How is /bin/sh being busybox.suid a good thing?

Ross

On 10 November 2017 at 07:17, Andrej Valek <andrej.va...@siemens.com> wrote:

> I don't think that adding bbfatal into this recipe is a good
> solution. Someone could build busybox with /bin/sh linked into
> .suid, e.g. to be more secure. We can live with this one as before.
>
> Andrej
>
> On 11/09/2017 02:25 PM, Nathan Rossi wrote:
> > Add a sanity check during the do_compile task to fail if the suid
> > busybox provides /bin/sh. This is considered a hard fail since not
> > only is providing sh as suid problematic for security reasons but also
> > because the sh configured for suid is less functional than the nosuid
> > configured sh and breaks a number of required features (e.g. 64-bit
> > test).
> >
> > Signed-off-by: Nathan Rossi <nat...@nathanrossi.com>
> > Cc: Ross Burton <ross.bur...@intel.com>
> > ---
> >  meta/recipes-core/busybox/busybox.inc | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/meta/recipes-core/busybox/busybox.inc
> b/meta/recipes-core/busybox/busybox.inc
> > index 4012f921c6..157aea3968 100644
> > --- a/meta/recipes-core/busybox/busybox.inc
> > +++ b/meta/recipes-core/busybox/busybox.inc
> > @@ -183,6 +183,12 @@ do_compile() {
> >                       oe_runmake busybox.links
> >                       mv busybox.links busybox.links.$s
> >               done
> > +
> > +             # hard fail if sh is being linked to the suid busybox
> (detects bug 10346)
> > +             if grep -q -x "/bin/sh" busybox.links.suid; then
> > +                     bbfatal "busybox suid binary incorrectly provides
> /bin/sh"
> > +             fi
> > +
> >               # copy .config.orig back to .config, because the install
> process may check this file
> >               cp .config.orig .config
> >               # cleanup
> >
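Review bot: the new `if grep -q -x "/bin/sh" busybox.links.suid` check assumes busybox.links.suid exists, but it is placed after the `done` of the per-variant loop that writes `busybox.links.$s`, so when no suid variant is configured grep prints a missing-file error to stderr and the `if` silently takes the false branch; guard it with `[ -f busybox.links.suid ] && grep -q -x "/bin/sh" busybox.links.suid` or move it inside the loop for the suid case only. Given the objection in the reply above that some builds may intentionally link /bin/sh into the suid binary, consider documenting the rationale (the bug 10346 reference and the reduced functionality of the suid sh) in the bbfatal message or making the hard fail overridable rather than unconditional.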
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
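The check the patch adds, written out as a standalone POSIX sh function so its behaviour can be exercised outside a BitBake task. This is an added example, not code from the oe-core patch or the busybox recipe; the function name `suid_sh_status` and the sample links files are constructed for illustration. It keeps the exact-line `grep -x` semantics of the patch (so `/usr/bin/sh` or `/bin/sh.busybox` do not trigger a false positive) and additionally handles the case the patch does not: a missing busybox.links.suid, which happens when the suid/nosuid split is not configured.

```shell
#!/bin/sh
# Added example (not part of the oe-core patch): standalone version of the
# do_compile sanity check. Each busybox.links.<variant> file lists one
# applet path per line; the suid variant must not claim /bin/sh.

# suid_sh_status LINKSFILE  (hypothetical helper name)
#   prints "provides-sh"    if /bin/sh is an exact line in LINKSFILE
#          "ok"             if it is not
#          "no-links-file"  if LINKSFILE does not exist (suid split disabled)
#   always returns 0 so it is safe to call under `set -e`
suid_sh_status() {
    links="$1"
    if [ ! -f "$links" ]; then
        echo "no-links-file"
        return 0
    fi
    # -x forces a whole-line match, so /usr/bin/sh or /bin/sh.busybox
    # do not count as the suid binary providing /bin/sh
    if grep -q -x "/bin/sh" "$links"; then
        echo "provides-sh"
    else
        echo "ok"
    fi
    return 0
}

# Constructed sample inputs (not real build output)
demo_dir=$(mktemp -d)
cat > "$demo_dir/busybox.links.suid" <<'EOF'
/bin/login
/bin/su
/usr/bin/passwd
EOF
cat > "$demo_dir/busybox.links.suid.bad" <<'EOF'
/bin/login
/bin/sh
/bin/su
EOF
cat > "$demo_dir/busybox.links.suid.nearmiss" <<'EOF'
/usr/bin/sh
/bin/sh.busybox
EOF

# Report each case; the last name refers to a file that was never created
for f in busybox.links.suid busybox.links.suid.bad \
         busybox.links.suid.nearmiss busybox.links.missing; do
    printf '%s: %s\n' "$f" "$(suid_sh_status "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

In a recipe the "provides-sh" verdict is what would map to `bbfatal`; "no-links-file" is the case a reviewer would want handled explicitly (skip or warn) rather than letting `grep` complain on stderr.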