From b8bd1f71638e3eb61e0caef926d59d41f012bc1a Mon Sep 17 00:00:00 2001
From: Nathan Rossi
Date: Wed, 24 Jan 2018 22:59:28 +1000
Subject: busybox.inc: Add sanity check to test if the suid binary provides sh

Add a sanity check during the do_compile task to fail if the suid busybox provides /bin/sh. This is considered as a hard fail since not only is providing sh as suid problematic for security reasons but also because the sh configured for suid is less functional than the nosuid configured sh and breaks a number of required features (e.g. 64-bit test).

(From OE-Core rev: b64807549569817c8f1921a0aad52c815af90731)

Signed-off-by: Nathan Rossi
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/recipes-core/busybox/busybox.inc | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'meta/recipes-core')

diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 4012f921c6..157aea3968 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -183,6 +183,12 @@ do_compile() {
 oe_runmake busybox.links
 mv busybox.links busybox.links.$s
 done
+
+ # hard fail if sh is being linked to the suid busybox (detects bug 10346)
+ if grep -q -x "/bin/sh" busybox.links.suid; then
+ bbfatal "busybox suid binary incorrectly provides /bin/sh"
+ fi
+
 # copy .config.orig back to .config, because the install process may check this file
 cp .config.orig .config
 # cleanup
-- 
cgit v1.2.3-54-g00ecf
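Review bot: The new `grep -q -x "/bin/sh" busybox.links.suid` test only catches the exact link path `/bin/sh`, so a shell applet reaching the suid binary under another applet name (busybox also ships `ash` and `hush`) or under a different install prefix would pass the check while carrying the same setuid-shell risk the commit message describes. If the intent is "no shell applet may be suid", a pattern match is more robust: `if grep -q -x -E "/(usr/)?bin/(sh|ash|hush)" busybox.links.suid; then`. The check also assumes `busybox.links.suid` always exists after the preceding loop; if the loop is ever conditional on the suid split, `grep` on a missing file prints an error to the task log and the `if` silently takes the false branch, so a guard such as `[ -f busybox.links.suid ] &&` in front of the grep, or an explicit `bbfatal` when the file is absent, would make the failure mode visible. The enclosing `do_compile()` function starts and ends outside this hunk.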