author    Nathan Rossi <nathan@nathanrossi.com>  2018-01-24 22:59:28 +1000
committer Richard Purdie <richard.purdie@linuxfoundation.org>  2018-01-29 08:49:42 +0000
commit    b64807549569817c8f1921a0aad52c815af90731 (patch)
tree      aa2aeb3976d2d028416fde65eaf72385fdd73329
parent    3d2c87c4f4115b01534ab198c27682c7e4c5f31f (diff)
download  openembedded-core-contrib-b64807549569817c8f1921a0aad52c815af90731.tar.gz
busybox.inc: Add sanity check to test if the suid binary provides sh
Add a sanity check during the do_compile task to fail if the suid busybox provides /bin/sh. This is considered as a hard fail since not only is providing sh as suid problematic for security reasons but also because the sh configured for suid is less functional than the nosuid configured sh and breaks a number of required features (e.g. 64-bit test).

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r--  meta/recipes-core/busybox/busybox.inc | 6
1 file changed, 6 insertions(+), 0 deletions(-)
diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 4012f921c6..157aea3968 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -183,6 +183,12 @@ do_compile() {
oe_runmake busybox.links
mv busybox.links busybox.links.$s
done
+
+ # hard fail if sh is being linked to the suid busybox (detects bug 10346)
+ if grep -q -x "/bin/sh" busybox.links.suid; then
+ bbfatal "busybox suid binary incorrectly provides /bin/sh"
+ fi
+
# copy .config.orig back to .config, because the install process may check this file
cp .config.orig .config
# cleanup
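Review bot: The bbfatal message in this hunk states what is wrong but not why it is fatal or what to change, so a failing build gives the user nothing actionable; since the commit message already explains the reasoning (suid sh is a security problem and is also less functional than the nosuid sh), fold a short hint into the message, e.g. `bbfatal "busybox suid binary incorrectly provides /bin/sh; sh must be built into the nosuid binary (see bug 10346)"`. Two smaller points on the same lines: the comment cites "bug 10346" without saying which tracker it lives in, so name it; and `grep -q -x "/bin/sh"` matches a regex, so `grep -qxF "/bin/sh"` makes the intent of an exact literal line match explicit.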