ping, ping6 and traceroute are installed now so that when invoked by normal users, the resulting process runs only with the net_raw capability and not as root. This mitigates the effect when normal invocations of these commands run into problems. A hardlink is used to create the additional copy of the busybox binary, so the increase in disk space is minimal.
However, a local attacker can still run these commands as root by symlinking to the original busybox.suid. Fixing that would require building busybox differently, which would cost more disk space. Signed-off-by: Patrick Ohly <[email protected]> --- meta/recipes-core/busybox/busybox_%.bbappend | 41 ++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox_%.bbappend diff --git a/meta/recipes-core/busybox/busybox_%.bbappend b/meta/recipes-core/busybox/busybox_%.bbappend new file mode 100644 index 0000000..c27b0cd --- /dev/null +++ b/meta/recipes-core/busybox/busybox_%.bbappend 
@@ -0,0 +1,41 @@ +inherit capabilities + +# This .bbappend lowers privileges of certain commands from "runs as +# root via suid" to "runs with a limited set of privileges via file +# capabilities". +# +# The original list of symlinks to busybox.suid is, with (*) marking +# commands which now can get executed with less privileges: +# /bin/ping (*) +# /bin/ping6 (*) +# /bin/login +# /usr/bin/passwd +# /bin/su +# /usr/bin/traceroute (*) +# /usr/bin/vock +# +# As it stands now, this change still leaves the "ping" and "traceroute" +# code in the busybox.suid binary, where it can be executed as root by +# a normal user by symlinking to it ("ln -s /bin/busybox.suid /tmp/ping; +# /tmp/ping ..."). +# +# To fix this, one would have to split up busybox even further, which +# (somewhat) negates the space saving coming from implementing several +# commands in the same binary. + +CAPABILITIES_${PN} = " \ + ${base_bindir}/busybox.net_raw=net_raw \ +" + +do_install_append () { + ln ${D}/${base_bindir}/busybox.suid ${D}/${base_bindir}/busybox.net_raw + grep \ + -e ping \ + -e traceroute \ + ${D}/${sysconfdir}/busybox.links.suid >${D}/${sysconfdir}/busybox.links.net_raw + grep -v \ + -e ping \ + -e traceroute \ + ${D}/${sysconfdir}/busybox.links.suid >${D}/${sysconfdir}/busybox.links.suid.tmp + mv ${D}/${sysconfdir}/busybox.links.suid.tmp ${D}/${sysconfdir}/busybox.links.suid +} -- 2.1.4
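Review bot: the `ln ${D}/${base_bindir}/busybox.suid ${D}/${base_bindir}/busybox.net_raw` in do_install_append creates a hardlink, i.e. a second name for the same inode, and both the mode bits (including the setuid bit that busybox.suid still needs for login, passwd and su) and the security.capability xattr are stored on the inode, so the two names cannot carry different privilege: either busybox.net_raw stays setuid root, contradicting the commit message, or clearing setuid so that the net_raw capability takes effect also clears it on busybox.suid. Please state how the capabilities class handles this (for example whether it breaks the link before setcap) or use `cp` here and accept the space cost the message already discusses; the target-side check (`ls -l` on both names plus `getcap /bin/busybox.net_raw`) belongs in the commit message. The unanchored `grep -e ping -e traceroute` matches any link path that merely contains those substrings and the `grep -v` pass removes the same set from the suid list, so anchoring (e.g. `-e '/ping$' -e '/ping6$' -e '/traceroute$'`) makes the selection explicit; and because grep exits 1 when nothing matches, the first pass fails the task on a busybox configuration built without ping or traceroute, so guard it (`|| true` or a test on the input). Minor: `/usr/bin/vock` in the comment list is presumably `/usr/bin/vlock`.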
