On Fri, Jan 10, 2014 at 12:06:27PM -0500, Michael Conrad wrote:
> On 1/10/2014 12:37 AM, Laurent Bercot wrote:
> >
> > You're performing too much work copying your argument list. :P
> > The wrapper should be entirely transparent: busybox shouldn't
> >even notice it has been run through it, so it should be called
> >with the exact same argv. Here's what I do
> >[...]
> 
> If you didn't want to have to maintain the list within the binary,
> and want to depend on the filesystem to declare which applets are
> allowed, you could write the wrapper to stat "/bin/$NAME" to verify
> that it (and "/" and "/bin") are
>   * owned by root
>   * not writable by other users
>   * on the root filesystem (compare device number to device number of "/")
>   * has set-uid bit
> 
> This would be authorization-by-the-filesystem that you could rely
> on, and is intuitive to configure.
> 
> It's a lot more code to write, but would still be a small binary.

Note that this kind of approach STILL does not protect you from
vulnerabilities in the dynamic linker (avoiding them would require
making both the wrapper and busybox binary static-linked) or libc
startup code (inevitable). Unlike other methods (e.g. logging into a
daemon via a local or network socket) by which initially
non-privileged users/clients get control of a privileged process, the
legacy setuid mechanism simply has too many potentially dangerous
inputs to account for:

- environment variables
- inherited file descriptors (possibly to files in /proc which behave
  differently depending on the uid of the process accessing them)
- resource limits (which can cause failure in syscalls the program
  expected not to be able to fail).
- controlling terminal and other process group and session mess.
- ...

Playing whack-a-mole trying to make sure your suids are safe against
all of these is an exercise in futility. If you want a system that's
secure against local attacks, you have to ensure that no user account
that might be compromised is able to execute an suid binary. And the
easiest way to do this is not to have any.

This is why I want to see a ping that works without suid.

Rich
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox