/etc/busybox.conf confusion [secutiry?]
Tito
farmatito at tiscali.it
Fri Apr 27 06:56:29 PDT 2007
On Friday 27 April 2007 13:44:46 Jan Evert van Grootheest wrote:
>
> > > All,
> > >
> > > I think this got introduced in applets.c:check_suid with
> > > 17508 'accumulated post-1.4.0 fixes'.
> > >
> > > This part of the diff seems responsible.
> > > - if ((sct->m_mode & (S_ISGID | S_IXGRP))
> > > == (S_ISGID | S_IXGRP)) { /* *both* have to be set for sgid */
> > > - xsetgid(sct->m_gid);
> > > - } else xsetgid(rgid); /*
> > > no sgid -> drop */
> > > -
> > > - if (sct->m_mode & S_ISUID) xsetuid(sct->m_uid);
> > > - else xsetuid(ruid); /*
> > > no suid -> drop */
> > > + if (sct->m_gid != 0) {
> > > + /* _both_ have to be set for sgid */
> > > + if ((sct->m_mode & (S_ISGID |
> > > S_IXGRP)) == (S_ISGID | S_IXGRP)) {
> > > + xsetgid(sct->m_gid);
> > > + } else xsetgid(rgid); /* no
> > > sgid -> drop */
> > > + }
> > > + if (sct->m_uid != 0) {
> > > + if (sct->m_mode & S_ISUID)
> > > xsetuid(sct->m_uid);
> > > + else xsetuid(ruid); /* no suid
> > > -> drop */
> > > + }
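Review bot: the new `if (sct->m_gid != 0)` and `if (sct->m_uid != 0)` guards wrap the whole drop decision, so for a busybox.conf entry whose owner is root (the `xxx 0.0` case from the original report) neither `xsetgid(rgid)` nor `xsetuid(ruid)` is ever reached and the process keeps the effective root it inherited from the suid bit, whereas the removed lines always dropped when no s-bit was configured. Either remove the two guards or give each an else branch that calls `xsetgid(rgid)` / `xsetuid(ruid)` when the configured id is 0, so that the "no sgid/suid -> drop" comments stay true.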
> > >
> > > Previously if there was no sgid/suid, privileges would always
> > > be dropped. Now they're only dropped if the uid/gid in
> > > bb.conf is not 0.
> > >
> > > I would propose to revert this part of the patch.
> > > Adding an else to call xsetuid/xsetgid would seem to do the
> > > right thing but, I guess, would only increase the size of the
> > > executable.
> > >
> > > This seems, by the way, to be a security bug? It leaves
> > > processes with effective root all over!
> > >
> > > -- Jan Evert
> > >
> > >
> > > > -----Original message-----
> > > > From: busybox-bounces at busybox.net
> > > > [mailto:busybox-bounces at busybox.net] On behalf of Jan Evert van Grootheest
> > > > Sent: Friday 27 April 2007 9:07
> > > > To: busybox at busybox.net
> > > > Subject: /etc/busybox.conf confusion
> > > >
> > > >
> > > > Hi,
> > > >
> > > > The confusion is mine (not bb).
> > > >
> > > > If I have sh not in /etc/busybox.conf and I log in as user mysql I get
> > > > this:
> > > >
> > > > viking-be# cat /proc/self/status | egrep "id:|Name"
> > > > Name: sh
> > > > Tgid: 1192
> > > > Pid: 1192
> > > > PPid: 1173
> > > > TracerPid: 0
> > > > Uid: 500 500 500 500
> > > > Gid: 500 500 500 500
> > > > viking-be# cat /proc/1173/status | egrep "id:|Name"
> > > > Name: sh
> > > > Tgid: 1173
> > > > Pid: 1173
> > > > PPid: 1064
> > > > TracerPid: 0
> > > > Uid: 500 500 500 500
> > > > Gid: 500 500 500 500
> > > >
> > > >
> > > > Now, when I put sh in the busybox.conf file as using
> > > > sh = xxx 0.0
> > > > And login again and try the same this is the result
> > > > viking-be# cat /proc/self/status | egrep "id:|Name"
> > > > Name: sh
> > > > Tgid: 1206
> > > > Pid: 1206
> > > > PPid: 1203
> > > > TracerPid: 0
> > > > Uid: 500 0 0 0
> > > > Gid: 500 0 0 0
> > > > viking-be# cat /proc/1203/status | egrep "id:|Name"
> > > > Name: sh
> > > > Tgid: 1203
> > > > Pid: 1203
> > > > PPid: 1064
> > > > TracerPid: 0
> > > > Uid: 500 0 0 0
> > > > Gid: 500 0 0 0
> > > >
> > > >
> > > > I am confused, because I was expecting the same output. I thought
> > > > that xxx meant that the applet is a regular executable that doesn't
> > > > change effective uid and gid. But apparently it does?
> > > >
> > > > So can anyone explain this?
> > > > Which part of the process do I not understand?
> > > > My guess would be that the problem, if at all, is with the starting
> > > > shell, because busybox is suid root and bb.conf is read during
> > > > startup.
> > > >
> > > > This is a login via the bb telnetd (which is, of course, running as
> > > > root) and using the bb login (which is xxx in busybox.conf). And it
> > > > concerns bb 1.4.1 (with all patches, as far as I know) using glibc
> > > > 2.3.6 on i386.
> > > >
> > > > Also note the 'Name' of cat. It is 'sh'. I would guess this to be
> > > > due to cat being a safe applet.
> > > >
> > > > Many thanks,
> > > > Jan Evert
> > > >
> >
> >
> > I think more changes are needed. Passwd and su are not really
> > behaving well:
> >
> > I'm now trying to change the password of a regular user
> > (mysql). If I have the passwd applet in bb.conf as xxx it,
> > obviously, is not able to read /etc/shadow. If I have the
> > passwd applet in bb.conf as sxx then it attempts to change
> > the password of root. If I have the passwd applet in bb.conf
> > as sxx and attempt 'passwd mysql' when logged in as mysql,
> > then the correct password is changed, but without asking for
> > the old password!
> >
> > Something comparable is happening to the su applet. When
> > executed as a regular user: With su as xxx, it asks for the
> > password and then fails to set groups. With su as sxx, it
> > doesn't ask for the password and drops straight into a shell
> > with the correct user (just as if root had executed it).
> >
> > Any ideas?
> >
> > Thanks,
> > Jan Evert
>
> I think I figured it out.
>
> A suid program has effective uid of the owner of the program (usually
> that will be root). And the real uid is the uid of the logged in user
> (for example, mysql). If a suid root program executes setuid(x), the
> real and effective uids are changed to become x.
> Same goes for gid.
>
> And that is the bug. Busybox is suid root. If an applet is supposed to
> be suid, a setuid is done changing the real uid to root.
> Thus, for example, su and passwd think they are executed by root and
> behave differently!
> However, bb doesn't need to setuid because the effective uid is already
> root because the program is suid root.
>
> So I came up with this patch which I think does the right thing. This is
> against 1.4.1.
>
> Thanks,
> Jan Evert
>
Hi,
this seems to work for me:
busybox.conf is
[SUID]
passwd = ssx 0.0
# applet su can be run by anyone and runs with euid=0/egid=0
su = ssx root.0
# applet su can be run by anyone and runs with euid=0/egid=0
root at localhost:~/Desktop/busybox# chown 0.0 /etc/busybox.conf
root at localhost:~/Desktop/busybox# chmod 600 /etc/busybox.conf
root at localhost:~/Desktop/busybox# cp busybox /usr/bin/passwd
root at localhost:~/Desktop/busybox# chown 0.0 /usr/bin/passwd
root at localhost:~/Desktop/busybox# chmod 4755 /usr/bin/passwd
Running as normal user:
root at localhost:~/Desktop/busybox# cat /proc/18601/status
Name: passwd
State: S (sleeping)
SleepAVG: 88%
Tgid: 18601
Pid: 18601
PPid: 15912
TracerPid: 0
Uid: 1000 0 0 0
Gid: 1000 1000 1000 1000
FDSize: 256
Groups: 7 20 24 25 29 46 111 113 1000 1002 1003
tito at localhost:~$ id
uid=1000(tito) gid=1000(tito) groups=7(lp),20(dip),24(cdrom),25(floppy),29(audio),46(plugdev),111(admin),113(fuse),1000(tito),1002(vboxusers),1003(halt)
tito at localhost:~$ /usr/bin/passwd
ruid = 1000 /*debug */
busybox.conf readable /*debug */
found su /*debug */
found passwd /*debug */
requested uid 0 gid 0 /*debug */
Changing password for tito
Old password:
New password:
Bad password: too weak
passwd: password for tito is unchanged
then changing busybox.conf to
[SUID]
passwd = ssx 0.0
tito at localhost:~$ /usr/bin/passwd
ruid = 1000
busybox.conf readable
found su
found passwd
requested uid 0 gid 0
Changing password for tito
Old password:
Incorrect password
passwd: password for tito is unchanged
tito at localhost:~$
it is not possible to change the password.
Running as root:
root at localhost:~/Desktop# cat /proc/18582/status
Name: passwd
State: S (sleeping)
SleepAVG: 58%
Tgid: 18582
Pid: 18582
PPid: 12012
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
root at localhost:~/Desktop# /usr/bin/passwd
ruid = 0 /* debug */
Changing password for root
New password:
Bad password: too weak
Retype password:
Passwords don't match
passwd: password for root is unchanged
root at localhost:~/Desktop#
Ciao,
Tito
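The two problems discussed in this thread (the "!= 0" guards that skip the privilege drop for a root-owned entry, and setuid(0) from a suid-root binary turning the real uid into 0 so su/passwd believe root invoked them) can be reproduced without a suid binary. The block below is an added example, not BusyBox code and not Jan Evert's patch: it models check_suid's uid decision and the kernel's setuid() rule for a euid-0 process as pure functions over constructed inputs (`LOGIN_500`, `CONF_XXX`, `CONF_SXX` are made up here; gids are left out).

```c
/* Added example, not BusyBox's own code: a pure-function model of the
 * uid decision in applets.c:check_suid plus the kernel's setuid() rule
 * for a euid-0 process, so both problems in the thread can be checked
 * without building a suid binary. Only uids are modelled, not gids. */
#include <sys/stat.h>
#include <sys/types.h>
/* Constructed stand-in for BusyBox's per-applet [SUID] record. */
struct suid_conf { mode_t m_mode; uid_t m_uid; };
struct cred { uid_t ruid, euid; };
/* Kernel rule: a process with euid 0 calling setuid(x) gets real and
 * effective uid x (saved uid omitted; unprivileged callers not modelled). */
static struct cred do_setuid(struct cred c, uid_t x) {
    if (c.euid == 0) { c.ruid = x; c.euid = x; }
    return c;
}
/* Post-17508 check_suid as quoted in the thread: the "!= 0" guard skips
 * the drop when the configured owner is root, so "xxx 0.0" keeps the
 * effective root that the suid bit already gave the process. */
struct cred check_suid_guarded(struct cred c, const struct suid_conf *sct) {
    if (sct->m_uid != 0) {
        if (sct->m_mode & S_ISUID) c = do_setuid(c, sct->m_uid);
        else c = do_setuid(c, c.ruid);          /* no suid -> drop */
    }
    return c;
}
/* Pre-17508 behaviour: always decide. "xxx 0.0" now drops to ruid, but
 * "sxx 0.0" calls setuid(0), which makes ruid 0 as well, so su/passwd
 * see getuid() == 0 and treat the caller as root (Jan Evert's 2nd point). */
struct cred check_suid_always(struct cred c, const struct suid_conf *sct) {
    if (sct->m_mode & S_ISUID) c = do_setuid(c, sct->m_uid);
    else c = do_setuid(c, c.ruid);
    return c;
}
/* My reading of Jan Evert's remark that bb "doesn't need to setuid" when
 * it is already euid 0: skip the call, so ruid stays the caller's uid. */
struct cred check_suid_keep_ruid(struct cred c, const struct suid_conf *sct) {
    if (!(sct->m_mode & S_ISUID)) return do_setuid(c, c.ruid);
    if (c.euid != sct->m_uid) c = do_setuid(c, sct->m_uid);
    return c;
}
/* Constructed inputs: a uid-500 user running the suid-root binary, and
 * the "xxx 0.0" / "sxx 0.0" busybox.conf lines from the thread. */
static const struct cred LOGIN_500 = { 500, 0 };
static const struct suid_conf CONF_XXX = { S_IXUSR | S_IXGRP | S_IXOTH, 0 };
static const struct suid_conf CONF_SXX = { S_ISUID | S_IXUSR | S_IXGRP | S_IXOTH, 0 };
```

With `xxx 0.0` the guarded version returns ruid 500 / euid 0, the `Uid: 500 0 0 0` seen in the report, while the always-drop version returns 500/500; with `sxx 0.0` the always-drop version returns 0/0 (passwd then acts on root), and skipping the redundant setuid returns 500/0, matching the `Uid: 1000 0 0 0` line above.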