<HTML xmlns:eXclaimer="http://www.exclaimer.co.uk">
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=UTF-16">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-16">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-16">
</HEAD><BODY style="FONT-SIZE: 10pt; FONT-FAMILY: Bitstream Vera Sans"><DIV>
<FONT FACE="Arial" SIZE="2">
<DIV><FONT face="Bitstream Vera Sans"></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<P>> Tito, others,</P>
<P>> </P>
<P>> Sorry about this, but those su and passwd comments were with my
initial</P>
<P>> patch applied.</P>
<P>> </P>
<P>> With original code, it is easiest to demonstrate using 'cat</P>
<P>> /proc/self/status' with a suid root bbox and as a regular user. Try
both</P>
<P>> with cat in bbox.conf as xxx and cat not present in bbox.conf.</P>
<P>> When cat is present as xxx, privileges are not dropped.</P>
<P>> </P>
<P>> I ran into this because my environment had ash and sh as ssx in</P>
<P>> bbox.conf. Which I changed to xxx. And then still had not proper</P>
<P>> uids/gids.</P>
<P>> </P>
<P>> -- Jan Evert </P>
<P>Hi,</P>
<P>mv busybox /bin/busybox</P>
<P>chown 0.0 /bin/busybox</P>
<P>chmod 4755 /bin/busybox</P>
<P></P>
<P>1 ) not in busybox.conf:</P>
<P>as normal user /bin/busybox cat /proc/self/status does not work<SPAN
class=509070208-01052007><FONT
face="Bitstream Vera Sans"> </FONT></SPAN></P></BLOCKQUOTE>
<P dir=ltr><SPAN class=509070208-01052007>Eh? </SPAN><SPAN
class=509070208-01052007>For me (1.4.1 and patches) it works just fine if
cat is not in bbox.conf. </SPAN></P>
<P dir=ltr><SPAN class=509070208-01052007>Dumb question of the day... what are
the permissions to your /etc/busybox.conf?</SPAN></P>
<P dir=ltr><SPAN class=509070208-01052007></SPAN> </P><SPAN
class=509070208-01052007></SPAN>
<P dir=ltr></P>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<P dir=ltr><SPAN class=509070208-01052007><FONT
face="Bitstream Vera Sans"> </FONT></SPAN>2) in
busybox.conf</P></BLOCKQUOTE>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<P>2a) as normal user and cat = ssx 0.0 in busybox.conf </P>
<P>/bin/busybox cat /proc/self/status works</P>
<P>Name: busybox</P>
<P>State: R (running)</P>
<P>SleepAVG: 88%</P>
<P>Tgid: 6937</P>
<P>Pid: 6937</P>
<P>PPid: 6416</P>
<P>TracerPid: 0</P>
<P>Uid: 1000 0 0 0</P>
<P>Gid: 1000 1000 1000 1000<SPAN class=509070208-01052007><FONT
face="Bitstream Vera Sans"> </FONT></SPAN></P></BLOCKQUOTE>
<P dir=ltr><SPAN class=509070208-01052007>Given the ssx, this result is somewhat
expected, except that I would expect gid to be '1000 0 0 0'? It seems that
bbox actually did sxx.</SPAN></P>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<P></P>
<P>2b) as normal user and cat = xxx 0.0 in busybox.conf </P>
<P>/bin/busybox cat /proc/self/status does not work</P>
<P></P>
<P>if in [SUID] stanza alphabetical order is respected</P>
<P>[SUID]</P>
<P>cat = xxx 0.0</P>
<P>passwd = ssx 0.0</P>
<P># applet su can be run by anyone and runs with euid=0/egid=0</P>
<P>su = ssx root.0</P>
<P># applet su can be run by anyone and runs with euid=0/egid=0</P>
<P></P>
<P>2c) as normal user and cat = xxx 0.0 in busybox.conf it works</P>
<P></P>
<P>/bin/busybox cat /proc/self/status works</P>
<P></P>
<P>if in [SUID] stanza alphabetical order is not respected</P>
<P>[SUID]</P>
<P>passwd = ssx 0.0</P>
<P># applet su can be run by anyone and runs with euid=0/egid=0</P>
<P>su = ssx root.0</P>
<P># applet su can be run by anyone and runs with euid=0/egid=0</P>
<P>cat = xxx 0.0</P>
<P></P>
<P>Name: busybox</P>
<P>State: R (running)</P>
<P>SleepAVG: 58%</P>
<P>Tgid: 6953</P>
<P>Pid: 6953</P>
<P>PPid: 6416</P>
<P>TracerPid: 0</P>
<P>Uid: 1000 0 0 0</P>
<P>Gid: 1000 1000 1000 1000</P>
<P></P>
<P>Seems that there is really something wrong here....</P>
<P></P>
<P>IMHO check_suid and parse_config_file should be totally rewritten,</P>
<P>the first to make it more readable and the second to reduce the bloat as
most of its features </P>
<P>are unused at the moment.<SPAN class=509070208-01052007><FONT
face="Bitstream Vera Sans"> </FONT></SPAN></P></BLOCKQUOTE>
<P dir=ltr><SPAN class=509070208-01052007>As for the ordering... my
bbox.conf appears to be in the same order as the applets are in 'make
menuconfig'. But that's just an impression. At least the applets are
grouped according to the submenus in make menuconfig. And withing the grouping
they are alfabetically ordered.</SPAN></P>
<P dir=ltr><SPAN class=509070208-01052007></SPAN><SPAN
class=509070208-01052007><FONT face="Bitstream Vera Sans">-- Jan
Evert</FONT></SPAN></P>
<P dir=ltr><SPAN class=509070208-01052007>PS: sorry if Outlook makes a mess of
this mail. I don't know how to make it behave. It seems impossible.</SPAN></P>
<P dir=ltr><SPAN class=509070208-01052007></SPAN> </P></FONT>
</DIV>
<DIV>
<FONT FACE="Arial" SIZE="2">
</FONT>
</DIV>
<DIV STYLE="FONT-SIZE: 7pt; COLOR: gray; FONT-FAMILY: verdana">The information contained in this communication is confidential and may be legally privileged. It is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. Vialis is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.<BR></DIV></BODY></HTML>