[OE-core] [PATCH] busybox.inc: Add sanity check to test if the suid binary provides sh

Nathan Rossi nathan at nathanrossi.com
Thu Nov 9 13:25:29 UTC 2017


Add a sanity check during the do_compile task to fail if the suid
busybox provides /bin/sh. This is considered a hard fail since not
only is providing sh as suid problematic for security reasons, but also
because the sh configured for suid is less functional than the nosuid
configured sh and breaks a number of required features (e.g. 64-bit
test).

Signed-off-by: Nathan Rossi <nathan at nathanrossi.com>
Cc: Ross Burton <ross.burton at intel.com>
---
 meta/recipes-core/busybox/busybox.inc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 4012f921c6..157aea3968 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -183,6 +183,12 @@ do_compile() {
 			oe_runmake busybox.links
 			mv busybox.links busybox.links.$s
 		done
+
+		# hard fail if sh is being linked to the suid busybox (detects bug 10346)
+		if grep -q -x "/bin/sh" busybox.links.suid; then
+			bbfatal "busybox suid binary incorrectly provides /bin/sh"
+		fi
+
 		# copy .config.orig back to .config, because the install process may check this file
 		cp .config.orig .config
 		# cleanup
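Review bot: the comment `# hard fail if sh is being linked to the suid busybox (detects bug 10346)` cites a bug number without saying which tracker it belongs to; naming the tracker (or giving the full URL) would keep the rationale for this check findable once the bug is closed. The check itself, `grep -q -x "/bin/sh" busybox.links.suid`, matches only that exact link path, so a shell link at any other location in the suid link set would still pass; if `/bin/sh` is the only path that matters, stating that in the comment would make the intent explicit. Finally, the `bbfatal "busybox suid binary incorrectly provides /bin/sh"` message would be more actionable if it pointed the user at which configuration to change, since the fatal error is the only thing they will see.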
-- 
2.14.2
