[OE-core] [PATCH 3/3] busybox_%.bbappend: run ping and traceroute with file capabilities

Patrick Ohly patrick.ohly at intel.com
Wed Dec 9 19:14:31 UTC 2015


ping, ping6 and traceroute are installed now so that when invoked by
normal users, the resulting process runs only with the net_raw
capability and not as root. This mitigates the effect when normal
invocations of these commands run into problems. A hardlink is used
to create the additional copy of the busybox binary, so the increase
in disk space is minimal.

However, a local attacker can still run these commands as root by
symlinking to the original busybox.suid. Fixing that would require
building busybox differently, which would cost more disk space.

Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
 meta/recipes-core/busybox/busybox_%.bbappend | 41 ++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox_%.bbappend

diff --git a/meta/recipes-core/busybox/busybox_%.bbappend b/meta/recipes-core/busybox/busybox_%.bbappend
new file mode 100644
index 0000000..c27b0cd
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox_%.bbappend
@@ -0,0 +1,41 @@
+inherit capabilities
+
+# This .bbappend  lowers privileges of certain commands from "runs as
+# root via suid" to "runs with a limited set of privileges via file
+# capabilities".
+#
+# The original list of symlinks to busybox.suid is, with (*) marking
+# commands which now can get executed with less privileges:
+#    /bin/ping (*)
+#    /bin/ping6 (*)
+#    /bin/login
+#    /usr/bin/passwd
+#    /bin/su
+#    /usr/bin/traceroute (*)
+#    /usr/bin/vock
+#
+# As it stands now, this change still leaves the "ping" and "traceroute"
+# code in the busybox.suid binary, where it can be executed as root by
+# a normal user by symlinking to it ("ln -s /bin/busybox.suid /tmp/ping;
+# /tmp/ping ...").
+#
+# To fix this, one would have to split up busybox even further, which
+# (somewhat) negates the space saving coming from implementing several
+# commands in the same binary.
+
+CAPABILITIES_${PN} = " \
+    ${base_bindir}/busybox.net_raw=net_raw \
+"
+
+do_install_append () {
+    ln ${D}/${base_bindir}/busybox.suid ${D}/${base_bindir}/busybox.net_raw
+    grep \
+       -e ping \
+       -e traceroute \
+       ${D}/${sysconfdir}/busybox.links.suid >${D}/${sysconfdir}/busybox.links.net_raw
+    grep -v \
+       -e ping \
+       -e traceroute \
+       ${D}/${sysconfdir}/busybox.links.suid >${D}/${sysconfdir}/busybox.links.suid.tmp
+    mv ${D}/${sysconfdir}/busybox.links.suid.tmp ${D}/${sysconfdir}/busybox.links.suid
+}
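Review bot: the `ln` in do_install_append creates a hardlink, so busybox.net_raw and busybox.suid share one inode and therefore the same mode bits and xattrs; if busybox.suid carries the setuid bit at install time the new name carries it too, and the net_raw file capability set on busybox.net_raw lands on busybox.suid as well, so nothing in this hunk guarantees the privilege reduction actually takes effect. A `cp` followed by clearing the setuid bit on the copy would avoid that at the cost of the disk space the comment mentions; otherwise the comment should say why the shared inode is acceptable. Two smaller points in the same function: `grep -e ping -e traceroute` matches substrings anywhere in the path rather than the applet name (anchoring as `-e '/ping$' -e '/ping6$' -e '/traceroute$'` would be safer), and grep exits 1 when nothing matches, which aborts the task under bitbake's `set -e` if ping or traceroute are not enabled in the busybox config; also the comment lists `/usr/bin/vock`, presumably `vlock`.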
-- 
2.1.4
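The following shell script is an added example, not part of the patch or of OE-core, showing the links-file split the patch performs done with the applet name anchored to the end of each path and with grep's no-match exit status handled, so it also works when a list contains no matching entries. The function name split_links, the file layout and the sample links file (including the distractor /usr/bin/pingpong) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the patch): split a busybox.links.suid-style list
# into the links that should point at the file-capability binary and those
# that stay on busybox.suid. Applet names are matched as the whole basename
# ("/name$"), not as a substring of the path.
set -u

# $1 = input links file (one absolute path per line)
# $2 = output file: links moved to the capability binary
# $3 = output file: links that remain suid
# remaining arguments = applet names to move
split_links() {
    in="$1"; out_caps="$2"; out_suid="$3"
    shift 3
    # Build an ERE such as "/ping$|/ping6$|/traceroute$"
    pat=""
    for a in "$@"; do
        pat="${pat:+$pat|}/$a\$"
    done
    # grep exits 1 when nothing matches; "|| true" keeps a set -e shell
    # (as bitbake uses for tasks) from aborting on an empty result.
    grep -E -e "$pat" "$in" > "$out_caps" || true
    grep -E -v -e "$pat" "$in" > "$out_suid" || true
}

demo() {
    d=$(mktemp -d)
    # Constructed sample of a busybox.links.suid file, with a distractor
    # entry that contains "ping" only as a substring.
    cat > "$d/busybox.links.suid" <<'EOF'
/bin/ping
/bin/ping6
/bin/login
/usr/bin/passwd
/bin/su
/usr/bin/traceroute
/usr/bin/vlock
/usr/bin/pingpong
EOF
    split_links "$d/busybox.links.suid" "$d/busybox.links.net_raw" \
        "$d/busybox.links.suid.new" ping ping6 traceroute
    echo "net_raw links:"; cat "$d/busybox.links.net_raw"
    echo "remaining suid links:"; cat "$d/busybox.links.suid.new"
    rm -rf "$d"
}

demo
```

Run it as a plain script to see the two resulting lists; in a real recipe the same function would be called with ${D}${sysconfdir}/busybox.links.suid and the results moved into place as the patch does.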
