Commit Graph

14756 Commits

Author SHA1 Message Date
Denys Vlasenko
12a4f9afe7 libbb: do not die if setgid/setuid(real_id) on startup fails
Based on a patch from Steven McDonald <steven@steven-mcdonald.id.au>:

This makes 'unshare --user' work correctly in the case where the user's
shell is provided by busybox itself.

'unshare --user' creates a new user namespace without any uid mappings.
As a result, /bin/busybox is setuid nobody:nogroup within the
namespace, as that is the only user. However, since no uids are mapped,
attempting to call setgid/setuid fails, even though this would do
nothing:

  $ unshare --user ./busybox.broken ash
  ash: setgid: Invalid argument

'unshare --map-root-user' still works, but because Linux only allows
uid/gid mappings to be set up once, creating a root mapping makes such
a namespace useless for creating multi-user containers.

With this patch, setgid and setuid will not be called in the case where
they would do nothing, which is always the case inside a new user
namespace because all uids are effectively mapped to nobody:

  $ id -u
  1000
  $ ls -lh busybox.fixed
  -rwsr-xr-x    1 root     root      826.2K May 21 00:33 busybox.fixed
  $ unshare --user ./busybox.fixed ash
  $ id -u
  65534

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-10 09:17:43 +02:00
Denys Vlasenko
9de9c871bf shuf: fix random line selection. Closes 9971
"""
For example, given input file:

    foo
    bar
    baz

after shuffling the input file, foo will never end up back on the first line.
This came to light when I ran into a use-case where someone was selecting
a random line from a file using shuf | head -n 1, and the results on busybox
were showing a statistical anomaly (as in, the first line would never ever
be picked) vs the same process running on environments that had gnu coreutils
installed.

On line https://git.busybox.net/busybox/tree/coreutils/shuf.c#n56 it uses
r %= i, which will result in 0 <= r < i, while the algorithm specifies
0 <= r <= i.
"""

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-09 00:39:15 +02:00
Denys Vlasenko
d18b200096 crond: code shrink
function                                             old     new   delta
load_crontab                                         936     925     -11

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-09 00:08:13 +02:00
Denys Vlasenko
0b3b65fa91 crond: move misplaced comment
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-09 00:00:39 +02:00
Denys Vlasenko
75fbea3879 crond: support @daily etc
function                                             old     new   delta
start_jobs                                             -     348    +348
load_crontab                                         766     936    +170
static.SpecAry                                         -      96     +96
crond_main                                          1424    1134    -290
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 1/1 up/down: 614/-290)          Total: 324 bytes

Based on patch by Jonathan Kolb <kolbyjack@gmail.com>

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-08 20:53:11 +02:00
Denys Vlasenko
1572f520cc watchdog: do not use argc, other cleanups
function                                             old     new   delta
watchdog_main                                        298     291      -7

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-08 18:53:49 +02:00
Matt Spinler
31c765081d watchdog: stop watchdog first on startup
Some watchdog implementations may do things other than issue
a reboot on a watchdog timeout.  In this case, there's the
possibility of restarting this program from the state of
the watchdog device not being properly stopped (done by writing
a 'V' and closing the device).  Since it wasn't stopped, the
driver may not be able to restart the watchdog when this program
reopens it and starts pinging it.

To fix this, the code will always first issue the stop when it
starts up.

function                                             old     new   delta
shutdown_on_signal                                     -      32     +32
watchdog_main                                        268     298     +30
shutdown_watchdog                                      -      25     +25
watchdog_shutdown                                     41       -     -41
------------------------------------------------------------------------------
(add/remove: 2/1 grow/shrink: 1/0 up/down: 87/-41)             Total: 46 bytes

Signed-off-by: Matt Spinler <spinler@us.ibm.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-08 18:35:25 +02:00
Denys Vlasenko
1b84f4a22a beep: disallow FEATURE_BEEP_FREQ = 0 in configuration
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-08 12:21:45 +02:00
Denys Vlasenko
13102634bb hush: explain why wait5.tests is failing
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-08 00:24:32 +02:00
Denys Vlasenko
840a4355d0 hush: fix "(sleep 1; exit 3) & sleep 2; echo $?; wait $!; echo $?"
function                                             old     new   delta
process_wait_result                                  414     426     +12
builtin_wait                                         283     291      +8
run_list                                             974     978      +4
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 3/0 up/down: 24/0)               Total: 24 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 22:56:02 +02:00
Denys Vlasenko
2db74610cd hush: fix two redirection testcase failures
function                                             old     new   delta
save_fds_on_redirect                                 183     256     +73
fcntl_F_DUPFD                                          -      46     +46
restore_redirects                                     74      96     +22
xdup_and_close                                        51      72     +21
setup_redirects                                      196     200      +4
hush_main                                            988     983      -5
static.C                                              12       -     -12
run_pipe                                            1595    1551     -44
------------------------------------------------------------------------------
(add/remove: 1/1 grow/shrink: 4/2 up/down: 166/-61)           Total: 105 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 22:07:28 +02:00
Denys Vlasenko
69a5ec9dcc main: fix the case where user has "halt" as login shell. Closes 9986
halt::0:0::/:/sbin/halt

function                                             old     new   delta
run_applet_and_exit                                  748     751      +3
run_applet_no_and_exit                               467     459      -8

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 19:08:56 +02:00
Denys Vlasenko
b0c0b6d5ba setpriv: remove dependency on libcap headers
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 17:59:40 +02:00
Denys Vlasenko
2bfe7838ab setpriv: factor out capability name printing
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 16:09:45 +02:00
Denys Vlasenko
cf5748cc89 setpriv: code shrink, and grouping capability code together
function                                             old     new   delta
static.versions                                        -       3      +3
getcaps                                              174     149     -25

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 16:00:07 +02:00
Patrick Steinhardt
6842d00ceb setpriv: allow modifying ambient capabilities
With Linux 4.3, a new set of capabilities has been introduced with the
ambient capabilities. These aim to solve the problem that it was
impossible to grant run programs with elevated privileges across
non-root users. Quoting from capabilities(7):

    This is a set of capabilities that are preserved across an execve(2)
    of a program that is not privileged.  The ambient capability set
    obeys the invariant that no capability can ever be ambient if it is
    not both permitted and inheritable.

With this new set of capabilities it is now possible to run an
executable with elevated privileges as a different user, making it much
easier to do proper privilege separation.

Note though that the `--ambient-caps` switch is not part of any released
version of util-linux, yet. It has been applied in 0c92194ee (setpriv:
support modifying the set of ambient capabilities, 2017-06-24) and will
probably be part of v2.31.

function                                             old     new   delta
parse_cap                                              -     174    +174
setpriv_main                                        1246    1301     +55
.rodata                                           146307  146347     +40
static.setpriv_longopts                               40      55     +15
packed_usage                                       32092   32079     -13

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 02:14:23 +02:00
Patrick Steinhardt
0f49f6f926 setpriv: allow modifying inheritable caps
The main use case of setpriv is to modify the current state of
privileges available to the calling process and spawn a new executable
with the modified, new state. Next to the already supported case of
modifying the no-new-privs flag, util-linux also supports to modify
capability sets.

This commit introduces to add or drop capabilities from the set of
inheritable capabilities. Quoting from capabilities(7):

    This is a set of capabilities preserved across an execve(2).
    Inheritable capabilities remain inheritable when executing any
    program, and inheritable capabilities are added to the permitted set
    when executing a program that has the corresponding bits set in the
    file inheritable set.

As such, inheritable capabilities enable executing files with certain
privileges if the file itself has these privileges set. Note though that
inheritable capabilities are dropped across execve when running as a
non-root user.

function                                             old     new   delta
getcaps                                                -     237    +237
setpriv_main                                        1129    1246    +117
.rodata                                           146198  146307    +109
static.setpriv_longopts                               29      40     +11
packed_usage                                       32107   32092     -15

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-07 01:59:45 +02:00
Patrick Steinhardt
5e0987405c setpriv: dump ambient capabilities
As with the previous commit, this commit introduces the ability to dump
the set of ambient capabilities.

function                                             old     new   delta
setpriv_main                                         982    1129    +147
.rodata                                           146148  146198     +50

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 23:02:33 +02:00
Patrick Steinhardt
f34c701fa8 setpriv: dump capability bounding set
As with the previous commit, this one implements the ability to dump the
capability bounding set.

function                                             old     new   delta
setpriv_main                                         838     982    +144
.rodata                                           146101  146148     +47

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 22:59:23 +02:00
Patrick Steinhardt
ad63102943 setpriv: dump inheritable capability set
The setpriv executable from util-linux also dumps out information on the
different capability sets known by the kernel. By default, these are the
inheritable capabilities, bounding capabilities and (not yet released)
the ambient capabilities, which have been introduced with Linux 4.3.
This patch introduces the ability to dump the set of inheritable
capabilities.

By default, setpriv(1) identifies capabilities by their human-readable
name, for example 'net_admin'. For unknown capabilities, though, it does
instead use the capability's value, for example 'cap_12', which is
equivalent to 'net_admin'. As there is no kernel interface to retrieve
capability names by their index, we have to declare these ourselves,
which adds to setpriv's size.

To counteract, using the human-readble name has been made configurable.
The following sizes are with the 'FEATURE_SETPRIV_CAPABILITY_NAMES'
enabled:

function                                             old     new   delta
.rodata                                           145969  146405    +436
setpriv_main                                         467     842    +375
capabilities                                           -     304    +304

And with 'FEATURE_SETPRIV_CAPABILITY_NAMES' disabled:

function                                             old     new   delta
setpriv_main                                         467     838    +371
.rodata                                           145969  146101    +132

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 22:47:16 +02:00
Patrick Steinhardt
10c53b85c9 setpriv: dump no-new-privs info
Introduce the ability to dump the state of the no-new-privs flag, which
states whethere it is allowed to grant new privileges.

function                                             old     new   delta
setpriv_main                                         419     467     +48
.rodata                                           145926  145969     +43

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 22:27:22 +02:00
Denys Vlasenko
111cdcf295 shell: sync redir/* tests
Note: hush-redir/redir_to_bad_fd.tests currently fails

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 21:01:50 +02:00
Denys Vlasenko
1ff1a75710 ash: rename redir5.tests (hush has redir5.tests which is different)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 21:00:19 +02:00
Denys Vlasenko
50b8b2914b hush: add a TODO about redir3.tests failure
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 20:57:37 +02:00
Denys Vlasenko
a107ef2a6a hush: rename hush-redir/redir3.tests (ash has redir3.tests which id different)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 20:36:40 +02:00
Denys Vlasenko
e59591a364 hush: Print error messages on shift -1
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 20:12:44 +02:00
Denys Vlasenko
74d20e6379 typo fix
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 19:50:42 +02:00
Denys Vlasenko
5dad7bdc3b hush: implement negative start in the ${v: -n[:m]} idiom
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 19:48:20 +02:00
Denys Vlasenko
3234045d07 hush: "adopt" ash var-utf8-length.tests
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 19:29:23 +02:00
Denys Vlasenko
7456298472 hush: "adopt" ash signal4.tests
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 18:40:45 +02:00
Denys Vlasenko
b18b04c8a8 shell: remove duplicate sigint1.tests (another copies are in signals/)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 18:37:30 +02:00
Denys Vlasenko
cafb2d195d hush: add tickquote1.tests from ash testsuite
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 18:31:47 +02:00
Denys Vlasenko
bb963bda62 shell: syncronize ash and hush heredoc3.tests
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 18:19:35 +02:00
Denys Vlasenko
959cb67428 shell: syncronize ash and hush heredoc1.tests
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 18:16:18 +02:00
Denys Vlasenko
9a8ece5158 shell: syncronize ash_test/run-all and hush_test/run-all a bit
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 17:59:25 +02:00
Denys Vlasenko
3c9688e587 makedevs: code shrink
function                                             old     new   delta
makedevs_main                                       1071    1052     -19

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 02:17:24 +02:00
Denys Vlasenko
3532e60ca8 makedevs: allow much longer filenames
function                                             old     new   delta
makedevs_main                                       1056    1071     +15

Patch by Kang-Che Sung <explorer09@gmail.com>

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 02:04:32 +02:00
Denys Vlasenko
637982f5bb hush: correctly handle quoting in "case" even if !BASH_PATTERN_SUBST
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-06 01:52:23 +02:00
Peter Korsgaard
d13c1762a8 dpkg: fix CONFIG_FEATURE_CLEAN_UP handling
dpkg moved to away from dynamically allocating the hashtables in commit
c87339d584 (dpkg: trivial code shrinkage, and redo G trick correctly) almost
ten years ago, but the cleanup code was never adjusted to match.

Glibc loudly complains about this:

*** Error in `dpkg': free(): invalid pointer: 0x0000007fac3478c0 ***

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-05 23:15:13 +02:00
Denys Vlasenko
bd43c6784f hush: fix quoted_punct.tests failure
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-05 23:12:15 +02:00
Denys Vlasenko
4142f0187d ash: fix escaping of a few characters (broken by last commits)
Add a testcase which tests all ASCII punctuation escapes.
NB: hush is failing this test!

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-05 22:19:28 +02:00
Denys Vlasenko
ed79a63623 ash: tweak in comment
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-05 19:20:43 +02:00
Denys Vlasenko
92b8d9c9fa ash: note which versions of glibc exhibit "rho bug"
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-05 19:13:44 +02:00
Denys Vlasenko
fda9fafe27 ash: fix matching of unicode greek letter rho (cf 81) and similar cases
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-05 19:10:21 +02:00
Denys Vlasenko
6798486141 setpriv: dump user and group info
setpriv from util-linux has an option to dump the current state
regarding privilege settings via '--dump'. It prints out information on
the real and effective user and group IDs, supplementary groups, the
no-new-privs flag, the capability sets as well as secure bits.

This patch is the start of supporting this mode. To make introduction of
the '--dump' easier to reason about, its introduction has been split
into multiple patches. This particular one introduces the ability to
print out user and group information of the current process.

function                                             old     new   delta
setpriv_main                                          89     322    +233
getresuid                                              -      41     +41
getresgid                                              -      41     +41
static.setpriv_longopts                               22      29      +7
packed_usage                                       31675   31669      -6
------------------------------------------------------------------------------
(add/remove: 4/0 grow/shrink: 2/1 up/down: 322/-6)            Total: 316 bytes

Patch by Patrick Steinhardt <ps@pks.im>

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 18:59:11 +02:00
Denys Vlasenko
a8cf9c5a3f libbb: new function bb_getgroups() - allocating wrapper around getgroups()
function                                             old     new   delta
bb_getgroups                                           -     111    +111
nexpr                                                843     757     -86
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 0/1 up/down: 111/-86)            Total: 25 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 18:56:45 +02:00
Patrick Steinhardt
6a3bcf340a setpriv: prepare option parsing logic for additional opts
The current option parsing logic of setpriv only supports the case where
we want to execute a sub-program and have at most one argument. Refactor
handling of options to solve these shortcomings to make it easy to
support 'setpriv --dump', which does not accept any additional
arguments, as well as the case where additional options are passed to
setpriv. This is done by handling 'argc' ourselves, throwing an error
when no program is specified, as well as introducing an enum for the
different option bitmasks.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 17:15:32 +02:00
Patrick Steinhardt
d253b557a3 setpriv: do not process remaining args
By default, the 'getopt32' call will continue parsing the command line
even after hitting a non-option string. But in setpriv, this should be
avoided, as all parameters following the initial non-option argument are
in fact arguments to the binary that is to be executed by setpriv.
Otherwise, calling e.g. 'busybox setpriv ls -l' would result in an error
due to the unknown parameter "-l".

Fix the issue by passing "+" as the first character in the options
string. This will cause 'getopt32' to stop processing after hitting the
first non-option.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 17:10:31 +02:00
Denys Vlasenko
558aae1a33 tls: use capped SNI len everywhere
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 16:52:45 +02:00
Denys Vlasenko
034ceabe82 bzcat: compile bunzip2_main() if BZCAT.
Currently, BZCAT (and BUNZIP2) selects FEATURE_BZIP2_DECOMPRESS,
thus, "#if ENABLE_FEATURE_BZIP2_DECOMPRESS" around bunzip2_main()
is sufficient. But let's robustify it.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 16:23:36 +02:00