[OE-core] [PATCH] busybox.inc: Add sanity check to test if the suid binary provides sh
Burton, Ross
ross.burton at intel.com
Fri Nov 10 12:10:43 UTC 2017
*Nobody* wants /bin/sh to be suid root, and it's been a recurring theme of
previous upgrades that a misconfiguration would result in just that.
Ross
On 10 November 2017 at 12:07, Andrej Valek <andrej.valek at siemens.com> wrote:
> Of course, I don't think so, that /bin/sh > /bin/busybox.suid is a good
> thing. I am just thinking, why is it necessary to cast a fatal message and
> stop the build for someone who wants this.
>
> Andrej
>
> On 11/10/2017 12:57 PM, Burton, Ross wrote:
> > How is /bin/sh being busybox.suid a good thing?
> >
> > Ross
> >
> > On 10 November 2017 at 07:17, Andrej Valek <andrej.valek at siemens.com> wrote:
> >
> > I don't think so, that adding bbfatal into this recipe is a good
> > solution. Someone could build the busybox with /bin/sh linking into
> > .suid, e.g. to be more secure. We can live with this one as before.
> >
> > Andrej
> >
> > On 11/09/2017 02:25 PM, Nathan Rossi wrote:
> > > Add a sanity check during the do_compile task to fail if the suid
> > > busybox provides /bin/sh. This is considered a hard fail since not
> > > only is providing sh as suid problematic for security reasons but also
> > > because the sh configured for suid is less functional than the nosuid
> > > configured sh and breaks a number of required features (e.g. 64-bit
> > > test).
> > >
> > > Signed-off-by: Nathan Rossi <nathan at nathanrossi.com>
> > > Cc: Ross Burton <ross.burton at intel.com>
> > > ---
> > > meta/recipes-core/busybox/busybox.inc | 6 ++++++
> > > 1 file changed, 6 insertions(+)
> > >
> > > diff --git a/meta/recipes-core/busybox/busybox.inc
> > b/meta/recipes-core/busybox/busybox.inc
> > > index 4012f921c6..157aea3968 100644
> > > --- a/meta/recipes-core/busybox/busybox.inc
> > > +++ b/meta/recipes-core/busybox/busybox.inc
> > > @@ -183,6 +183,12 @@ do_compile() {
> > > oe_runmake busybox.links
> > > mv busybox.links busybox.links.$s
> > > done
> > > +
> > > + # hard fail if sh is being linked to the suid
> busybox
> > (detects bug 10346)
> > > + if grep -q -x "/bin/sh" busybox.links.suid; then
> > > + bbfatal "busybox suid binary incorrectly
> provides
> > /bin/sh"
> > > + fi
> > > +
> > > # copy .config.orig back to .config, because the
> install
> > process may check this file
> > > cp .config.orig .config
> > > # cleanup
> > >
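Review bot: the check in the added lines, `+ if grep -q -x "/bin/sh" busybox.links.suid; then`, hardcodes the path, so on a build whose shell link lives elsewhere (for example a merged-/usr layout where the applet link is /usr/bin/sh) the suid binary could still provide sh and the check would silently pass; matching against `${base_bindir}/sh` (the OE variable that describes the configured bindir, which is my assumption about what the recipe uses for its links) or on the basename with `grep -q -E '(^|/)sh$' busybox.links.suid` would track the configured layout. It would also help the person hitting the failure if the bbfatal message named the links file that was inspected, since the fix is a config change rather than anything in this recipe.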