List: busybox
Subject: Re: [PATCH 0/2] new applet (setpriv) + unshare typo fix
From: Assaf Gordon <assafgordon () gmail ! com>
Date: 2017-05-13 17:32:11
Message-ID: 690FAAC7-0329-4769-AE59-95DE2E6DCCC7 () gmail ! com
Hello Walter,
> On May 13, 2017, at 06:11, walter harms <wharms@bfs.de> wrote:
>
> busybox is about size so it's a good idea to post how large the increase is.
Without long options:
===
function                          old     new   delta
setpriv_main                        -      92     +92
.rodata                          6148    6190     +42
applet_names                       19      27      +8
applet_main                        40      48      +8
opt_str                             -       2      +2
------------------------------------------------------------------------------
(add/remove: 3/0 grow/shrink: 3/0 up/down: 152/0)             Total: 152 bytes
   text    data     bss     dec     hex filename
  60624    1334    1552   63510    f816 busybox_old
  60830    1342    1552   63724    f8ec busybox_unstripped
===
With long options:
===
function                          old     new   delta
setpriv_main                        -     103    +103
.rodata                          6148    6212     +64
setpriv_longopts                    -      22     +22
applet_names                       19      27      +8
applet_main                        40      48      +8
opt_str                             -       2      +2
------------------------------------------------------------------------------
(add/remove: 4/0 grow/shrink: 3/0 up/down: 207/0)             Total: 207 bytes
   text    data     bss     dec     hex filename
  60624    1334    1552   63510    f816 busybox_old
  60863    1342    1552   63757    f90d busybox_unstripped
===
> When adding a new item it is also a good idea to give one or more use cases, not
> everyone knows every command in util-linux.
Turning on Linux's "NO_NEW_PRIVS" bit prevents unprivileged processes
from escalating privileges through setuid, setgid, and fcap-using binaries.
It is explained in detail here:
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt

Basically, the applet calls "prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)"
then execvp on whichever program you'd like to run.
Typical use case:

Escalating privileges with setuid:

    $ sudo id
    uid=0(root) gid=0(root) groups=0(root)

With "NO_NEW_PRIVS", 'setuid' is ignored and sudo is
executed with non-root privilege:

    $ setpriv --nnp sudo id
    sudo: effective uid is not 0, is /usr/bin/sudo on a file system
    with the 'nosuid' option set or an NFS file system without root privileges?

The upstream "setpriv" has many more options (related to capabilities and requiring libcap-ng);
this applet does not implement any of them.
regards,
- assaf
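
Added example, not part of the original mail or the BusyBox patch: a stand-alone C program that makes the same prctl-then-execvp sequence described above, and also checks the properties that make the bit useful as a sandboxing primitive (it reads back as set, cannot be cleared, and is inherited by forked children). The names nnp_probe, reap and the NNP_* constants are hypothetical, chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NNP_SET = 1, NNP_STICKY = 2, NNP_INHERITED = 4 };

/* Wait for pid; return its exit status, or -1 if it did not exit normally. */
static int reap(pid_t pid)
{
    int st;
    return (waitpid(pid, &st, 0) > 0 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Set no_new_privs in a throwaway child (caller untouched) and return a
 * mask of the properties observed there, or -1 on error. */
int nnp_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int mask = 0;
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(0);
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
            mask |= NNP_SET;            /* bit reads back as 1 */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
            mask |= NNP_STICKY;         /* clearing is rejected */
        pid_t gc = fork();
        if (gc == 0)
            _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1);
        if (gc > 0 && reap(gc) == 1)
            mask |= NNP_INHERITED;      /* forked child has it too */
        _exit(mask);
    }
    return reap(pid);
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return printf("nnp mask: %d (7 = all three)\n", nnp_probe()) < 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return perror("PR_SET_NO_NEW_PRIVS"), 1;
    execvp(argv[1], &argv[1]);          /* same as: setpriv --nnp PROG ARGS */
    perror(argv[1]);
    return 127;
}
```

Run without arguments it prints the observed mask; run as `./nnp PROG ARGS` it sets the bit and executes PROG.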