[OE-core] [PATCH] busybox.inc: Add sanity check to test if the suid binary provides sh

Fri Nov 10 12:10:43 UTC 2017

*Nobody* wants /bin/sh to be suid root, and its been a recurring theme of
previous upgrades that a misconfiguration would result in just that.

Ross

On 10 November 2017 at 12:07, Andrej Valek <andrej.valek at siemens.com> wrote:

> Of course, I don't think so, that /bin/sh > /bin/busybox.suid is a good
> think. I am just thinking, why is necessary to cast a fatal message and
> stop build for some, who wants this.
>
> Andrej
>
> On 11/10/2017 12:57 PM, Burton, Ross wrote:
> > How is /bin/sh being busybox.suid a good thing?
> >
> > Ross
> >
> > On 10 November 2017 at 07:17, Andrej Valek <andrej.valek at siemens.com
> > <mailto:andrej.valek at siemens.com>> wrote:
> >
> >     I don't think so, that adding bbfatal into this recipe is a good
> >     solution. Someone could build the busybox with /bin/sh linking into
> >     .suid eg. for more secure. We can leave live with this one as before.
> >
> >     Andrej
> >
> >     On 11/09/2017 02:25 PM, Nathan Rossi wrote:
> >      > Add a sanity check during the do_compile task to fail if the suid
> >      > busybox provides /bin/sh. This is considered as a hard fail since
> not
> >      > only is providing sh as suid problematic for security reasons but
> also
> >      > because the sh configured for suid is less functional than the
> nosuid
> >      > configured sh and breaks a number of required features (e.g.
> 64-bit
> >      > test).
> >      >
> >      > Signed-off-by: Nathan Rossi <nathan at nathanrossi.com
> >     <mailto:nathan at nathanrossi.com>>
> >      > Cc: Ross Burton <ross.burton at intel.com <mailto:
> ross.burton at intel.com>>
> >      > ---
> >      >  meta/recipes-core/busybox/busybox.inc | 6 ++++++
> >      >  1 file changed, 6 insertions(+)
> >      >
> >      > diff --git a/meta/recipes-core/busybox/busybox.inc
> >     b/meta/recipes-core/busybox/busybox.inc
> >      > index 4012f921c6..157aea3968 100644
> >      > --- a/meta/recipes-core/busybox/busybox.inc
> >      > +++ b/meta/recipes-core/busybox/busybox.inc
> >      > @@ -183,6 +183,12 @@ do_compile() {
> >      >                       oe_runmake busybox.links
> >      >                       mv busybox.links busybox.links.$s
> >      >               done
> >      > +
> >      > +             # hard fail if sh is being linked to the suid
> busybox
> >     (detects bug 10346)
> >      > +             if grep -q -x "/bin/sh" busybox.links.suid; then
> >      > +                     bbfatal "busybox suid binary incorrectly
> provides
> >     /bin/sh"
> >      > +             fi
> >      > +
> >      >               # copy .config.orig back to .config, because the
> install
> >     process may check this file
> >      >               cp .config.orig .config
> >      >               # cleanup
> >      >
> >     --
> >     _______________________________________________
> >     Openembedded-core mailing list
> >     Openembedded-core at lists.openembedded.org
> >     <mailto:Openembedded-core at lists.openembedded.org>
> >     http://lists.openembedded.org/mailman/listinfo/openembedded-core
> >     <http://lists.openembedded.org/mailman/listinfo/openembedded-core>
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20171110/c609c240/attachment-0002.html>