[OE-core] [PATCH 3/3] busybox_%.bbappend: run ping and traceroute with file capabilities
Patrick Ohly
patrick.ohly at intel.com
Wed Dec 9 19:14:31 UTC 2015
ping, ping6 and traceroute are installed now so that when invoked by
normal users, the resulting process runs only with the net_raw
capability and not as root. This mitigates the effect when normal
invocations of these commands run into problems. A hardlink is used
to create the additional copy of the busybox binary, so the increase
in disk space is minimal.

However, a local attacker can still run these commands as root by
symlinking to the original busybox.suid. Fixing that would require
building busybox differently, which would cost more disk space.

Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
meta/recipes-core/busybox/busybox_%.bbappend | 41 ++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox_%.bbappend
diff --git a/meta/recipes-core/busybox/busybox_%.bbappend b/meta/recipes-core/busybox/busybox_%.bbappend
new file mode 100644
index 0000000..c27b0cd
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox_%.bbappend
@@ -0,0 +1,41 @@
+inherit capabilities
+
+# This .bbappend lowers privileges of certain commands from "runs as
+# root via suid" to "runs with a limited set of privileges via file
+# capabilities".
+#
+# The original list of symlinks to busybox.suid is, with (*) marking
+# commands which now can get executed with less privileges:
+# /bin/ping (*)
+# /bin/ping6 (*)
+# /bin/login
+# /usr/bin/passwd
+# /bin/su
+# /usr/bin/traceroute (*)
+# /usr/bin/vock
+#
+# As it stands now, this change still leaves the "ping" and "traceroute"
+# code in the busybox.suid binary, where it can be executed as root by
+# a normal user by symlinking to it ("ln -s /bin/busybox.suid /tmp/ping;
+# /tmp/ping ...").
+#
+# To fix this, one would have to split up busybox even further, which
+# (somewhat) negates the space saving coming from implementing several
+# commands in the same binary.
+
+CAPABILITIES_${PN} = " \
+ ${base_bindir}/busybox.net_raw=net_raw \
+"
+
+do_install_append () {
+ ln ${D}/${base_bindir}/busybox.suid ${D}/${base_bindir}/busybox.net_raw
+ grep \
+ -e ping \
+ -e traceroute \
+ ${D}/${sysconfdir}/busybox.links.suid >${D}/${sysconfdir}/busybox.links.net_raw
+ grep -v \
+ -e ping \
+ -e traceroute \
+ ${D}/${sysconfdir}/busybox.links.suid >${D}/${sysconfdir}/busybox.links.suid.tmp
+ mv ${D}/${sysconfdir}/busybox.links.suid.tmp ${D}/${sysconfdir}/busybox.links.suid
+}
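Review bot: the `ln ${D}/${base_bindir}/busybox.suid ${D}/${base_bindir}/busybox.net_raw` line creates a hard link, so busybox.net_raw and busybox.suid are one inode and share both their mode bits and the security.capability xattr: if busybox.suid already carries its setuid bit when this append runs, busybox.net_raw is setuid as well, and the `busybox.net_raw=net_raw` entry in CAPABILITIES_${PN} ends up applied to busybox.suid too, which undoes the privilege lowering the header comment describes. Please either confirm that the setuid bit is only applied after the two names are separated, or use `cp` and accept the extra copy. The `-e ping` / `-e traceroute` patterns are unanchored substring matches on busybox.links.suid; `-e '/ping$' -e '/ping6$' -e '/traceroute$'` would keep a future link name that merely contains one of those strings from being moved. Minor: `/usr/bin/vock` in the comment should read `/usr/bin/vlock`.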
--
2.1.4
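A check an integrator can run against an extracted rootfs to confirm that a binary meant to run under file capabilities has in fact lost its setuid bit and does not share its inode with a setuid name (the property the commit message relies on). This is an added example, not part of the patch or of OE-core: the function name `check_privileged_binary` and the sample paths are assumptions, and `getcap` (from libcap) is only used when present.

```shell
#!/bin/sh
# check_privileged_binary PATH
# Reports findings for a binary that is expected to run with file
# capabilities only. Returns 0 when clean, 1 when a finding was printed.
# (Example check added here; not part of the patch.)
check_privileged_binary() {
    _f=$1
    _rc=0

    # A setuid/setgid bit is not removed by assigning file capabilities,
    # so a binary that still has it runs as root regardless of the xattr.
    if [ -u "$_f" ] || [ -g "$_f" ]; then
        echo "$_f: setuid/setgid bit set"
        _rc=1
    fi

    # A link count above 1 means another directory entry names the same
    # inode; mode bits and security.capability are shared with that name.
    _links=$(ls -ld "$_f" | awk '{print $2}')
    if [ "$_links" -gt 1 ]; then
        echo "$_f: inode has $_links names, privileges are shared with the others"
        _rc=1
    fi

    # Show the capability set actually stored on the file when libcap is present.
    if command -v getcap >/dev/null 2>&1; then
        getcap "$_f"
    fi

    return $_rc
}

# Usage: check_privileged_binary /path/to/rootfs/bin/busybox.net_raw
# (hypothetical path; pass each binary to inspect as an argument).
if [ "$#" -gt 0 ]; then
    for _p in "$@"; do
        check_privileged_binary "$_p"
    done
fi
```

Run it on the rootfs produced by the image build, not on the sysroot, so the mode bits and xattrs reflect what will ship.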