From cbf60bec6ff900e6759b439b782c8cef163b3046 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 24 May 2022 16:26:40 +0200 Subject: [PATCH 1/2] configure.ac: check for sandbox-shell's FEATURE_SH_STANDALONE See also: https://bugs.archlinux.org/task/73998. Busybox's FEATURE_SH_STANDALONE feature causes other busybox applets to leak into the sandbox, where system() calls will start preferring them over tools in $PATH. On arch, this even includes `ar`. Let's check for this evil feature and disallow using this as a sandbox shell. --- configure.ac | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/configure.ac b/configure.ac index 8a01c33ec..715c70de1 100644 --- a/configure.ac +++ b/configure.ac @@ -294,6 +294,17 @@ esac AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]), sandbox_shell=$withval) AC_SUBST(sandbox_shell) +if ! test -z ${sandbox_shell+x}; then + AC_MSG_CHECKING([whether sandbox-shell has the standalone feature]) + # busybox shell sometimes allows executing other busybox applets, + # even if they are not in the path, breaking our sandbox + if PATH= $sandbox_shell -c "busybox" 2>&1 | grep -qv "not found"; then + AC_MSG_RESULT(enabled) + AC_MSG_ERROR([Please disable busybox FEATURE_SH_STANDALONE]) + else + AC_MSG_RESULT(disabled) + fi +fi # Expand all variables in config.status. test "$prefix" = NONE && prefix=$ac_default_prefix From 7e52472759bfecbbfc9146fd0992361ea930f195 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 24 May 2022 17:00:27 +0200 Subject: [PATCH 2/2] configure.ac: don't run sandbox-shell test when cross compiling --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 715c70de1..789dfdb3c 100644 --- a/configure.ac +++ b/configure.ac 
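Review bot: The probe `PATH= $sandbox_shell -c "busybox" 2>&1 | grep -qv "not found"` reports "enabled" whenever any output line lacks the words "not found", so a --with-sandbox-shell path that does not exist or is not executable makes the configure shell print a "No such file or directory" message and configure then aborts with the misleading "Please disable busybox FEATURE_SH_STANDALONE" error. Guard the probe with an executability check before it, `test -x "$sandbox_shell" || AC_MSG_ERROR([sandbox-shell $sandbox_shell is not executable])`, and quote the expansion as `"$sandbox_shell"` so a path containing spaces is passed as one argument. The `-v` inversion also turns any multi-line diagnostic into a hit; whether every busybox build prints exactly one "not found" line is not visible here, so the exact match text is an assumption worth recording in the existing comment.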
@@ -294,7 +294,7 @@ esac
 AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]),
 sandbox_shell=$withval)
 AC_SUBST(sandbox_shell)
-if ! test -z ${sandbox_shell+x}; then
+if test ${cross_compiling:-no} = no && ! test -z ${sandbox_shell+x}; then
 AC_MSG_CHECKING([whether sandbox-shell has the standalone feature])
 # busybox shell sometimes allows executing other busybox applets,
 # even if they are not in the path, breaking our sandbox
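Review bot: When cross compiling, the FEATURE_SH_STANDALONE check is now skipped silently, so a busybox sandbox shell with the feature enabled can still be configured in and nothing in the configure log records that the check did not run. Emitting a warning in that case, e.g. `AC_MSG_WARN([not checking sandbox-shell for FEATURE_SH_STANDALONE when cross compiling])` in an `elif test -n "${sandbox_shell+x}"; then` branch before the closing `fi`, keeps the skip visible to whoever reads the log. As a point of style, `! test -z ${sandbox_shell+x}` is a double negative; `test -n "${sandbox_shell+x}"` states the same condition directly and quotes the expansion. The body of this `if` and its closing `fi` continue outside the hunk.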