diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-08-07 00:28:15 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-08-07 00:28:15 +0200 |
| commit | 7b8372b81926ef6aa8d91945a95261bbb93d0b9e (patch) | |
| tree | 9a125f00f6dc2c324e24c7f1bb2952ae78a1165a | |
| parent | bfc66d49806a4305014b12bbe078484b2da6f93f (diff) | |
| download | busybox-w32-7b8372b81926ef6aa8d91945a95261bbb93d0b9e.tar.gz busybox-w32-7b8372b81926ef6aa8d91945a95261bbb93d0b9e.tar.bz2 busybox-w32-7b8372b81926ef6aa8d91945a95261bbb93d0b9e.zip | |
add/remove-shell,add/deluser,add/delgroup: make them NOEXEC
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | NOFORK_NOEXEC.lst | 12 | ||||
| -rw-r--r-- | loginutils/add-remove-shell.c | 7 | ||||
| -rw-r--r-- | loginutils/addgroup.c | 2 | ||||
| -rw-r--r-- | loginutils/adduser.c | 2 | ||||
| -rw-r--r-- | loginutils/deluser.c | 5 |
5 files changed, 15 insertions, 13 deletions
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index 9c8df23ab..ac04f75da 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst | |||
| @@ -36,9 +36,9 @@ IOW: rm is "interactive", but not "longterm". | |||
| 36 | [ - NOFORK | 36 | [ - NOFORK |
| 37 | [[ - NOFORK | 37 | [[ - NOFORK |
| 38 | acpid - daemon | 38 | acpid - daemon |
| 39 | add-shell | 39 | add-shell - noexec. leaks: open+xfunc |
| 40 | addgroup | 40 | addgroup - noexec. leaks |
| 41 | adduser | 41 | adduser - noexec. leaks |
| 42 | adjtimex - NOFORK | 42 | adjtimex - NOFORK |
| 43 | ar - runner | 43 | ar - runner |
| 44 | arch - NOFORK | 44 | arch - NOFORK |
| @@ -86,8 +86,8 @@ date - noexec. nofork candidate(needs to stop messing up env, free xasprintf res | |||
| 86 | dc - runner (eats stdin if no params) | 86 | dc - runner (eats stdin if no params) |
| 87 | dd - noexec. runner | 87 | dd - noexec. runner |
| 88 | deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds | 88 | deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds |
| 89 | delgroup | 89 | delgroup - noexec. leaks |
| 90 | deluser | 90 | deluser - noexec. leaks |
| 91 | depmod - complex, rare | 91 | depmod - complex, rare |
| 92 | devmem - runner, complex (access to device memory may hang) | 92 | devmem - runner, complex (access to device memory may hang) |
| 93 | df - leaks: nested allocs | 93 | df - leaks: nested allocs |
| @@ -282,7 +282,7 @@ readprofile - reads /boot/System.map and /proc/profile, better to free more memo | |||
| 282 | realpath - NOFORK | 282 | realpath - NOFORK |
| 283 | reboot - rare | 283 | reboot - rare |
| 284 | reformime - runner | 284 | reformime - runner |
| 285 | remove-shell | 285 | remove-shell - noexec. leaks: open+xfunc |
| 286 | renice - nofork candidate(uses getpwnam, is that ok?) | 286 | renice - nofork candidate(uses getpwnam, is that ok?) |
| 287 | reset - noexec. spawner (execs "stty") | 287 | reset - noexec. spawner (execs "stty") |
| 288 | resize - noexec. changes state (signal handlers) | 288 | resize - noexec. changes state (signal handlers) |
diff --git a/loginutils/add-remove-shell.c b/loginutils/add-remove-shell.c index 750b44bd6..6d03de254 100644 --- a/loginutils/add-remove-shell.c +++ b/loginutils/add-remove-shell.c | |||
| @@ -19,9 +19,9 @@ | |||
| 19 | //config: help | 19 | //config: help |
| 20 | //config: Remove shells from /etc/shells. | 20 | //config: Remove shells from /etc/shells. |
| 21 | 21 | ||
| 22 | // APPLET_ODDNAME:name main location suid_type help | 22 | // APPLET_NOEXEC:name main location suid_type help |
| 23 | //applet:IF_ADD_SHELL( APPLET_ODDNAME(add-shell , add_remove_shell, BB_DIR_USR_SBIN, BB_SUID_DROP, add_shell )) | 23 | //applet:IF_ADD_SHELL( APPLET_NOEXEC(add-shell , add_remove_shell, BB_DIR_USR_SBIN, BB_SUID_DROP, add_shell )) |
| 24 | //applet:IF_REMOVE_SHELL(APPLET_ODDNAME(remove-shell, add_remove_shell, BB_DIR_USR_SBIN, BB_SUID_DROP, remove_shell)) | 24 | //applet:IF_REMOVE_SHELL(APPLET_NOEXEC(remove-shell, add_remove_shell, BB_DIR_USR_SBIN, BB_SUID_DROP, remove_shell)) |
| 25 | 25 | ||
| 26 | //kbuild:lib-$(CONFIG_ADD_SHELL) += add-remove-shell.o | 26 | //kbuild:lib-$(CONFIG_ADD_SHELL) += add-remove-shell.o |
| 27 | //kbuild:lib-$(CONFIG_REMOVE_SHELL) += add-remove-shell.o | 27 | //kbuild:lib-$(CONFIG_REMOVE_SHELL) += add-remove-shell.o |
| @@ -64,6 +64,7 @@ int add_remove_shell_main(int argc UNUSED_PARAM, char **argv) | |||
| 64 | if (orig_fp) | 64 | if (orig_fp) |
| 65 | xfstat(fileno(orig_fp), &sb, orig_fn); | 65 | xfstat(fileno(orig_fp), &sb, orig_fn); |
| 66 | 66 | ||
| 67 | |||
| 67 | new_fn = xasprintf("%s.tmp", orig_fn); | 68 | new_fn = xasprintf("%s.tmp", orig_fn); |
| 68 | /* | 69 | /* |
| 69 | * O_TRUNC or O_EXCL? At the first glance, O_EXCL looks better, | 70 | * O_TRUNC or O_EXCL? At the first glance, O_EXCL looks better, |
diff --git a/loginutils/addgroup.c b/loginutils/addgroup.c index b197fc149..30f7e72dc 100644 --- a/loginutils/addgroup.c +++ b/loginutils/addgroup.c | |||
| @@ -29,7 +29,7 @@ | |||
| 29 | //config: addgroup will add an existing user to an | 29 | //config: addgroup will add an existing user to an |
| 30 | //config: existing group. | 30 | //config: existing group. |
| 31 | 31 | ||
| 32 | //applet:IF_ADDGROUP(APPLET(addgroup, BB_DIR_USR_SBIN, BB_SUID_DROP)) | 32 | //applet:IF_ADDGROUP(APPLET_NOEXEC(addgroup, addgroup, BB_DIR_USR_SBIN, BB_SUID_DROP, addgroup)) |
| 33 | 33 | ||
| 34 | //kbuild:lib-$(CONFIG_ADDGROUP) += addgroup.o | 34 | //kbuild:lib-$(CONFIG_ADDGROUP) += addgroup.o |
| 35 | 35 | ||
diff --git a/loginutils/adduser.c b/loginutils/adduser.c index ef18278ac..913dbaf83 100644 --- a/loginutils/adduser.c +++ b/loginutils/adduser.c | |||
| @@ -53,7 +53,7 @@ | |||
| 53 | //config: help | 53 | //config: help |
| 54 | //config: Last valid system uid or gid for adduser and addgroup | 54 | //config: Last valid system uid or gid for adduser and addgroup |
| 55 | 55 | ||
| 56 | //applet:IF_ADDUSER(APPLET(adduser, BB_DIR_USR_SBIN, BB_SUID_DROP)) | 56 | //applet:IF_ADDUSER(APPLET_NOEXEC(adduser, adduser, BB_DIR_USR_SBIN, BB_SUID_DROP, adduser)) |
| 57 | 57 | ||
| 58 | //kbuild:lib-$(CONFIG_ADDUSER) += adduser.o | 58 | //kbuild:lib-$(CONFIG_ADDUSER) += adduser.o |
| 59 | 59 | ||
diff --git a/loginutils/deluser.c b/loginutils/deluser.c index 3b6bd952d..f5bc3c28a 100644 --- a/loginutils/deluser.c +++ b/loginutils/deluser.c | |||
| @@ -28,8 +28,9 @@ | |||
| 28 | //config: If called with two non-option arguments, deluser | 28 | //config: If called with two non-option arguments, deluser |
| 29 | //config: or delgroup will remove an user from a specified group. | 29 | //config: or delgroup will remove an user from a specified group. |
| 30 | 30 | ||
| 31 | //applet:IF_DELUSER(APPLET(deluser, BB_DIR_USR_SBIN, BB_SUID_DROP)) | 31 | // APPLET_NOEXEC:name main location suid_type help |
| 32 | //applet:IF_DELGROUP(APPLET_ODDNAME(delgroup, deluser, BB_DIR_USR_SBIN, BB_SUID_DROP, delgroup)) | 32 | //applet:IF_DELUSER( APPLET_NOEXEC(deluser, deluser, BB_DIR_USR_SBIN, BB_SUID_DROP, deluser)) |
| 33 | //applet:IF_DELGROUP(APPLET_NOEXEC(delgroup, deluser, BB_DIR_USR_SBIN, BB_SUID_DROP, delgroup)) | ||
| 33 | 34 | ||
| 34 | //kbuild:lib-$(CONFIG_DELUSER) += deluser.o | 35 | //kbuild:lib-$(CONFIG_DELUSER) += deluser.o |
| 35 | //kbuild:lib-$(CONFIG_DELGROUP) += deluser.o | 36 | //kbuild:lib-$(CONFIG_DELGROUP) += deluser.o |