[oe-commits] [openembedded-core] 02/29: busybox.inc: Add sanity check to test if the suid binary provides sh

git at git.openembedded.org git at git.openembedded.org
Mon Jan 29 08:50:35 UTC 2018


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master
in repository openembedded-core.

commit b64807549569817c8f1921a0aad52c815af90731
Author: Nathan Rossi <nathan at nathanrossi.com>
AuthorDate: Wed Jan 24 22:59:28 2018 +1000

    busybox.inc: Add sanity check to test if the suid binary provides sh
    
    Add a sanity check during the do_compile task to fail if the suid
    busybox provides /bin/sh. This is considered as a hard fail since not
    only is providing sh as suid problematic for security reasons but also
    because the sh configured for suid is less functional than the nosuid
    configured sh and breaks a number of required features (e.g. 64-bit
    test).
    
    Signed-off-by: Nathan Rossi <nathan at nathanrossi.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
---
 meta/recipes-core/busybox/busybox.inc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 4012f92..157aea3 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -183,6 +183,12 @@ do_compile() {
 			oe_runmake busybox.links
 			mv busybox.links busybox.links.$s
 		done
+
+		# hard fail if sh is being linked to the suid busybox (detects bug 10346)
+		if grep -q -x "/bin/sh" busybox.links.suid; then
+			bbfatal "busybox suid binary incorrectly provides /bin/sh"
+		fi
+
 		# copy .config.orig back to .config, because the install process may check this file
 		cp .config.orig .config
 		# cleanup
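Review bot: The `grep -q -x "/bin/sh" busybox.links.suid` test in the added block matches only the exact line `/bin/sh`, so a shell applet linked from the suid binary under another name or path (for example `/bin/ash`) would pass the check. If the intent is that the suid binary never provides a shell, consider matching those entries as well. Separately, grep exits non-zero both when there is no match and when busybox.links.suid is missing or unreadable, so the `if` treats a missing links file as a pass. A preceding `[ -f busybox.links.suid ]` test, or an explicit check for grep's exit status 1, would keep the sanity check from being skipped silently. The bbfatal text could also say how to resolve the failure, since the comment's "bug 10346" reference does not appear in the message the user sees.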
