On 30/09/13 11:54, Rich Felker wrote:
> On Mon, Sep 30, 2013 at 08:30:01AM +1000, Ryan Mallon wrote:
>> The wall applet is setuid and currently does no checking of the real
>> user's read access to the message file. This allows the wall applet
>> to be used to display files which are not readable by an
>> unprivileged user. For example:
>>
>> $ wall /etc/shadow
>> $ wall /proc/vmallocinfo
>>
>> Fix this issue by introducing the same check as used by the
>> util-linux version of wall: only allow the file argument to be used
>> if the user is root, or the real and effective uid/gids are equal.
>
> No, the fix is to make it so wall is not one of the suid applets.
> There is no reason whatsoever for wall to be suid. Users who want wall
> messages are supposed to make their terminal world-writable. Users who
> don't (i.e. anyone sane) make their terminal non-world-writable.
I need to check what busybox does, but my desktop (Ubuntu 12.04) has:

  -rwxr-sr-x 1 root tty 18976 Mar 30 2012 /usr/bin/wall

And mesg y/n toggles the write permission for the tty group on the
terminal. So, removing the setgid and using mesg would result in normal
users (not in the tty group) not being able to write to other terminals.

Making your terminal world-writable in order to be able to receive
messages (assuming you have some reason you want this) seems more
dangerous, since other users can then do ioctl, etc. on your terminal.
The wall application is, from my understanding, a moderated way of
writing to somebody else's terminal. I totally agree that allowing user
accounts to write to other users' terminals is in general dumb, but I'm
guessing there is also someone out there who depends on this behaviour.
I'm not sure that dropping the setgid is the right approach.

> Idiotic bugs like this (utilities which have no business being suid
> getting treated as one of the suid cases) are why I recommend not even
> using the busybox suid feature at all, or at least making a separate
> busybox binary with only the should-be-suid applets compiled in.

Agreed.

~Ryan

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
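The check described in the quoted patch description (honour a file argument only for root, or when real and effective uid and gid both match), as an added C example that is neither busybox's nor util-linux's code; the function names are assumptions:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Policy from the patch description: a file argument is accepted only when
 * the real user is root, or when the process is borrowing no privilege at
 * all, i.e. real uid == effective uid AND real gid == effective gid.
 * Kept as a pure function of the four ids so the policy can be tested
 * without actually running setuid/setgid. (Name is an assumption.) */
int wall_file_arg_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid == 0)
        return 1;               /* root may read anything anyway */
    return ruid == euid && rgid == egid;
}

/* Apply the policy to the calling process. A setuid-root wall run by an
 * ordinary user (ruid != 0, euid == 0) and a setgid-tty wall like the
 * Ubuntu one above (rgid != egid) are both refused. */
int wall_file_arg_allowed_self(void)
{
    return wall_file_arg_allowed(getuid(), geteuid(), getgid(), getegid());
}

int main(int argc, char **argv)
{
    if (argc > 1 && !wall_file_arg_allowed_self()) {
        fprintf(stderr, "wall: refusing file argument while running "
                        "with borrowed privileges\n");
        return 1;
    }
    printf("file argument %s\n", argc > 1 ? "accepted" : "not given");
    return 0;
}
```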
