
List:       busybox
Subject:    Re: [PATCH 0/2] new applet (setpriv) + unshare typo fix
From:       Assaf Gordon <assafgordon () gmail ! com>
Date:       2017-05-13 17:32:11
Message-ID: 690FAAC7-0329-4769-AE59-95DE2E6DCCC7 () gmail ! com

Hello Walter,

> On May 13, 2017, at 06:11, walter harms <wharms@bfs.de> wrote:
> 
> busybox is about size so it's a good idea to post how large the increase is.

Without long options:
===
function                                             old     new   delta
setpriv_main                                           -      92     +92
.rodata                                             6148    6190     +42
applet_names                                          19      27      +8
applet_main                                           40      48      +8
opt_str                                                -       2      +2
------------------------------------------------------------------------------
(add/remove: 3/0 grow/shrink: 3/0 up/down: 152/0)             Total: 152 bytes
   text    data     bss     dec     hex filename
  60624    1334    1552   63510    f816 busybox_old
  60830    1342    1552   63724    f8ec busybox_unstripped
===

With long options:
===
function                                             old     new   delta
setpriv_main                                           -     103    +103
.rodata                                             6148    6212     +64
setpriv_longopts                                       -      22     +22
applet_names                                          19      27      +8
applet_main                                           40      48      +8
opt_str                                                -       2      +2
------------------------------------------------------------------------------
(add/remove: 4/0 grow/shrink: 3/0 up/down: 207/0)             Total: 207 bytes
   text    data     bss     dec     hex filename
  60624    1334    1552   63510    f816 busybox_old
  60863    1342    1552   63757    f90d busybox_unstripped
===


> When adding a new item it is also a good idea to give one or more use cases; not
> everyone knows every command in util-linux.

Turning on Linux's "NO_NEW_PRIVS" bit prevents an unprivileged process
from escalating privileges through setuid, setgid, and fcap-using binaries.

It is explained in detail here:
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt

Basically, the applet calls "prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)"
and then execvp on whichever program you'd like to run.

Typical use case:

Escalating privileges with setuid:

  $ sudo id
  uid=0(root) gid=0(root) groups=0(root)

With "NO_NEW_PRIVS", 'setuid' is ignored and sudo is
executed with non-root privilege:

  $ setpriv --nnp sudo id
  sudo: effective uid is not 0, is /usr/bin/sudo on a file system
  with the 'nosuid' option set or an NFS file system without root privileges?

The upstream "setpriv" has many more options (related to capabilities and requiring libcap-ng);
this applet does not implement any of them.

regards,
 - assaf
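The prctl-then-execvp sequence described in the message above, written out as a small stand-alone C program. This is an added example for the archive reader, not the busybox applet or any code from the patch; the function names (nnp_get, nnp_set, nnp_exec) are this example's own. It assumes a Linux kernel new enough to provide PR_SET_NO_NEW_PRIVS and PR_GET_NO_NEW_PRIVS (3.5 or later). Beyond what the message shows, it reads the bit back after setting it, which is a cheap sanity check before handing control to the target program.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Read the no_new_privs bit of the calling thread.
 * Returns 1 if set, 0 if clear, -1 on error (errno set). */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the no_new_privs bit. Returns 0 on success, -1 on error.
 * The bit is sticky: once set it cannot be cleared by the process,
 * and it is inherited across fork() and execve(). Setting it twice
 * is harmless. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Set no_new_privs, confirm the kernel reports it as set, then exec
 * argv[0] with PATH lookup. Returns -1 only on failure (errno set);
 * on success the calling image is replaced and nothing returns. With
 * the bit set, a setuid/setgid/file-capability binary still runs, but
 * the kernel does not grant it the extra privileges (hence sudo's
 * "effective uid is not 0" message in the post above). */
int nnp_exec(char *const argv[])
{
    if (nnp_set() != 0)
        return -1;
    if (nnp_get() != 1) {
        errno = EINVAL;   /* kernel accepted the call but the bit is not set */
        return -1;
    }
    execvp(argv[0], argv);
    return -1;            /* execvp only returns on error */
}

/* Usage (hypothetical binary name): ./nnp_exec sudo id */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s PROGRAM [ARG...]\n", argv[0]);
        return 2;
    }
    nnp_exec(argv + 1);
    fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
    return 127;
}
```

Note that the bit is irreversible for the life of the process tree it is set in, which is exactly what makes it useful as a defence: a sandboxed child cannot regain privilege by executing a setuid helper, and unprivileged seccomp filters require it for the same reason.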




_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox