
Re: Another system management tool to disappear.



 Hi.

On Sun, 30 Aug 2015 21:16:32 +0900
Joel Rees <joel.rees@gmail.com> wrote:

<skip>
> >> Installed it, suid problems:
> >>
> >> gene@coyote:~$ busybox su amanda
> >> su: must be suid to work properly
> >> gene@coyote:~$ busybox su -
> >> su: must be suid to work properly
> >>
> >> Is it still finding the system su first?
> >
> > No. The 'problem' is exactly what it told you. Meaning:
> >
> > 1) "Original" su is suid root-owned binary:
> >
> > $ ls -la /bin/su
> > -rwsr-xr-x 1 root root 40168 Nov 21  2014 /bin/su
> >
> > 2) Busybox, on the other hand - is not:
> >
> > $ ls -la /bin/busybox
> > -rwxr-xr-x 1 root root 1837008 Feb 19  2015 /bin/busybox
> >
> >
> > So, *root*-invoked "busybox su" should behave exactly like the original
> > "su". Everyone other than root is told to get lost.
> >
> > Note that:
> >
> > 1) Setting the suid bit on busybox is an *extremely* bad idea. Don't
> > ever do it (as busybox provides *much* more than su).
> >> 
> Being curious, myself, about this question, I did a web search on
> "suid busybox" and found this interesting tidbit:
> 
>     http://www.softforge.de/bb/suid.html
> 
> which refers to one compile-time configuration option, and to a convenient
> configuration file:
> 
>     /etc/busybox.conf

Wow. Thank you very much, I was not aware about this.

 
> I would assume that, if you have installed busybox, you would have man
> pages that explain this, as well. 

Actually, no. busybox(1) does not mention anything about busybox.conf
or CONFIG_FEATURE_SUID_CONFIG.

> But I don't have a debian system
> booted to check, at the moment, sorry. After a search on the web,
> maybe it is not easy to find in the man pages, after all.

The easy way here is to check the busybox-static compile options, which
belong to the debian/config/pkg/static file in this archive:

http://http.debian.net/debian/pool/main/b/busybox/busybox_1.20.0-7.debian.tar.gz

And, CONFIG_FEATURE_SUID_CONFIG is there indeed, with the value of "y".

A quick test (wheezy x86-64, just in case):

# cat > /etc/busybox.conf << EOF
[SUID]
su = ssx root.0
EOF
# chmod 600 /etc/busybox.conf
# chmod 4755 /bin/busybox

# su - user
$ busybox cat /etc/shadow
cat: can't open '/etc/shadow': Permission denied
$ busybox su -
Password:


Of course Debian-way implementation would require something like
dpkg-statoverride, but it's a small price to pay.


> I must say, my personal impression of busybox has always been that I
> would rather simply have enough persistent storage to have a proper
> userland -- that it would be indicated only on embedded stuff where
> flash RAM and other persistent storage is extremely limited for some
> reason or other.

To my big surprise, sometimes busybox provides sane behavior, while
coreutils provides a buggy one. An example is #765514 (note that they
managed to put the buggy coreutils 8.23-3 in jessie).

And, bugs aside, busybox-static can be put in initrd, which is
invaluable for those crash-recovery scenarios.

Reco
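
Added example for the busybox.conf test shown in the message above. This is not code from the thread or from the busybox project. It parses the [SUID] section in the "applet = [Ssx-][Ssx-][x-] user.group" syntax that the softforge page linked above describes, converts each mode to octal, and checks the file-permission preconditions the test depends on (the thread does chmod 600 on the config). Two things are my own assumptions rather than anything stated in the thread: the meaning of the mode letters (S = set-id bit without execute, s = set-id bit plus execute, x = execute only, - = nothing), and the rule that busybox ignores a config that is not a root-owned regular file or that is writable by group or others. The sample config written by the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the thread or from busybox.
# ASSUMPTIONS (mine): S = set-id only, s = set-id + execute, x = execute, - = nothing;
# busybox ignores a config that is not a root-owned, non-group/world-writable regular file.

# Convert a three-letter busybox.conf mode such as "ssx" to octal (ssx -> 6111).
# Returns 1 for a malformed mode string.
bb_mode_octal() {
    m=$1
    [ ${#m} -eq 3 ] || return 1
    u=${m%??}; t=${m#?}; g=${t%?}; o=${m#??}
    bits=0
    case $u in S) bits=$((bits + 2048)) ;; s) bits=$((bits + 2048 + 64)) ;; x) bits=$((bits + 64)) ;; -) ;; *) return 1 ;; esac
    case $g in S) bits=$((bits + 1024)) ;; s) bits=$((bits + 1024 + 8)) ;; x) bits=$((bits + 8)) ;; -) ;; *) return 1 ;; esac
    case $o in x) bits=$((bits + 1)) ;; -) ;; *) return 1 ;; esac
    printf '%04o\n' "$bits"
}

# Print "applet octal-mode user group" for every entry in the [SUID] section of $1.
bb_suid_entries() {
    awk '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { insuid = ($0 ~ /^[ \t]*\[SUID\][ \t]*$/); next }
        insuid && /=/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)                      # "su = ssx root.0" -> "su ssx root.0"
            n = split(line, f, /[ \t]+/)
            if (n < 2) next
            ug = (n >= 3) ? f[3] : "-.-"
            split(ug, p, ".")                                    # user.group
            print f[1], f[2], p[1], (p[2] == "" ? "-" : p[2])
        }' "$1" |
    while read -r applet mode user grp; do
        oct=$(bb_mode_octal "$mode") || oct=INVALID
        printf '%s %s %s %s\n' "$applet" "$oct" "$user" "$grp"
    done
}

# Return 0 if the config file is a regular file, owned by uid 0, and not
# writable by group or others (the preconditions assumed above); 1 otherwise.
bb_conf_safe() {
    set -- $(ls -ldn "$1" 2>/dev/null)
    [ $# -ge 3 ] || return 1
    case $1 in -*) ;; *) return 1 ;; esac               # not a symlink, dir, etc.
    [ "$3" = 0 ] || return 1                            # owner uid must be 0
    case $1 in ?????w*|????????w*) return 1 ;; esac     # group- or world-writable
    return 0
}

# Write a constructed sample config (not a real system file) to $1.
bb_write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: the thread's su line plus two more entries for the parser
[SUID]
su = ssx root.0
passwd = ssx root.0
ping = x-x root.0
EOF
}

# Demo on a temporary file; a real check would be pointed at /etc/busybox.conf.
sample=$(mktemp) && bb_write_sample_conf "$sample" && bb_suid_entries "$sample"
if bb_conf_safe "$sample"; then
    echo "config would be trusted by busybox"
else
    echo "config would be ignored (not root-owned or too permissive)"
fi
rm -f "$sample"
```

The demo file in /tmp is owned by whoever runs the script, so on an unprivileged run bb_conf_safe reports it as one busybox would ignore; run against the real /etc/busybox.conf as root after the chmod 600 from the thread, it reports it as trusted. The su entry prints as "su 6111 root 0": setuid root, setgid 0, executable by everyone, which is what makes "busybox su -" work for an ordinary user while unlisted applets such as cat stay unprivileged.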

