[BusyBox 0001175]: su does not require a password if /etc/busybox.conf is present and contains an su entry
bugs at busybox.net
Wed Feb 13 09:33:27 PST 2008
The following issue has been CLOSED
======================================================================
http://busybox.net/bugs/view.php?id=1175
======================================================================
Reported By: whitpa
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1175
Category: Security
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Resolution: open
Fixed in Version:
======================================================================
Date Submitted: 01-25-2007 15:02 PST
Last Modified: 02-13-2008 09:33 PST
======================================================================
Summary: su does not require a password if /etc/busybox.conf
is present and contains an su entry
Description:
When busybox is setuid root (4755 root:root) and the following
/etc/busybox.conf is present (0600 root:root), Busybox 1.3.0 and later
will allow su to any user without a password from a nonprivileged account,
whereas Busybox 1.2.2.1 and earlier will require a password:
[SUID]
su=sxx root.root
If /etc/busybox.conf is present but the su entry is commented out, all
Busybox versions will (correctly) fail the su. If /etc/busybox.conf is
not present, all Busybox versions will (correctly) allow the su but
require a password.
If this change is a feature rather than a bug, then as far as I can
determine it does not appear to be a documented one. Possibly other SUID
applets are similarly affected (not tested).
======================================================================
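An audit check for the preconditions described in the report above, as an added example that is not part of the original bug report or of BusyBox's own code. The function names and the BB_CONF/BB_BIN environment variables are hypothetical, and the parser assumes only the config syntax shown in the report ([SUID] section, "applet=mode owner.group" entries, "#" comments).

```shell
#!/bin/sh
# Added audit example: flags a setuid busybox combined with an active
# "su" entry in the [SUID] section of busybox.conf.

# Print "applet mode owner.group" for each active [SUID] entry in file $1.
suid_entries() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        # Section name is matched case-insensitively so the audit over-reports
        # rather than misses an entry.
        /^\[/ { in_suid = (toupper($0) == "[SUID]"); next }
        in_suid && /=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            rest = $0; sub(/^[^=]*=[ \t]*/, "", rest)
            split(rest, f, /[ \t]+/)
            print name, f[1], f[2]
        }
    ' "$1"
}

# $1 = config path, $2 = busybox binary path.
# Returns 0 when both preconditions from the report hold, 1 when they do
# not, 2 when the config exists but cannot be read (it is normally 0600).
su_needs_review() {
    [ -f "$1" ] || return 1
    [ -r "$1" ] || return 2
    suid_entries "$1" | grep -q '^su ' || return 1
    [ -u "$2" ] || return 1          # setuid bit set on the binary
    return 0
}

# Stand-alone run against the local system (paths can be overridden).
su_needs_review "${BB_CONF:-/etc/busybox.conf}" \
                "${BB_BIN:-$(command -v busybox)}"
case $? in
    0) echo "REVIEW: setuid busybox with an active su entry in [SUID];" \
            "confirm that su still prompts for a password" ;;
    2) echo "cannot read the config file; rerun as root" ;;
    *) echo "preconditions from the report are not present" ;;
esac
```

A hit only means the reported preconditions are present. The notes below do not name a fixed release, so confirm the password prompt on the installed build.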
----------------------------------------------------------------------
vda - 01-26-07 15:20
----------------------------------------------------------------------
It is fixed in svn I think.
----------------------------------------------------------------------
vda - 02-13-08 09:33
----------------------------------------------------------------------
Seems to be fixed (although reporter never got around to checking/confirming
it).
Issue History
Date Modified Username Field Change
======================================================================
01-25-07 15:02 whitpa New Issue
01-25-07 15:02 whitpa Status new => assigned
01-25-07 15:02 whitpa Assigned To => BusyBox
01-26-07 15:20 vda Note Added: 0002053
02-13-08 09:33 vda Status assigned => closed
02-13-08 09:33 vda Note Added: 0004514
======================================================================