[oe] [PATCH] Fix busybox SUID support
Phil Blundell
philb at gnu.org
Fri Feb 26 22:42:30 UTC 2010
On Fri, 2010-02-26 at 23:26 +0100, Bernhard Reutner-Fischer wrote:
> SUID_DROP applets do just that before the individual applet_main is called,
> i.e. drops privs. But whatever..
> If you really think you want to build the thing twice then i'd try
> FEATURE_SHARED_BUSYBOX, fyi.
> $ size 0_lib/{busybox,libbusybox.so.1.17.0.git}
> text data bss dec hex filename
> 1379 520 16 1915 77b 0_lib/busybox
> 339569 6705 8552 354826 56a0a 0_lib/libbusybox.so.1.17.0.git
>
> duplicating 2k is better than duplicating all the innocent rest, but maybe
> that's just me..
Whether this is a good idea or not rather depends on what you're trying
to protect against. The threat scenarios for a setuid busybox basically
fall into two categories:
a) user invokes an applet which shouldn't be setuid, but busybox fails
(for whatever reason) to drop its privs and allows the applet to run in
root context
b) user invokes an applet which is intended to be setuid, busybox
correctly retains the elevated privs while running it, but there is some
bug or vulnerability in the code which causes unwanted results
If you're primarily worried about case (a) then building two copies of
the frontend which share a common libbusybox, one setuid and one not,
probably is a reasonable thing to do. However, as you say, busybox does
already have a fairly robust mechanism in place for dropping privs when
they are not wanted by a particular applet and hence the threat from
this side seems to be quite low anyway.
If you are primarily worried about case (b) then the easiest way to
mitigate the threat is to reduce the amount of code which is linked in
to the setuid binary (either statically or dynamically) and hence the
amount of code that you need to audit for security hazards. In that
situation, linking with a shared libbusybox would not help, since you
still have essentially the whole of busybox to worry about and you might
as well just stick with a single large binary. Instead you would be
better off making a minimal, standalone busybox binary which contained
the bare minimum of code that was required to fulfil its setuid
functions.
p.
More information about the Openembedded-devel
mailing list