fstab needs this).
>
>       Busybox will automatically drop priviledges for applets
>       that don't need root access.
>
>       If you are really paranoid and don't want to do this, build two
>       busybox binaries with different applets in them (and the appropriate
>       symlinks pointing to each binary), and only set the suid bit on the
>       one that needs it.
>
>       The applets which require root rights (need suid bit or
>       to be run by root) and will refuse to execute otherwise:
>       crontab, login, passwd, su, vlock, wall.
>
>       The applets which will use root rights if they have them
>       (via suid bit, or because run by root), but would try to work
>       without root right nevertheless:
>       findfs, ping[6], traceroute[6], mount.
>
>       Note that if you DONT select this option, but DO make busybox
>       suid root, ALL applets will run under root, which is a huge
>       security hole (think "cp /some/file /etc/passwd").
>
>
> Unfortunately, there is a bug which prevents disabling FEATURE_SUID
> in many cases.
>
> Here is the fix:
>
> http://busybox.net/downloads/fixes-1.18.2/busybox-1.18.2-buildsys.patch
>
> --
> vda
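A simplified model of the per-applet policy described in the quoted FEATURE_SUID help text, written as an added example; it is not BusyBox's own code and not part of this thread. The function and enum names are hypothetical, the applet lists are the ones the help text gives (with `ping[6]` and `traceroute[6]` expanded), and `feature_suid == 0` models a suid-root binary built without the option.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names; the applet lists are the ones in the help text. */
enum suid_result { RUN_UNPRIVILEGED, RUN_AS_ROOT, REFUSE };
static const char *const require_root[] = {
    "crontab", "login", "passwd", "su", "vlock", "wall", NULL };
static const char *const maybe_root[] = {
    "findfs", "ping", "ping6", "traceroute", "traceroute6", "mount", NULL };

static int in_list(const char *name, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(name, *list) == 0)
            return 1;
    return 0;
}

/* What a multi-call binary does for one applet, given real/effective uid.
 * feature_suid == 0 models a build without the option: no per-applet check. */
enum suid_result decide(const char *applet, uid_t ruid, uid_t euid, int feature_suid)
{
    if (!feature_suid)
        return euid == 0 ? RUN_AS_ROOT : RUN_UNPRIVILEGED;
    if (in_list(applet, require_root))
        return euid == 0 ? RUN_AS_ROOT : REFUSE;
    if (in_list(applet, maybe_root))
        return euid == 0 ? RUN_AS_ROOT : RUN_UNPRIVILEGED;
    return ruid == 0 ? RUN_AS_ROOT : RUN_UNPRIVILEGED;  /* everything else drops */
}

/* Permanent drop to the real ids: group first, then user, then verify. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;                      /* root came back: the drop failed */
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}
```

With the option enabled, an ordinary user's `cp` through a suid-root binary ends up unprivileged; with it disabled, the same call keeps effective uid 0, which is the case the help text warns about.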
