authorDenys Vlasenko <dvlasenk@redhat.com>2011-01-03 13:57:49 +0100
committerDenys Vlasenko <dvlasenk@redhat.com>2011-01-03 13:57:49 +0100
commit6100b51ca81721ac364f101a17cbce0d9f6fcb59 (patch)
tree7e60a35c25e27a43bb08a609de3ddf8fa65454eb
parent327d2885ecab7fb8e876026c428c2e415c5742c1 (diff)
explain every non-SUID_DROP applet. No code changes
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
-rw-r--r--include/applets.src.h19
-rw-r--r--networking/ping.c1
2 files changed, 19 insertions, 1 deletions
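--- a/include/applets.src.h
+++ b/include/applets.src.h
@@ -16,6 +16,8 @@ s - suid type:
  and is run by non-root (applet_main() will not be called at all)
  _BB_SUID_DROP: will drop suid prior to applet_main()
  _BB_SUID_MAYBE: neither of the above
+ (every instance of _BB_SUID_REQUIRE and _BB_SUID_MAYBE
+ needs to be justified in comment)
 */
 
 #if defined(PROTOTYPES)
@@ -100,6 +102,7 @@ IF_COMM(APPLET(comm, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_CP(APPLET_NOEXEC(cp, cp, _BB_DIR_BIN, _BB_SUID_DROP, cp))
 IF_CPIO(APPLET(cpio, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_CROND(APPLET(crond, _BB_DIR_USR_SBIN, _BB_SUID_DROP))
+/* Needs to be run by root or be suid root - needs to change /var/spool/cron* files: */
 IF_CRONTAB(APPLET(crontab, _BB_DIR_USR_BIN, _BB_SUID_REQUIRE))
 IF_CRYPTPW(APPLET(cryptpw, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_CUT(APPLET_NOEXEC(cut, cut, _BB_DIR_USR_BIN, _BB_SUID_DROP, cut))
@@ -115,6 +118,7 @@ IF_DHCPRELAY(APPLET(dhcprelay, _BB_DIR_USR_SBIN, _BB_SUID_DROP))
 IF_DIFF(APPLET(diff, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_DIRNAME(APPLET_NOFORK(dirname, dirname, _BB_DIR_USR_BIN, _BB_SUID_DROP, dirname))
 IF_DMESG(APPLET(dmesg, _BB_DIR_BIN, _BB_SUID_DROP))
+/* Why _BB_SUID_REQUIRE? */
 IF_DNSD(APPLET(dnsd, _BB_DIR_USR_SBIN, _BB_SUID_REQUIRE))
 IF_HOSTNAME(APPLET_ODDNAME(dnsdomainname, hostname, _BB_DIR_BIN, _BB_SUID_DROP, dnsdomainname))
 IF_DOS2UNIX(APPLET_NOEXEC(dos2unix, dos2unix, _BB_DIR_USR_BIN, _BB_SUID_DROP, dos2unix))
@@ -142,6 +146,7 @@ IF_FDFLUSH(APPLET_ODDNAME(fdflush, freeramdisk, _BB_DIR_BIN, _BB_SUID_DROP, fdfl
 IF_FDFORMAT(APPLET(fdformat, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_FDISK(APPLET(fdisk, _BB_DIR_SBIN, _BB_SUID_DROP))
 IF_FGCONSOLE(APPLET(fgconsole, _BB_DIR_USR_BIN, _BB_SUID_DROP))
+/* Benefits from suid root: better access to /dev/BLOCKDEVs: */
 IF_FINDFS(APPLET(findfs, _BB_DIR_SBIN, _BB_SUID_MAYBE))
 IF_FLASH_ERASEALL(APPLET(flash_eraseall, _BB_DIR_USR_SBIN, _BB_SUID_DROP))
 IF_FLASH_LOCK(APPLET_ODDNAME(flash_lock, flash_lock_unlock, _BB_DIR_USR_SBIN, _BB_SUID_DROP, flash_lock))
@@ -193,7 +198,9 @@ IF_IP(APPLET(ip, _BB_DIR_BIN, _BB_SUID_DROP))
 #endif
 IF_IPADDR(APPLET(ipaddr, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_IPCALC(APPLET(ipcalc, _BB_DIR_BIN, _BB_SUID_DROP))
+/* Why _BB_SUID_REQUIRE? On Fedora, it isn't suid root */
 IF_IPCRM(APPLET(ipcrm, _BB_DIR_USR_BIN, _BB_SUID_REQUIRE))
+/* Why _BB_SUID_REQUIRE? On Fedora, it isn't suid root */
 IF_IPCS(APPLET(ipcs, _BB_DIR_USR_BIN, _BB_SUID_REQUIRE))
 IF_IPLINK(APPLET(iplink, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_IPROUTE(APPLET(iproute, _BB_DIR_BIN, _BB_SUID_DROP))
@@ -214,6 +221,7 @@ IF_LOAD_POLICY(APPLET(load_policy, _BB_DIR_USR_SBIN, _BB_SUID_DROP))
 IF_LOADFONT(APPLET(loadfont, _BB_DIR_USR_SBIN, _BB_SUID_DROP))
 IF_LOADKMAP(APPLET(loadkmap, _BB_DIR_SBIN, _BB_SUID_DROP))
 IF_LOGGER(APPLET(logger, _BB_DIR_USR_BIN, _BB_SUID_DROP))
+/* Needs to be run by root or be suid root - needs to change uid and gid: */
 IF_LOGIN(APPLET(login, _BB_DIR_BIN, _BB_SUID_REQUIRE))
 IF_LOGNAME(APPLET_NOFORK(logname, logname, _BB_DIR_USR_BIN, _BB_SUID_DROP, logname))
 IF_LOGREAD(APPLET(logread, _BB_DIR_SBIN, _BB_SUID_DROP))
@@ -250,6 +258,10 @@ IF_CRYPTPW(APPLET_ODDNAME(mkpasswd, cryptpw, _BB_DIR_USR_BIN, _BB_SUID_DROP, mkp
 IF_MKSWAP(APPLET(mkswap, _BB_DIR_SBIN, _BB_SUID_DROP))
 IF_MKTEMP(APPLET(mktemp, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_MORE(APPLET(more, _BB_DIR_BIN, _BB_SUID_DROP))
+/* On full-blown systems, requires suid for user mounts.
+ * But it's not unthinkable to have it available in non-suid flavor on some systems,
+ * for viewing mount table.
+ * Therefore we use _BB_SUID_MAYBE instead of _BB_SUID_REQUIRE: */
 IF_MOUNT(APPLET(mount, _BB_DIR_BIN, IF_DESKTOP(_BB_SUID_MAYBE) IF_NOT_DESKTOP(_BB_SUID_DROP)))
 IF_MOUNTPOINT(APPLET(mountpoint, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_MT(APPLET(mt, _BB_DIR_BIN, _BB_SUID_DROP))
@@ -264,6 +276,7 @@ IF_NTPD(APPLET(ntpd, _BB_DIR_USR_SBIN, _BB_SUID_DROP))
 IF_OD(APPLET(od, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_OPENVT(APPLET(openvt, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 //IF_PARSE(APPLET(parse, _BB_DIR_USR_BIN, _BB_SUID_DROP))
+/* Needs to be run by root or be suid root - needs to change /etc/{passwd,shadow}: */
 IF_PASSWD(APPLET(passwd, _BB_DIR_USR_BIN, _BB_SUID_REQUIRE))
 IF_PGREP(APPLET(pgrep, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_PIDOF(APPLET(pidof, _BB_DIR_BIN, _BB_SUID_DROP))
@@ -323,7 +336,7 @@ IF_SHA256SUM(APPLET_NOEXEC(sha256sum, md5_sha1_sum, _BB_DIR_USR_BIN, _BB_SUID_DR
 IF_SHA512SUM(APPLET_NOEXEC(sha512sum, md5_sha1_sum, _BB_DIR_USR_BIN, _BB_SUID_DROP, sha512sum))
 IF_SHOWKEY(APPLET(showkey, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_SLATTACH(APPLET(slattach, _BB_DIR_SBIN, _BB_SUID_DROP))
-/* Do not make this applet NOFORK. It breaks ^C-ing of pauses in shells */
+/* Do not make this applet NOFORK. It breaks ^C-ing of pauses in shells: */
 IF_SLEEP(APPLET(sleep, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_SOFTLIMIT(APPLET_ODDNAME(softlimit, chpst, _BB_DIR_USR_BIN, _BB_SUID_DROP, softlimit))
 IF_SORT(APPLET_NOEXEC(sort, sort, _BB_DIR_USR_BIN, _BB_SUID_DROP, sort))
@@ -332,6 +345,7 @@ IF_START_STOP_DAEMON(APPLET_ODDNAME(start-stop-daemon, start_stop_daemon, _BB_DI
 IF_STAT(APPLET(stat, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_STRINGS(APPLET(strings, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_STTY(APPLET(stty, _BB_DIR_BIN, _BB_SUID_DROP))
+/* Needs to be run by root or be suid root - needs to change uid and gid: */
 IF_SU(APPLET(su, _BB_DIR_BIN, _BB_SUID_REQUIRE))
 IF_SULOGIN(APPLET(sulogin, _BB_DIR_SBIN, _BB_SUID_DROP))
 IF_SUM(APPLET(sum, _BB_DIR_USR_BIN, _BB_SUID_DROP))
@@ -361,6 +375,7 @@ IF_TIME(APPLET(time, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_TIMEOUT(APPLET(timeout, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_TOP(APPLET(top, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_TR(APPLET(tr, _BB_DIR_USR_BIN, _BB_SUID_DROP))
+/* Needs socket(AF_INET, SOCK_RAW, IPPROTO_ICMP), therefore _BB_SUID_MAYBE: */
 IF_TRACEROUTE(APPLET(traceroute, _BB_DIR_USR_BIN, _BB_SUID_MAYBE))
 IF_TRACEROUTE6(APPLET(traceroute6, _BB_DIR_USR_BIN, _BB_SUID_MAYBE))
 IF_TRUE(APPLET_NOFORK(true, true, _BB_DIR_BIN, _BB_SUID_DROP, true))
@@ -387,8 +402,10 @@ IF_UUDECODE(APPLET(uudecode, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_UUENCODE(APPLET(uuencode, _BB_DIR_USR_BIN, _BB_SUID_DROP))
 IF_VCONFIG(APPLET(vconfig, _BB_DIR_SBIN, _BB_SUID_DROP))
 IF_VI(APPLET(vi, _BB_DIR_BIN, _BB_SUID_DROP))
+/* Needs to be run by root or be suid root - needs to change uid and gid: */
 IF_VLOCK(APPLET(vlock, _BB_DIR_USR_BIN, _BB_SUID_REQUIRE))
 IF_VOLNAME(APPLET(volname, _BB_DIR_USR_BIN, _BB_SUID_DROP))
+/* Needs to be run by root or be suid root - needs to write to /dev/TTY: */
 IF_WALL(APPLET(wall, _BB_DIR_USR_BIN, _BB_SUID_REQUIRE))
 IF_WATCH(APPLET(watch, _BB_DIR_BIN, _BB_SUID_DROP))
 IF_WATCHDOG(APPLET(watchdog, _BB_DIR_SBIN, _BB_SUID_DROP))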
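Review bot: The comments added above IF_DNSD, IF_IPCRM and IF_IPCS ask `Why _BB_SUID_REQUIRE?` instead of giving the justification that the header text added in the first hunk now requires, so three applets keep a setuid-root classification with no stated reason. Going by the header's description of the suid types, these entries do not drop suid before applet_main(), which makes each unexplained one extra code running as root in a suid busybox install. Until the flag itself is revisited in a separate change, wording such as `/* FIXME: no known reason for _BB_SUID_REQUIRE; candidate for _BB_SUID_DROP */` would make them easy to find in an audit. The vlock comment repeats the login/su text (`needs to change uid and gid`) and should be checked against vlock's source, which is not part of this page.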
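--- a/networking/ping.c
+++ b/networking/ping.c
@@ -52,6 +52,7 @@
 //config: Make the output from the ping applet include statistics, and at the
 //config: same time provide full support for ICMP packets.
 
+/* Needs socket(AF_INET, SOCK_RAW, IPPROTO_ICMP), therefore _BB_SUID_MAYBE: */
 //applet:IF_PING(APPLET(ping, _BB_DIR_BIN, _BB_SUID_MAYBE))
 //applet:IF_PING6(APPLET(ping6, _BB_DIR_BIN, _BB_SUID_MAYBE))
 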
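Review bot: The added comment names only the IPv4 call, `socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)`, yet it sits above both the ping and ping6 applet lines, so ping6's `_BB_SUID_MAYBE` is not really justified by it. Presumably ping6 needs the IPv6 raw-socket equivalent; the comment could say so, e.g. `/* Need raw ICMP sockets (IPv4 and IPv6), therefore _BB_SUID_MAYBE: */`. The comment at IF_TRACEROUTE / IF_TRACEROUTE6 in include/applets.src.h has the same gap. It would also help an auditor if the comment stated where, if anywhere, ping gives up root after creating the socket; that code is outside this hunk.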