From: John Stile <john@stilen.com>
To: buildroot@busybox.net
Subject: [Buildroot] how does buildroot avoid requireing root?
Date: Sat, 29 Jun 2013 10:08:44 -0700 [thread overview]
Message-ID: <1372525724.28302.168.camel@localhost> (raw)
In-Reply-To: <20130629104921.12fc15ea@skate>
That does answer my question very well.
Thank you.
On Sat, 2013-06-29 at 10:49 +0200, Thomas Petazzoni wrote:
> Dear John Stile,
>
> On Fri, 28 Jun 2013 17:47:16 -0700, John Stile wrote:
> > I am confused about how buildroot creates busybox.
> >
> > There are notes that one must ensure that busybox setuid root.
> >
> > Performing this operation must be performed as root:
> > chown 0.0 /bin/busybox; chmod 4755 /bin/busybox
> >
> > Yet when I use buildroot I never become root.
> >
> > How does buildroot accomplish this?
> >
> > In output/build/busybox-1.18.5 I see applets/install.sh calls:
> > install -m 755 busybox $prefix/bin/busybox || exit 1
> >
> > but I don't see how this becomes setuid?
> >
> > On my embedded system, I see:
> > -rwsr-xr-x 1 root root 605876 Jun 28 2013 /bin/busybox*
>
> We use a combination of 'fakeroot' and 'makedevs'. From
> http://man.he.net/man1/fakeroot:
>
> fakeroot runs a command in an environment wherein it
> appears to have root privileges for file
> manipulation. This is useful for allowing users to
> create archives (tar, ar, .deb etc.) with files in them
> with root permissions/ownership. Without fakeroot one
> would need to have root privileges to create the
> constituent files of the archives with the correct
> permissions and ownership, and then pack them up, or
> one would have to construct the archives directly,
> without using the archiver.
>
> fakeroot works by replacing the file manipulation library
> functions (chmod(2), stat(2) etc.) by ones that
> simulate the effect the real library functions would
> have had, had the user really been root. These wrapper
> functions are in a shared
> library /usr/lib/libfakeroot.so* which is loaded
> through the LD_PRELOAD mechanism of the dynamic loader.
> (See ld.so(8))
>
> Basically, we use fakeroot to run the following commands:
>
> makedevs
> tar cf rootfs.tar output/target
>
> And what makedevs does is that it reads some permission and device
> tables to create device files and adjust permissions. Those
> device/permission tables are constructed from system/device_table.txt
> (and system/device_table_dev.txt for devices) and also from individual
> package .mk files that use the <pkg>_PERMISSIONS and <pkg>_DEVICES
> mechanism. From package/busybox/busybox.mk:
>
> define BUSYBOX_PERMISSIONS
> /bin/busybox f 4755 0 0 - - - - -
> /usr/share/udhcpc/default.script f 755 0 0 - - - - -
> endef
>
> Here you see that we tell Buildroot to make Busybox a setuid binary.
>
> Does that answer your question?
>
> Best regards,
>
> Thomas
prev parent reply other threads:[~2013-06-29 17:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-29 0:47 [Buildroot] how does buildroot avoid requireing root? John Stile
2013-06-29 1:49 ` Charles Krinke
2013-06-29 8:49 ` Thomas Petazzoni
2013-06-29 17:08 ` John Stile [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1372525724.28302.168.camel@localhost \
--to=john@stilen.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox