busybox.conf: USER.GROUP is _optional_
function old new delta main 785 809 +24 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko
parent
3770b6b061
commit
d83aff1aed
17
Config.in
17
Config.in
@ -350,15 +350,17 @@ config FEATURE_SUID_CONFIG
|
||||
by checking /etc/busybox.conf. (This is sort of a poor man's sudo.)
|
||||
The format of this file is as follows:
|
||||
|
||||
APPLET = [Ssx-][Ssx-][x-] USER.GROUP
|
||||
APPLET = [Ssx-][Ssx-][x-] [USER.GROUP]
|
||||
|
||||
s: This user/group are allowed to execute APPLET.
|
||||
s: USER or GROUP is allowed to execute APPLET.
|
||||
APPLET will run under USER or GROUP
|
||||
(reagardless of who's running it).
|
||||
S: USER or GROUP is NOT allowed to execute APPLET.
|
||||
APPLET will run under USER or GROUP.
|
||||
x: User/group/others are allowed to execute APPLET.
|
||||
This option is not very sensical.
|
||||
x: USER/GROUP/others are allowed to execute APPLET.
|
||||
No UID/GID change will be done when it is run.
|
||||
S: This user/group are NOT allowed to execute APPLET.
|
||||
APPLET will run under USER or GROUP.
|
||||
-: User/group/others are not allowed to execute APPLET.
|
||||
-: USER/GROUP/others are not allowed to execute APPLET.
|
||||
|
||||
An example might help:
|
||||
|
||||
@ -368,7 +370,8 @@ config FEATURE_SUID_CONFIG
|
||||
su = ssx # exactly the same
|
||||
|
||||
mount = sx- root.disk # applet mount can be run by root and members
|
||||
# of group disk and runs with euid=0
|
||||
# of group disk (but not anyone else)
|
||||
# and runs with euid=0 (egid is not changed)
|
||||
|
||||
cp = --- # disable applet cp for everyone
|
||||
|
||||
|
||||
@ -261,9 +261,7 @@ static int ingroup(uid_t u, gid_t g)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* This should probably be a libbb routine. In that case,
|
||||
* I'd probably rename it to something like bb_trimmed_slice.
|
||||
*/
|
||||
/* libbb candidate */
|
||||
static char *get_trimmed_slice(char *s, char *e)
|
||||
{
|
||||
/* First, consider the value at e to be nul and back up until we
|
||||
@ -442,15 +440,16 @@ static void parse_config_file(void)
|
||||
/* Now get the user/group info. */
|
||||
|
||||
s = skip_whitespace(e);
|
||||
if (*s == '\0')
|
||||
s = strcpy(buffer, "0.0");
|
||||
|
||||
/* Note: we require whitespace between the mode and the
|
||||
* user/group info. */
|
||||
/* We require whitespace between mode and USER.GROUP */
|
||||
if ((s == e) || !(e = strchr(s, '.'))) {
|
||||
errmsg = "uid.gid";
|
||||
goto pe_label;
|
||||
}
|
||||
|
||||
*e = ':'; /* get_uidgid doesn't understand user.group */
|
||||
*e = ':'; /* get_uidgid needs USER:GROUP syntax */
|
||||
if (get_uidgid(&sct->m_ugid, s, /*allow_numeric:*/ 1) == 0) {
|
||||
errmsg = "unknown user/group";
|
||||
goto pe_label;
|
||||
@ -518,7 +517,7 @@ static void check_suid(int applet_no)
|
||||
/* same group / in group */
|
||||
m >>= 3;
|
||||
if (!(m & S_IXOTH)) /* is x bit not set? */
|
||||
bb_error_msg_and_die("you have no permission to run this applet!");
|
||||
bb_error_msg_and_die("you have no permission to run this applet");
|
||||
|
||||
/* We set effective AND saved ids. If saved-id is not set
|
||||
* like we do below, seteuid(0) can still later succeed! */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user