Re: Using fallback suid method

by Neil Shephard

--- In nslu2-linux@..., "slackline" <nshephard@...> wrote:
>

> I've just encountered this in my upgrade to 5.3 after having created a new user account (messages reported when first logging in).
>
> I searched the nslu2-linux archives (on nabble and yahoo and couldn't find anything other than this) and busybox archives and found this pointer --> http://lists.busybox.net/pipermail/busybox/2003-November/009851.html
>
> Downloaded the source and 'make menuconfig' to get into the help which reads as follows (posting here so that the solution can, hopefully, be found in the archives here)...
>
> CONFIG_FEATURE_SUID_CONFIG:
>
> Allow the SUID / SGID state of an applet to be determined at runtime
> by checking /etc/busybox.conf. (This is sort of a poor man's sudo.)
> The format of this file is as follows:
>
>  <applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)
>
> An example might help:
>
> [SUID]
> su = ssx root.0 # applet su can be run by anyone and runs with
>                 # euid=0/egid=0
> su = ssx        # exactly the same
>
> mount = sx- root.disk # applet mount can be run by root and members
>                       # of group disk and runs with euid=0
>  
> cp = --- # disable applet cp for everyone
>
> The file has to be owned by user root, group root and has to be
> writeable only by root:
>       (chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
> The busybox executable has to be owned by user root, group
> root and has to be setuid root for this to work:
>       (chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)
>
> Robert 'sandman' Griebl has more information here:
> <url: http://www.softforge.de/bb/suid.html >.
>  
>
> I created the file (leaving it blank) and changed ownership and permissions as per above instructions, but no joy (yet), haven't tried rebooting yet though (will have to wait till I get home).  Will update if I get it resolved.
>

Ok, I seem to have solved this using the solution suggested at http://lists.busybox.net/pipermail/busybox/2003-March/008115.html

Basically I needed to change the busybox binary such that the user or group ID is set on execution...

chmod +s /bin/busybox

Will find out later if this has resolved the permissions on mounting but suspect the suggested UUID approach is preferable (see http://tech.groups.yahoo.com/group/nslu2-linux/message/23830 )

Neil
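
The [SUID] line format and the ownership rules quoted from the help text above, as an added example (not part of the original post and not busybox code): a Python parser for the section plus a permission check for /etc/busybox.conf and /bin/busybox. The function names are hypothetical, and reading `S` as "set-id without execute" follows the ls(1) convention and is an assumption.

```python
import re
import stat

# Constructed sample, built from the example lines in the quoted help text.
SAMPLE = """\
[SUID]
su = ssx root.0        # anyone may run it; euid=0/egid=0
mount = sx- root.disk  # root and group disk; euid=0
cp = ---               # disabled for everyone
"""

# <applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)
LINE = re.compile(r"^(\S+)\s*=\s*([Ssx-])([Ssx-])([x-])(?:\s+([^.\s]+)\.(\S+))?$")

def parse_suid(text):
    """Return {applet: rule} for the [SUID] section; reject malformed lines."""
    rules, in_suid = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("["):
            in_suid = line == "[SUID]"
        if not line or line.startswith("[") or not in_suid:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("malformed [SUID] line: %r" % raw)
        applet, u, g, o, user, group = m.groups()
        rules[applet] = {
            # "su = ssx" is "exactly the same" as "su = ssx root.0"
            "owner": user or "root", "group": group or "0",
            "run_by": [w for w, c in (("owner", u), ("group", g), ("other", o))
                       if c in "sx"],
            "setuid": u in "sS", "setgid": g in "sS",
        }
    return rules

def perm_problems(st, want_setuid):
    """Check an os.stat() result against the rules in the help text:
    root:root, writable only by root, setuid if want_setuid (the binary)."""
    problems = []
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("not owned by root:root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    if want_setuid and not st.st_mode & stat.S_ISUID:
        problems.append("setuid bit missing")
    return problems
```

On a live system, pass `os.stat("/etc/busybox.conf")` with `want_setuid=False` and `os.stat("/bin/busybox")` with `want_setuid=True`.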