Re: Another system management tool to disappear.
Hi.
On Sun, 30 Aug 2015 21:16:32 +0900
Joel Rees <joel.rees@gmail.com> wrote:
<skip>
> >> Installed it, suid problems:
> >>
> >> gene@coyote:~$ busybox su amanda
> >> su: must be suid to work properly
> >> gene@coyote:~$ busybox su -
> >> su: must be suid to work properly
> >>
> >> Is it still finding the system su first?
> >
> > No. The 'problem' is exactly what it tells. Meaning:
> >
> > 1) "Original" su is suid root-owned binary:
> >
> > $ ls -la /bin/su
> > -rwsr-xr-x 1 root root 40168 Nov 21 2014 /bin/su
> >
> > 2) Busybox, on the other hand - is not:
> >
> > $ ls -la /bin/busybox
> > -rwxr-xr-x 1 root root 1837008 Feb 19 2015 /bin/busybox
> >
> >
> > So, *root*-invoked "busybox su" should behave exactly like original
> > "su". Everyone other than root is told to get lost.
> >
> > Note that:
> >
> > 1) Setting suid bit on busybox is an *extremely* bad idea. Don't
> > ever do it (as busybox provides *much* more than su).
> >>
> Being curious, myself, about this question, I did a web search on
> "suid busybox" and found this interesting tidbit:
>
> http://www.softforge.de/bb/suid.html
>
> which refers to one compile-time configuration, and to a convenient
> configuration file:
>
> /etc/busybox.conf

Wow. Thank you very much, I was not aware of this.

> I would assume that, if you have installed busybox, you would have man
> pages that explain this, as well.

Actually, no. busybox(1) does not mention anything about busybox.conf
or CONFIG_FEATURE_SUID_CONFIG.

> But I don't have a debian system
> booted to check, at the moment, sorry. After a search on the web,
> maybe it is not easy to find in the man pages, after all.

The easy way here is to check the busybox-static compile options, which
belong to the debian/config/pkg/static file in this archive:

http://http.debian.net/debian/pool/main/b/busybox/busybox_1.20.0-7.debian.tar.gz

And, CONFIG_FEATURE_SUID_CONFIG is there indeed, with the value of "y".

A quick test (wheezy x86-64, just in case):

# cat > /etc/busybox.conf << EOF
[SUID]
su = ssx root.0
EOF
# chmod 600 /etc/busybox.conf
# chmod 4755 /bin/busybox
# su - user
$ busybox cat /etc/shadow
cat: can't open '/etc/shadow': Permission denied
$ busybox su -
Password:

Of course, a Debian-way implementation would require something like
dpkg-statoverride, but it's a small price to pay.

> I must say, my personal impression of busybox has always been that I
> would rather simply have enough persistent storage to have a proper
> userland -- that it would be indicated only on embedded stuff where
> flash RAM and other persistent storage is extremely limited for some
> reason or other.

To my big surprise, sometimes busybox provides sane behavior, while
coreutils provides a buggy one. An example is #765514 (note that they
managed to put buggy coreutils 8.23-3 in jessie).

And, bugs aside, busybox-static can be put in initrd, which is
invaluable for those crash-recovery scenarios.

Reco
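
An audit check for the setup tested in the message above, added here as an example and not part of the original e-mail: it lists which applets a busybox.conf [SUID] section grants setuid to and fails unless the file is closed to group/other and only allowlisted applets (by default just su) appear. The "#" comment handling, the allowlist argument and the use of `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU or BusyBox stat (-c %a) and
# entries of the form "applet = MODE [user.group]" with "#" comments.

# Print "applet mode owner" for each [SUID] entry whose first mode character
# requests setuid ('s' or 'S').
suid_entries() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*\[/ {                           # section header
            in_suid = (tolower($0) ~ /^[ \t]*\[suid\][ \t]*$/)
            next
        }
        in_suid && /=/ {
            split($0, kv, "=")
            applet = kv[1]; gsub(/[ \t]/, "", applet)
            n = split(kv[2], f, " ")
            owner = (n >= 2) ? f[2] : "-"
            if (f[1] ~ /^[sS]/) print applet, f[1], owner
        }
    ' "$1"
}

# Return 0 only if the file is closed to group/other and every setuid entry
# is on the allowlist (second argument, default "su").
audit_busybox_conf() {
    conf=$1; allowed=${2:-su}; rc=0
    mode=$(stat -c %a "$conf") || return 2
    case $mode in
        [0-7]00) ;;
        *) echo "WARN: $conf has mode $mode, expected 600" >&2; rc=1 ;;
    esac
    for applet in $(suid_entries "$conf" | cut -d' ' -f1); do
        case " $allowed " in
            *" $applet "*) ;;
            *) echo "WARN: unexpected setuid applet: $applet" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the entry from the quick test plus one that should fail.
sample=$(mktemp)
printf '%s\n' '[SUID]' 'su = ssx root.0' 'vi = ssx root.0  # constructed' > "$sample"
audit_busybox_conf "$sample" || echo "audit failed"
rm -f "$sample"
```

On a real system this would be run as root against /etc/busybox.conf, alongside a check that /bin/busybox itself is root-owned.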