making ping suid in the context of busybox basically means "make the
entire busybox binary suid" and that is definitely a bad idea (an
example that comes to mind is the wall vulnerability discovered
recently).
Hi,
Busybox drops suid privileges for applets that don't require it
even before the applet code is called.
I never understood all the fuss about that or the chosen
Busybox solution. Gaining privileges is the single most dangerous
thing in Unix; gaining privileges then dropping them if you didn't
need them after all is playing with fire for no reason.
Here is what I do:
* make a single busybox binary with all the applets I need. My
busybox binary is NEVER setuid.
* compile a separate small C program that tests whether
`basename $0` is in a list of accepted words, and if it is the
case, execs into "/bin/busybox `basename $0` $@". Make that separate
binary setuid root.
* the utilities that need to be setuid root are symlinks to that
binary, the other ones are direct symlinks to busybox.
This solution makes me trust 4 lines of code instead of the
whole busybox binary, and privileges are only gained if they
are really needed. Sure, I have to edit the list of setuid applets
in an additional place; this is a small price to pay for
correctness.
--
Laurent
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
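
The wrapper described in the message above, written out as an added example (not Laurent's code and not part of BusyBox). The allowlist contents, the exit codes and the helper names are assumptions; `/bin/busybox` is the path given in the message.

```c
/* Setuid-root front end: gain privileges only for allowlisted applets. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUSYBOX "/bin/busybox"   /* path as given in the message */

/* Applets that may run privileged (assumed list; edit to taste). */
static const char *const allowed[] = { "ping", "su", "passwd", NULL };

/* Part of path after the last '/', without modifying the input. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Return the matching allowlist entry (our own constant), or NULL. */
static const char *allowed_applet(const char *argv0)
{
    if (argv0 == NULL)           /* execve() may be called with empty argv */
        return NULL;
    const char *name = base_name(argv0);
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strcmp(name, allowed[i]) == 0)
            return allowed[i];
    return NULL;
}

int main(int argc, char **argv)
{
    const char *applet = allowed_applet(argc > 0 ? argv[0] : NULL);
    if (applet == NULL) {
        fputs("applet not permitted\n", stderr);
        return 100;
    }
    /* Build "/bin/busybox <applet> <original args...>". The applet name
     * comes from the allowlist, never from the caller's string. */
    char *nargv[argc + 2];
    nargv[0] = (char *)BUSYBOX;
    nargv[1] = (char *)applet;
    for (int i = 1; i <= argc; i++)   /* i == argc copies the NULL end */
        nargv[i + 1] = argv[i];
    execv(BUSYBOX, nargv);            /* environment is inherited as-is */
    perror("execv " BUSYBOX);
    return 111;
}
```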