busybox.conf: USER.GROUP is _optional_

function                                             old     new   delta
main                                                 785     809     +24

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Denys Vlasenko 2011-05-16 13:53:19 +02:00
parent 3770b6b061
commit d83aff1aed
2 changed files with 16 additions and 14 deletions


@ -350,15 +350,17 @@ config FEATURE_SUID_CONFIG
by checking /etc/busybox.conf. (This is sort of a poor man's sudo.) by checking /etc/busybox.conf. (This is sort of a poor man's sudo.)
The format of this file is as follows: The format of this file is as follows:
APPLET = [Ssx-][Ssx-][x-] USER.GROUP APPLET = [Ssx-][Ssx-][x-] [USER.GROUP]
s: This user/group are allowed to execute APPLET. s: USER or GROUP is allowed to execute APPLET.
APPLET will run under USER or GROUP
(reagardless of who's running it).
S: USER or GROUP is NOT allowed to execute APPLET.
APPLET will run under USER or GROUP. APPLET will run under USER or GROUP.
x: User/group/others are allowed to execute APPLET. This option is not very sensical.
x: USER/GROUP/others are allowed to execute APPLET.
No UID/GID change will be done when it is run. No UID/GID change will be done when it is run.
S: This user/group are NOT allowed to execute APPLET. -: USER/GROUP/others are not allowed to execute APPLET.
APPLET will run under USER or GROUP.
-: User/group/others are not allowed to execute APPLET.
An example might help: An example might help:
@ -368,7 +370,8 @@ config FEATURE_SUID_CONFIG
su = ssx # exactly the same su = ssx # exactly the same
mount = sx- root.disk # applet mount can be run by root and members mount = sx- root.disk # applet mount can be run by root and members
# of group disk and runs with euid=0 # of group disk (but not anyone else)
# and runs with euid=0 (egid is not changed)
cp = --- # disable applet cp for everyone cp = --- # disable applet cp for everyone
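Review bot: The new format line `APPLET = [Ssx-][Ssx-][x-] [USER.GROUP]` marks the field as optional, but the help text never says which identity is assumed when it is left out; only the `su = ssx # exactly the same` example hints at it. Because `s` makes the applet run under USER or GROUP, the default should be stated next to the format line, for example `If USER.GROUP is omitted, 0.0 (root.root) is assumed.`, provided that matches the parser. The added line `(reagardless of who's running it).` also contains a typo and should read `(regardless of who's running it).`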


@ -261,9 +261,7 @@ static int ingroup(uid_t u, gid_t g)
return 0; return 0;
} }
/* This should probably be a libbb routine. In that case, /* libbb candidate */
* I'd probably rename it to something like bb_trimmed_slice.
*/
static char *get_trimmed_slice(char *s, char *e) static char *get_trimmed_slice(char *s, char *e)
{ {
/* First, consider the value at e to be nul and back up until we /* First, consider the value at e to be nul and back up until we
@ -442,15 +440,16 @@ static void parse_config_file(void)
/* Now get the user/group info. */ /* Now get the user/group info. */
s = skip_whitespace(e); s = skip_whitespace(e);
if (*s == '\0')
s = strcpy(buffer, "0.0");
/* Note: we require whitespace between the mode and the /* We require whitespace between mode and USER.GROUP */
* user/group info. */
if ((s == e) || !(e = strchr(s, '.'))) { if ((s == e) || !(e = strchr(s, '.'))) {
errmsg = "uid.gid"; errmsg = "uid.gid";
goto pe_label; goto pe_label;
} }
*e = ':'; /* get_uidgid doesn't understand user.group */ *e = ':'; /* get_uidgid needs USER:GROUP syntax */
if (get_uidgid(&sct->m_ugid, s, /*allow_numeric:*/ 1) == 0) { if (get_uidgid(&sct->m_ugid, s, /*allow_numeric:*/ 1) == 0) {
errmsg = "unknown user/group"; errmsg = "unknown user/group";
goto pe_label; goto pe_label;
@ -518,7 +517,7 @@ static void check_suid(int applet_no)
/* same group / in group */ /* same group / in group */
m >>= 3; m >>= 3;
if (!(m & S_IXOTH)) /* is x bit not set? */ if (!(m & S_IXOTH)) /* is x bit not set? */
bb_error_msg_and_die("you have no permission to run this applet!"); bb_error_msg_and_die("you have no permission to run this applet");
/* We set effective AND saved ids. If saved-id is not set /* We set effective AND saved ids. If saved-id is not set
* like we do below, seteuid(0) can still later succeed! */ * like we do below, seteuid(0) can still later succeed! */
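Review bot: The new fallback `s = strcpy(buffer, "0.0");` in parse_config_file silently maps a missing USER.GROUP field to uid 0 / gid 0, and it does so by overwriting the start of `buffer`; neither fact is stated at that line. In a parser that decides setuid behaviour the default should be spelled out where it is applied, e.g. `/* USER.GROUP omitted: default to 0.0 (root.root); start of buffer is reused as scratch */`. Whether the applet name and mode parsed earlier from `buffer` are still referenced after this point is not visible here, since the function begins and ends outside the hunk, so that should be confirmed. A config line that is accidentally cut off after the mode field is now accepted with root as the target identity instead of being rejected with the "uid.gid" parse error, which is worth noting in the same comment.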