* [PATCH] busybox: do not build SUID binary without an applet
From: Jörg Sommer @ 2026-03-30 21:26 UTC (permalink / raw)
To: openembedded-core, joerg.sommer; +Cc: Jörg Sommer
From: Jörg Sommer <joerg.sommer@navimatix.de>
If the merge of all config snippets leads to a SUID binary without any
applets, do not build and install it to reduce the SUID binaries in the
system.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
---
meta/recipes-core/busybox/busybox.inc | 31 +++++++++++++++------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 355c019738..be11264459 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -172,6 +172,10 @@ do_compile() {
oe_runmake busybox.cfg.suid
oe_runmake busybox.cfg.nosuid
+ if [ -s busybox.cfg.suid ]; then
+ with_suid=y
+ fi
+
# workaround for suid bug 10346
if ! grep -q "CONFIG_SH_IS_NONE" busybox.cfg.nosuid; then
echo "CONFIG_SH_IS_NONE" >> busybox.cfg.suid
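Review bot: `with_suid` is never initialized before the `if [ -s busybox.cfg.suid ]` test, so a variable of that name inherited from the task's shell environment would silently re-enable the SUID build through the `${with_suid:+...}` expansions later in do_compile; add `with_suid=` just before the test. The test is also placed, deliberately, before the bug-10346 workaround that appends `CONFIG_SH_IS_NONE` to busybox.cfg.suid (after that append the file is never empty); a one-line comment stating that ordering would stop a later reordering from defeating the check.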
@@ -182,7 +186,7 @@ do_compile() {
done
merge_config.sh -m .config.orig .config.disable.apps
cp .config .config.nonapps
- for s in suid nosuid; do
+ for s in ${with_suid:+suid} nosuid; do
cat busybox.cfg.$s | while read item; do
grep -w "$item" .config.orig
done > .config.app.$s
@@ -206,7 +210,7 @@ do_compile() {
fi
# cleanup
- rm .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
+ rm ${with_suid:+.config.app.suid} .config.app.nosuid .config.disable.apps .config.nonapps
else
oe_runmake busybox_unstripped
cp busybox_unstripped busybox
@@ -245,9 +249,13 @@ do_install () {
# can run. Let update-alternatives handle the rest.
install -d ${D}${base_bindir}
if [ "${BUSYBOX_SPLIT_SUID}" = "1" ]; then
- install -m 4755 ${B}/busybox.suid ${D}${base_bindir}
+ if [ -e ${B}/busybox.suid ]; then
+ install -m 4755 ${B}/busybox.suid ${D}${base_bindir}
+ fi
install -m 0755 ${B}/busybox.nosuid ${D}${base_bindir}
- install -m 0644 ${S}/busybox.links.suid ${D}${sysconfdir}
+ if [ -e ${S}/busybox.links.suid ]; then
+ install -m 0644 ${S}/busybox.links.suid ${D}${sysconfdir}
+ fi
install -m 0644 ${S}/busybox.links.nosuid ${D}${sysconfdir}
if grep -q "CONFIG_SH_IS_ASH=y" ${B}/.config; then
ln -sf busybox.nosuid ${D}${base_bindir}/sh
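Review bot: `[ -e ${S}/busybox.links.suid ]` only checks existence, while do_compile decides on `-s busybox.cfg.suid`; if the links file is still generated as an empty file when no SUID applet is configured, it is installed regardless and the packaging code later iterates an empty list for busybox.suid. Using `-s` here (and for `${B}/busybox.suid`) keeps the install decision aligned with the compile decision.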
@@ -388,9 +396,11 @@ python do_package:prepend () {
dvar = d.getVar('D')
pn = d.getVar('PN')
- def set_alternative_vars(links, target):
- links = d.expand(links)
- target = d.expand(target)
+ for suffix in ('', '.suid', '.nosuid'):
+ links = d.expand("${sysconfdir}/busybox.links" + suffix)
+ if not os.path.exists(links):
+ continue
+ target = d.expand("${base_bindir}/busybox" + suffix)
f = open('%s%s' % (dvar, links), 'r')
for alt_link_name in f:
alt_link_name = alt_link_name.strip()
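Review bot: `os.path.exists(links)` at the top of the loop checks the build host's filesystem, not the package staging directory: `links` is `${sysconfdir}/busybox.links<suffix>` without the `dvar` prefix that the unchanged `open('%s%s' % (dvar, links), 'r')` line below applies. On a host without /etc/busybox.links.nosuid every iteration hits `continue`, no `ALTERNATIVE_TARGET` flags are set, and no applet links end up in the image; test `os.path.exists('%s%s' % (dvar, links))` instead, or build the full staging path once and use it for both the check and the `open()`.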
@@ -406,13 +416,6 @@ python do_package:prepend () {
if os.path.exists('%s%s' % (dvar, target)):
d.setVarFlag('ALTERNATIVE_TARGET', alt_name, target)
f.close()
- return
-
- if os.path.exists('%s/etc/busybox.links' % (dvar)):
- set_alternative_vars("${sysconfdir}/busybox.links", "${base_bindir}/busybox")
- else:
- set_alternative_vars("${sysconfdir}/busybox.links.nosuid", "${base_bindir}/busybox.nosuid")
- set_alternative_vars("${sysconfdir}/busybox.links.suid", "${base_bindir}/busybox.suid")
}
# This part of code is dedicated to the on target upgrade problem. It's known
--
2.53.0
* Re: [OE-core] [PATCH] busybox: do not build SUID binary without an applet
From: Mathieu Dubois-Briand @ 2026-03-31 8:26 UTC (permalink / raw)
To: joerg.sommer, openembedded-core
On Mon Mar 30, 2026 at 11:26 PM CEST, Jörg Sommer via lists.openembedded.org wrote:
> From: Jörg Sommer <joerg.sommer@navimatix.de>
>
> If the merge of all config snippets leads to a SUID binary without any
> applets, do not build and install it to reduce the SUID binaries in the
> system.
>
> Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
> ---
Hi Jörg,
Thanks for your patch.
It looks like this is making tests fail, as some busybox applets are not
found in test images:
Traceback (most recent call last):
File "/srv/pokybuild/yocto-worker/qemux86-alt/build/layers/openembedded-core/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
return func(*args, **kwargs)
File "/srv/pokybuild/yocto-worker/qemux86-alt/build/layers/openembedded-core/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
return func(*args, **kwargs)
File "/srv/pokybuild/yocto-worker/qemux86-alt/build/layers/openembedded-core/meta/lib/oeqa/runtime/cases/ssh.py", line 36, in test_ssh
self.fail("uname failed with \"%s\" (exit code %s)" % (output, status))
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: uname failed with "sh: uname: not found" (exit code 127)
https://autobuilder.yoctoproject.org/valkyrie/#/builders/20/builds/3462
https://autobuilder.yoctoproject.org/valkyrie/#/builders/95/builds/3451
https://autobuilder.yoctoproject.org/valkyrie/#/builders/9/builds/3475
/bin/start_getty: line 9: readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 9: readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 9: readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 9: /bin/start_getty: readlink: not foundline 9:
readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 9: readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
INIT: Id "S0" respawning too fast: disabled for 5 minutes
/bin/start_getty: line 9: readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
/bin/start_getty: line 9: readlink: not found
/bin/start_getty: line 20: /sbin/getty: not found
https://autobuilder.yoctoproject.org/valkyrie/#/builders/11/builds/3461
Can you have a look at the issue?
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [PATCH v2] busybox: do not build SUID binary without an applet
From: Jörg Sommer @ 2026-03-31 18:23 UTC (permalink / raw)
To: openembedded-core, mathieu.dubois-briand, joerg.sommer
Cc: Mathieu Dubois-Briand, Jörg Sommer
From: Jörg Sommer <joerg.sommer@navimatix.de>
If the merge of all config snippets leads to a SUID binary without any
applets, do not build and install it to reduce the SUID binaries in the
system.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
---
meta/recipes-core/busybox/busybox.inc | 35 +++++++++++++++------------
1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index 355c019738..e03960a295 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -172,6 +172,10 @@ do_compile() {
oe_runmake busybox.cfg.suid
oe_runmake busybox.cfg.nosuid
+ if [ -s busybox.cfg.suid ]; then
+ with_suid=y
+ fi
+
# workaround for suid bug 10346
if ! grep -q "CONFIG_SH_IS_NONE" busybox.cfg.nosuid; then
echo "CONFIG_SH_IS_NONE" >> busybox.cfg.suid
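Review bot: `with_suid` is still not initialized before `if [ -s busybox.cfg.suid ]`; set `with_suid=` first so that `${with_suid:+suid}` in the loop below cannot pick up a stale value from the environment, and add a comment that the emptiness test intentionally precedes the `CONFIG_SH_IS_NONE` workaround, which appends to busybox.cfg.suid.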
@@ -182,7 +186,7 @@ do_compile() {
done
merge_config.sh -m .config.orig .config.disable.apps
cp .config .config.nonapps
- for s in suid nosuid; do
+ for s in ${with_suid:+suid} nosuid; do
cat busybox.cfg.$s | while read item; do
grep -w "$item" .config.orig
done > .config.app.$s
@@ -206,7 +210,7 @@ do_compile() {
fi
# cleanup
- rm .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
+ rm ${with_suid:+.config.app.suid} .config.app.nosuid .config.disable.apps .config.nonapps
else
oe_runmake busybox_unstripped
cp busybox_unstripped busybox
@@ -245,9 +249,13 @@ do_install () {
# can run. Let update-alternatives handle the rest.
install -d ${D}${base_bindir}
if [ "${BUSYBOX_SPLIT_SUID}" = "1" ]; then
- install -m 4755 ${B}/busybox.suid ${D}${base_bindir}
+ if [ -e ${B}/busybox.suid ]; then
+ install -m 4755 ${B}/busybox.suid ${D}${base_bindir}
+ fi
install -m 0755 ${B}/busybox.nosuid ${D}${base_bindir}
- install -m 0644 ${S}/busybox.links.suid ${D}${sysconfdir}
+ if [ -e ${S}/busybox.links.suid ]; then
+ install -m 0644 ${S}/busybox.links.suid ${D}${sysconfdir}
+ fi
install -m 0644 ${S}/busybox.links.nosuid ${D}${sysconfdir}
if grep -q "CONFIG_SH_IS_ASH=y" ${B}/.config; then
ln -sf busybox.nosuid ${D}${base_bindir}/sh
@@ -388,10 +396,14 @@ python do_package:prepend () {
dvar = d.getVar('D')
pn = d.getVar('PN')
- def set_alternative_vars(links, target):
- links = d.expand(links)
- target = d.expand(target)
- f = open('%s%s' % (dvar, links), 'r')
+ links_prefix = d.expand("${D}${sysconfdir}/busybox.links")
+ target_prefix = d.expand("${base_bindir}/busybox")
+ for suffix in ('', '.suid', '.nosuid'):
+ links = links_prefix + suffix
+ if not os.path.exists(links):
+ continue
+ target = target_prefix + suffix
+ f = open(links, 'r')
for alt_link_name in f:
alt_link_name = alt_link_name.strip()
alt_name = os.path.basename(alt_link_name)
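Review bot: with `links_prefix` built from `${D}${sysconfdir}` the existence check and `open(links, 'r')` now agree on the staging path, which is consistent with the `'%s%s' % (dvar, target)` check further down. Two style points: `f = open(links, 'r')` paired with the `f.close()` at the end of the loop body leaves the file open if anything in between raises; `with open(links) as f:` is the idiomatic form. And since `links` is a staging path while `target` remains an on-target path that is only prefixed with `dvar` for the existence test, a short comment saying so would keep the two from being mixed up again.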
@@ -406,13 +418,6 @@ python do_package:prepend () {
if os.path.exists('%s%s' % (dvar, target)):
d.setVarFlag('ALTERNATIVE_TARGET', alt_name, target)
f.close()
- return
-
- if os.path.exists('%s/etc/busybox.links' % (dvar)):
- set_alternative_vars("${sysconfdir}/busybox.links", "${base_bindir}/busybox")
- else:
- set_alternative_vars("${sysconfdir}/busybox.links.nosuid", "${base_bindir}/busybox.nosuid")
- set_alternative_vars("${sysconfdir}/busybox.links.suid", "${base_bindir}/busybox.suid")
}
# This part of code is dedicated to the on target upgrade problem. It's known
--
2.53.0