A separate suid-exec relay utility is in fact exactly what
we use on our BB installation in our product, and have
for years. BB itself is not suid, I/we didn't trust it
enough. Here it is:
/*
** Relay execution program to setuid-root selected busybox functions.
** (We are expected to be suid-root, busybox is not.)
*/
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(int argc, char **argv, char **envp)
{
    int ii;
    char **nargv, *cp;

    /* Count argv entries; afterwards argv[ii] is the terminating NULL. */
    for (ii = 0; argv[ii]; ii++)
        ;
    /* Room for "busybox", the shifted argv[0..ii-1], and the NULL. */
    nargv = calloc(ii + 2, sizeof *nargv);
    if (nargv == NULL)
        return 1;
    /* Copy argv (including its NULL) one slot to the right. */
    while (ii >= 0) {
        nargv[ii + 1] = argv[ii];
        ii--;
    }
    nargv[0] = "busybox";
    /* busybox selects the applet from its argv[1]: pass the basename
    ** of the name we were invoked as (e.g. a symlink named "ping"). */
    if (argv[0] && (cp = strrchr(argv[0], '/')))
        nargv[1] = cp + 1;
    execve("/bin/busybox", nargv, envp);
    return 1;   /* only reached if execve failed */
}
-- Jim
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Laurent Bercot
Sent: Thursday, January 09, 2014 12:10 PM
To: Denys Vlasenko
Cc: busybox
Subject: Re: [PATCH] ping: try SOCK_DGRAM if no root privileges
> They were an order of magnitude more problematic
> when multi-user machines were the norm.
True enough, but it is still the case, for a good definition of "user".
Most machines today only have one human user, but there are a lot
of uids and gids used to run daemons with separate privileges. It is
just as likely that an exploitable hole will be found in some daemon
code as in some code directly run under the human user's uid - and
there, a "user" exploit won't be a major problem, whereas a root
exploit will.
> It is not logical anymore to see root exploits as orders of magnitude
> more dangerous than user-level ones, and spend much more effort
> to prevent specifically these exploits from being used.
>
> If you are afraid that ping may have a bug, spend time auditing ping,
> not making it more ugly just because you can make such bug
> impact "only lowly user".
I understand what you're saying, and agree with it, but my point is
that my solution:
* isn't much more effort. I probably spent 5-10 minutes writing the
additional 4 lines of C code. And theoretically, the privileged applet
list could be automatically generated from the Kconfig, to avoid any
additional configuration effort.
* isn't more ugly. Actually, there's less code in total than with the
busybox setuid-then-drop-privileges thing, and the general case execution
path is shorter.
It could totally be integrated into busybox itself and benefit everyone.
I just don't have time to work on a patch right now, so I'm just mentioning
the idea around.
--
Laurent
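As an added example (not Jim's relay above and not busybox's own code), here is a variant of the suid relay that applies the "privileged applet list" Laurent describes: the relay only forwards the caller's request to busybox when the applet name taken from argv[0] is on a compiled-in allowlist, and refuses anything else before any exec happens. The allowlist contents (PRIV_APPLETS), the function names and the /bin/busybox path are assumptions made for illustration.

```c
/*
 * Added example: a suid-root relay that forwards only an explicit
 * allowlist of applets to busybox. Not the relay from the thread and
 * not busybox code; PRIV_APPLETS and /bin/busybox are assumed values.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Applets this relay is willing to run with elevated privileges (assumed list). */
static const char *const PRIV_APPLETS[] = { "ping", "ping6", "traceroute", NULL };

/* Basename of argv[0]: the applet the caller asked for, or NULL. */
const char *applet_from_argv0(const char *argv0)
{
    const char *slash;
    if (argv0 == NULL || *argv0 == '\0')
        return NULL;
    slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* 1 if the applet is on the allowlist, 0 otherwise (NULL/empty -> 0). */
int applet_is_privileged(const char *applet)
{
    size_t i;
    if (applet == NULL || *applet == '\0')
        return 0;
    for (i = 0; PRIV_APPLETS[i]; i++)
        if (strcmp(PRIV_APPLETS[i], applet) == 0)
            return 1;
    return 0;
}

/*
 * Build {"busybox", applet, argv[1..argc-1], NULL} for execve.
 * Returns NULL (and execs nothing) if the applet is not allowlisted
 * or allocation fails; the caller frees the result.
 */
char **build_busybox_argv(int argc, char **argv)
{
    const char *applet;
    char **nargv;
    int i;

    if (argc < 1 || argv == NULL)
        return NULL;
    applet = applet_from_argv0(argv[0]);
    if (!applet_is_privileged(applet))
        return NULL;
    nargv = calloc((size_t)argc + 2, sizeof *nargv);
    if (nargv == NULL)
        return NULL;
    nargv[0] = "busybox";
    nargv[1] = (char *)applet;          /* busybox picks the applet from argv[1] */
    for (i = 1; i < argc; i++)
        nargv[i + 1] = argv[i];         /* caller's arguments, shifted by one */
    nargv[argc + 1] = NULL;             /* calloc zeroed it; be explicit */
    return nargv;
}

int main(int argc, char **argv)
{
    char **nargv = build_busybox_argv(argc, argv);
    if (nargv == NULL) {
        fprintf(stderr, "relay: applet not permitted\n");
        return 1;
    }
    execve("/bin/busybox", nargv, environ);   /* path assumed */
    perror("relay: execve");
    free(nargv);
    return 1;
}
```

Installed as, say, /usr/local/bin/ping, the relay hands busybox `busybox ping ...`; invoked under any name that is not on the list it exits before reaching execve, so the set of applets that can run with the relay's privileges is fixed at build time rather than by whatever symlinks happen to exist.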
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox