Background:
Debugging Linux kernel 6.0 with qemu-system-x86_64. The start command line is as follows:
qemu-system-x86_64 -kernel ./bzImage -initrd ./rootfs.img -serial stdio -append " console=ttyS0 nokaslr"
The initrd rootfs.img is made from busybox-1.35.0 using the following commands:
$ make menuconfig #choose [*] Build static binary (no shared libs)
$ make && make install
$ cd _install
$ ls
bin linuxrc sbin usr
$ mkdir -p dev proc etc sys/kernel/debug sys/dev
$ vim init
The init file is filled with:
#!/bin/sh
echo "{==DBG==} INIT SCRIPT"
mkdir /tmp
mount -t proc none /proc
mount -t sysfs none /sys
mount -t debugfs none /sys/kernel/debug
mount -t tmpfs none /tmp
mdev -s
echo -e "{==DBG==} Boot took $(cut -d' ' -f1 /proc/uptime) seconds"
# normal user
setsid /bin/cttyhack setuidgid 1000 /bin/sh
$ find . | cpio -o --format=newc > ./rootfs.img
================================================================
The problem:
When I run qemu-system-x86_64 -kernel ./bzImage -initrd ./rootfs.img -serial stdio -append " console=ttyS0 nokaslr" to start qemu, it boots into the kernel successfully. But when I run "su" the problem occurs:
{==DBG==} INIT SCRIPT
{==DBG==} Boot took 2.63 seconds
/ $ su
su: must be suid to work properly
/ $
================================================================
What I tried:
I tried to google the problem, but only found results about escalating privileges.
Then I tried:
/ $ cd bin
/bin $ chmod u+s busybox
/bin $ ls -l busybox
-rwsr-xr-x 1 1000 1000 2408664 Oct 11 12:57 busybox
/bin $ su
su: must be suid to work properly
/bin $
Obviously the 'solution' failed.
================================================================
So what can I do to solve this problem? Or what causes this problem? Any help would be appreciated! Thanks in advance!
The suid bit that you added with chmod u+s busybox changes the current user to the owner of /bin/busybox, which as you can see is 1000.
So you want to change /bin/busybox to be owned by root:
$ chown root:root /bin/busybox
But you won't be able to do that from within your non-root shell; you must make this change in the root image rootfs.img.
It probably makes sense to have all files in the image owned by root. You don't need to change the ownership in the host file system, because you can do it while building the image:
$ find . | cpio -o --format=newc --owner=+0:+0 > ./rootfs.img
                                 ^^^^^^^^^^^^^
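As an added illustration, not code from the question or the answer: a small Python parser for the newc cpio format that cpio -o --format=newc writes, used to audit rootfs.img offline for the exact condition behind the error, a setuid entry owned by someone other than root (the owner is what the suid bit switches to, and busybox's su insists on an effective uid of 0). The two images below are constructed stand-ins; against a real archive, pass open("rootfs.img", "rb").read().

```python
# Added example (not from the question or answer): minimal parser for the SVR4 "newc"
# cpio format written by `cpio -o --format=newc`, auditing setuid entries' ownership.
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")
S_ISUID = 0o4000


def _pad4(n):
    return (4 - n % 4) % 4


def newc_entry(name, mode, uid, gid, data=b""):
    """Build one newc record: 110-byte ASCII-hex header, NUL-terminated name
    padded to a 4-byte boundary, then data padded to a 4-byte boundary."""
    nameb = name.encode() + b"\0"
    vals = dict(ino=0, mode=mode, uid=uid, gid=gid, nlink=1, mtime=0,
                filesize=len(data), devmajor=0, devminor=0, rdevmajor=0,
                rdevminor=0, namesize=len(nameb), check=0)
    hdr = b"070701" + b"".join(b"%08X" % vals[f] for f in FIELDS)
    hdr += nameb + b"\0" * _pad4(110 + len(nameb))
    return hdr + data + b"\0" * _pad4(len(data))


def parse_newc(blob):
    """Yield (name, mode, uid, gid) for each entry up to the TRAILER!!! record."""
    off = 0
    while off < len(blob):
        if blob[off:off + 6] != b"070701":
            raise ValueError("bad newc magic at offset %d" % off)
        f = {k: int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16)
             for i, k in enumerate(FIELDS)}
        name = blob[off + 110:off + 110 + f["namesize"] - 1].decode()
        off += 110 + f["namesize"]
        off += _pad4(off)                 # header+name is padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, f["mode"], f["uid"], f["gid"]
        off += f["filesize"]
        off += _pad4(off)                 # file data is padded to 4 bytes too


def setuid_not_root(blob):
    """Setuid entries whose owner is not uid 0. For such a file the suid bit
    switches to that uid, not to root, so busybox's su still sees a non-zero
    effective uid and prints 'must be suid to work properly'."""
    return ["%s (uid %d)" % (name, uid) for name, mode, uid, _gid in parse_newc(blob)
            if mode & S_ISUID and uid != 0]


# Constructed sample images (b"ELF" stands in for the real binary): the question's
# image, owned by 1000:1000 after chmod u+s, and the one built with --owner=+0:+0.
BAD_IMG = newc_entry("bin/busybox", 0o104755, 1000, 1000, b"ELF") + newc_entry("TRAILER!!!", 0, 0, 0)
GOOD_IMG = newc_entry("bin/busybox", 0o104755, 0, 0, b"ELF") + newc_entry("TRAILER!!!", 0, 0, 0)
```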
Related
I'm running in to what appears to be a bit of an odd one.
Base machine is Ubuntu 18.04. I'm experimenting with creating a custom initramfs + init script to use with custom compiled kernels that are being used with qemu instances.
From the directory I'm using as the base for the initramfs:
[~/initramfs] $ find .
.
./proc
./root
./dev
./dev/console
./dev/sda1
./dev/null
./dev/tty
./sbin
./init
./etc
./lib64
./mnt
./mnt/root
./lib
./bin
./bin/busybox
./sys
Just the basics needed for now. The busybox binary comes from the busybox-static package, and I've confirmed it's statically compiled:
[~/initramfs]$ ldd bin/busybox
not a dynamic executable
In the init script, I have:
#!/bin/busybox sh
mount -t proc none /proc
mount -t sysfs none /sys
echo "Hi there"
umount /sys
umount /proc
poweroff
From there, create an initramfs.gz:
find . -print0 | cpio --null --create --verbose --format=newc | pigz --best > ~/initramfs.gz
When I set that as the target initrd for qemu, kernel starts up as expected, then:
[ 0.777443] Run /init as init process
/init: line 3: mount: not found
/init: line 4: mount: not found
Hi there
/init: line 8: umount: not found
/init: line 9: umount: not found
/init: line 11: poweroff: not found
mount is part of busybox. So that's strange.
If I modify the init script and put in /bin/busybox sh as the first command to be executed, that gets me to a busybox shell as you'd expect.
[ 0.789949] Run /init as init process
BusyBox v1.27.2 (Ubuntu 1:1.27.2-2ubuntu3.2) built-in shell (ash)
Enter 'help' for a list of built-in commands.
sh: can't access tty; job control turned off
/ # [ 1.364618] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3
[ 1.386482] tsc: Refined TSC clocksource calibration: 3392.105 MHz
[ 1.388387] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x30e52cb7a6c, max_idle_ns: 440795310382 ns
[ 1.391965] clocksource: Switched to clocksource tsc
/ #
And then help shows:
/ # help
Built-in commands:
------------------
. : [ [[ alias bg break cd chdir command continue echo eval exec[ 71.772009] random: fast init done
exit export false fg getopts hash help history jobs kill let
local printf pwd read readonly return set shift source test times
trap true type ulimit umask unalias unset wait [ [[ acpid adjtimex
ar arp arping ash awk basename blkdiscard blockdev brctl bunzip2
bzcat bzip2 cal cat chgrp chmod chown chpasswd chroot chvt clear
cmp cp cpio crond crontab cttyhack cut date dc dd deallocvt depmod
devmem df diff dirname dmesg dnsdomainname dos2unix dpkg dpkg-deb
du dumpkmap dumpleases echo ed egrep env expand expr factor fallocate
false fatattr fdisk fgrep find fold free freeramdisk fsfreeze
fstrim ftpget ftpput getopt getty grep groups gunzip gzip halt
head hexdump hostid hostname httpd hwclock i2cdetect i2cdump
i2cget i2cset id ifconfig ifdown ifup init insmod ionice ip ipcalc
ipneigh kill killall klogd last less link linux32 linux64 linuxrc
ln loadfont loadkmap logger login logname logread losetup ls
lsmod lsscsi lzcat lzma lzop md5sum mdev microcom mkdir mkdosfs
mke2fs mkfifo mknod mkpasswd mkswap mktemp modinfo modprobe more
mount mt mv nameif nc netstat nl nproc nsenter nslookup od openvt
partprobe passwd paste patch pidof ping ping6 pivot_root poweroff
printf ps pwd rdate readlink realpath reboot renice reset rev
rm rmdir rmmod route rpm rpm2cpio run-parts sed seq setkeycodes
setpriv setsid sh sha1sum sha256sum sha512sum shred shuf sleep
sort ssl_client start-stop-daemon stat static-sh strings stty
su sulogin svc swapoff swapon switch_root sync sysctl syslogd
tac tail tar taskset tee telnet telnetd test tftp time timeout
top touch tr traceroute traceroute6 true truncate tty tunctl
ubirename udhcpc udhcpd uevent umount uname uncompress unexpand
uniq unix2dos unlink unlzma unshare unxz unzip uptime usleep
uudecode uuencode vconfig vi w watch watchdog wc wget which who
whoami xargs xxd xz xzcat yes zcat
So I go looking for mount, and discover which isn't found either. Oh, but it works if I prepend /bin/busybox to call it directly:
/ # type mount
mount is mount
/ # which mount
sh: which: not found
/ # /bin/busybox which mount
/ #
and I can execute the commands successfully if I add /bin/busybox to them:
/ # /bin/busybox mount -t proc none /proc
/ #
It seems really random what will and what won't work from busybox, what does and what doesn't get found, e.g. find is fine:
/ # find
.
./test
./sys
./bin
./bin/busybox
./lib
./mnt
./mnt/root
./lib64
./etc
./init
./sbin
./proc
./root
./dev
./dev/tty
./dev/null
./dev/sda1
./dev/console
I can work around this by prepending every command in the init file with /bin/busybox, but I'd really rather not if I don't have to!
You have to symlink all the applets you want, e.g. ln -s /bin/busybox /bin/mount. See USAGE in the busybox docs:
USAGE
BusyBox is a multi-call binary. A multi-call binary is an
executable program that performs the same job as more than one utility
program. That means there is just a single BusyBox binary, but that
single binary acts like a large number of utilities. This allows
BusyBox to be smaller since all the built-in utility programs (we call
them applets) can share code for many common operations.
You can also invoke BusyBox by issuing a command as an argument on the
command line. For example, entering
/bin/busybox ls
will also cause BusyBox to behave as 'ls'.
Of course, adding '/bin/busybox' into every command would be painful.
So most people will invoke BusyBox using links to the BusyBox binary.
For example, entering
ln -s /bin/busybox ls
./ls
will cause BusyBox to behave as 'ls' (if the 'ls' command has been compiled into BusyBox). Generally speaking, you should never
need to make all these links yourself, as the BusyBox build system
will do this for you when you run the 'make install' command.
If you invoke BusyBox with no arguments, it will provide you with a
list of the applets that have been compiled into your BusyBox binary.
The commands that happen to work without it are the ones implemented as fork-free, which can therefore be invoked as builtins.
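As an added illustration of the fix above (not code from the question or the answer): a POSIX shell helper that populates an initramfs staging tree with one symlink per applet, plus a check that counts them. BusyBox can do the same for every compiled-in applet with busybox --install -s DIR; doing it by hand for a chosen set keeps the image small and the result verifiable. The fake busybox in the demo is a constructed stand-in for the static binary.

```sh
#!/bin/sh
# Added example (not from the question or answer): create one symlink per
# BusyBox applet in an initramfs staging tree so that /init can call mount,
# umount, poweroff... by name through PATH, the fix described in the answer.
# Assumes the static busybox binary is already at <staging-root>/bin/busybox.

# make_applet_links <staging-root> <applet>...
make_applet_links() {
    bindir="$1/bin"; shift
    [ -x "$bindir/busybox" ] || { echo "no executable $bindir/busybox" >&2; return 1; }
    for applet in "$@"; do
        [ "$applet" = busybox ] && continue          # never replace the real binary
        # relative target, so the link still resolves after switch_root
        ln -sf busybox "$bindir/$applet" || return 1
    done
}

# count_applet_links <staging-root>: how many names in bin/ point at busybox
count_applet_links() {
    n=0
    for f in "$1"/bin/*; do
        [ -L "$f" ] && [ "$(readlink "$f")" = busybox ] && n=$((n + 1))
    done
    echo "$n"
}

# Demo on a throwaway tree. A tiny script stands in for busybox: like the real
# multi-call binary it decides what to do from the name it was invoked as.
demo() {
    stage=$(mktemp -d)
    mkdir -p "$stage/bin"
    printf '#!/bin/sh\necho "busybox acting as: ${0##*/}"\n' > "$stage/bin/busybox"
    chmod 755 "$stage/bin/busybox"
    make_applet_links "$stage" sh mount umount poweroff which
    "$stage/bin/mount" -t proc none /proc       # -> busybox acting as: mount
    echo "$(count_applet_links "$stage") applet links created"
    rm -rf "$stage"
}
demo
```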
Could someone please explain to me why this happens?
# su - someone -s /bin/bash -c "ls -la /dev/tty"
crw-rw-rw- 1 nobody nogroup 5, 0 Dec 7 20:53 /dev/tty
# BUT:
# su - someone -s /bin/bash -c "echo hello > /dev/tty"
-su: /dev/tty: No such device or address
I'm trying to build a Docker container which has two services inside. Those services are started by a shell script:
CMD ["./starter.sh"]
Within the Dockerfile I have redirected the logs to /dev/stderr or /dev/tty
# None of the following works:
RUN ln -sf /dev/tty /var/log/thelog.log
RUN ln -sf /dev/stdout /var/log/thelog.log
RUN ln -sf /dev/stderr /var/log/thelog.log
The problem is that I'm trying to run one of the services as not root (su - someone -c "service"), which gives the following error:
unable to open log file [/var/log/thelog.log]: [6] No such device or address
How could I solve this problem? I want the logs to be linked to /dev/* AND want to run the user as non-root. I also tried to add the user to the group tty, which did not work out.
Thanks.
The manpage for su states that the executed command will have no controlling terminal. Any writes to /dev/tty will return the ENXIO error:
$ errno ENXIO
ENXIO 6 No such device or address
sudo does allocate a controlling terminal:
sudo -u someone /bin/bash -c "echo hello > /dev/tty"
There's no need for you to make a symbolic link to /dev/tty (/dev/stdout and /dev/stderr are enough) or to use sudo if you use the USER directive in the Dockerfile or supervisor.
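As an added illustration for both su questions above (not part of the original posts): a small C program that reproduces the situation su -c puts a command in, a new session with no controlling terminal, and shows the resulting errno from opening /dev/tty, plus a fallback that keeps logging working through stderr, which is what the Dockerfile symlink should target.

```c
/* Added example (not from the question or answer): reproduce why a command run
 * via `su -c` gets ENXIO on /dev/tty. su runs it in a new session with no
 * controlling terminal; setsid() in a child puts this program there too. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open /dev/tty for writing; return 0 on success, otherwise the errno value. */
static int try_dev_tty(void) {
    int fd = open("/dev/tty", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Call try_dev_tty() in a child that first calls setsid(), detaching it from
 * any controlling terminal. Returns the child's errno (0 = open succeeded),
 * or -1 if fork/wait failed. On Linux the expected result is ENXIO (6). */
int dev_tty_errno_without_ctty(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0) _exit(255); /* a fresh child is never a group leader */
        _exit(try_dev_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Log destination that survives losing the terminal: /dev/tty when the process
 * has one, otherwise stderr (the target the Dockerfile symlink should use).
 * The caller owns the returned descriptor. */
int choose_log_fd(void) {
    int fd = open("/dev/tty", O_WRONLY | O_CLOEXEC);
    return fd >= 0 ? fd : STDERR_FILENO;
}

int main(void) {
    int e = dev_tty_errno_without_ctty();
    printf("open(/dev/tty) after setsid(): %s (errno %d)\n", e ? strerror(e) : "ok", e);
    const char msg[] = "log line written via choose_log_fd()\n";
    if (write(choose_log_fd(), msg, sizeof msg - 1) < 0) return 1;
    return 0;
}
```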
I can't understand how exactly this works in Linux.
For example, I want only users in some group to have access to execute some file (I hope this is possible without visudo).
I create a system user and system group like:
useradd -K UID_MIN=100 -K UID_MAX=499 -K GID_MIN=100 -K GID_MAX=499 -p \* -s /sbin/nologin -c "testusr daemon,,," -d "/var/testusr" testusr
I add my current user, user, to the group testusr (this may not be cross-platform):
adduser user testusr
I create some test shell file and set permissions:
touch test.sh
chmod ug+x test.sh
sudo chown testusr:testusr test.sh
But I still can't start test.sh as user:
./test.sh
-> Error
Now I look for some system groups like cdrom to check how they work. My user is in the cdrom group and can use the CD-ROM drive on my computer:
$ ls -al /dev/cdrom
lrwxrwxrwx 1 root root 3 апр. 17 12:55 /dev/cdrom -> sr0
$ ls -al /dev/sr0
brw-rw----+ 1 root cdrom 11, 0 апр. 17 12:55 /dev/sr0
Addition:
./test.sh command starts to work as I want after system reboot. Strange...
I'm on Ubuntu Studio 15.10
The group changes are reflected only upon re-login.
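As an added illustration of the answer (not code from the question or the answer): a Python check that compares the memberships recorded in the group database with the supplementary gids a running process actually carries, together with the classic mode-bit check that explains why test.sh is refused until the new gid is present. The group database and gid lists below are constructed to mirror the question; check_current_process() runs the same comparison against the live system.

```python
# Added example (not from the question or answer): why ./test.sh only works
# after a new login. Supplementary groups are copied into the process at login;
# editing /etc/group does not touch running sessions, and the classic mode-bit
# check picks ONE class (owner, else group, else other), so a user not yet in
# the file's group is judged by the "other" bits.
import grp
import os
import pwd
from collections import namedtuple

# Same field names as grp.struct_group, so real entries and constructed ones mix.
Group = namedtuple("Group", "gr_name gr_passwd gr_gid gr_mem")
S_IXUSR, S_IXGRP, S_IXOTH = 0o100, 0o010, 0o001


def groups_in_db(username, group_db):
    """Groups that list `username` as a member in the group database."""
    return {g.gr_name for g in group_db if username in g.gr_mem}


def groups_held(proc_gids, group_db):
    """Group names behind the gids the running process actually carries."""
    by_gid = {g.gr_gid: g.gr_name for g in group_db}
    return {by_gid.get(gid, str(gid)) for gid in proc_gids}


def pending_groups(username, proc_gids, group_db):
    """Memberships granted on disk but not yet in effect for this process.
    They apply after re-login (or `su - user`, `newgrp`, `sg`)."""
    return sorted(groups_in_db(username, group_db) - groups_held(proc_gids, group_db))


def may_execute(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix permission check for execute (no ACLs, no root override)."""
    if uid == owner_uid:
        return bool(mode & S_IXUSR)
    if owner_gid in gids:
        return bool(mode & S_IXGRP)
    return bool(mode & S_IXOTH)


def check_current_process():
    """Run the pending-group check against the real system databases."""
    me = pwd.getpwuid(os.getuid()).pw_name
    return pending_groups(me, os.getgroups(), grp.getgrall())


# Constructed sample mirroring the question: the group file already lists `user`
# in testusr, but the session that ran `adduser` still carries only the gids it
# logged in with. test.sh is 0754 (touch, then chmod ug+x) owned by testusr:testusr.
GROUP_DB = [Group("user", "x", 1000, []), Group("cdrom", "x", 24, ["user"]),
            Group("testusr", "x", 499, ["user"])]
BEFORE_RELOGIN = [1000, 24]
AFTER_RELOGIN = [1000, 24, 499]
```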
Trying to run a script on Ubuntu 14.04.
$ bash MirroirHome
runs fine
but
$ ./MirroirHome
bash: ./MirroirHome: Permission denied
$ ls -l
total 32
-rwxr-xr-x 1 gerald gerald 214 nov 14 15:44 MirroirHome
I am the owner of the file and the permission bit is on, so what is going on?
Here is the script in case it matters.
#!/bin/bash
rsync \
--archive \
--verbose \
--compress \
--update \
--delete \
/home/ /media/Data/MirroirHome
This can happen if the partition is mounted with the noexec flag on. You can verify this by running mount: find the partition in the output, and in the list of flags there will probably be noexec.
To resolve this, remount the partition without the noexec flag. Or, copy the script to another partition that's already mounted without noexec.
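As an added illustration of that check (not code from the question or the answer): a POSIX shell helper that parses the options column of /proc/self/mounts for the mount holding a file and reports whether noexec is set. The mount table used in the demo is a constructed sample in /proc/mounts format; check_script uses GNU stat's %m to find the mount point of a real file.

```sh
#!/bin/sh
# Added example (not from the question or answer): detect whether a script sits
# on a filesystem mounted noexec, the cause the answer points to. The kernel
# refuses execve() on such a mount (hence "Permission denied" despite rwx),
# while "bash script" only read()s the file and therefore still works.

# has_noexec <mount-options>: succeed if the comma-separated list has noexec
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# opts_for_mountpoint <mountpoint> [mounts-file]: options column of that mount.
# /proc/self/mounts format: device mountpoint fstype options dump pass
# (mount points containing spaces appear octal-escaped, e.g. \040).
opts_for_mountpoint() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/self/mounts}"
}

# check_script <path>: verdict for the mount holding <path> (GNU stat %m).
check_script() {
    mp=$(stat -c %m -- "$1") || return 2
    opts=$(opts_for_mountpoint "$mp")
    if has_noexec "$opts"; then
        echo "$1: on $mp ($opts): noexec, so ./$1 fails; mount -o remount,exec $mp or move it"
        return 1
    fi
    echo "$1: on $mp ($opts): exec allowed"
}

# Constructed sample of /proc/mounts content, written to a temp file so the
# parser can be exercised without depending on the host's real mounts.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/Data ext4 rw,nosuid,nodev,noexec,relatime 0 0'
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$sample_file"
opts_for_mountpoint /media/Data "$sample_file"      # rw,nosuid,nodev,noexec,relatime
```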
I am building my own Debian-based Linux with my own kernel and software. One of the last steps of the make process has to be done in a chrooted environment:
Install the custom kernel using dpkg
Create symbolic links to the kernel and initrd.img
Execute ldconfig
Set my custom theme for the splash screen using plymouth
Update the initrd.img
While the installation of the kernel succeeds and the symbolic links are actually created, all other commands do not seem to work. If I boot into the system the splash screen is set to the default and the initrd.img can find neither the HDD nor the kernel. So the updating of the initrd.img inside the dpkg installation process seems to fail somehow. The plymouth script to set the theme does not work either.
To fix this, I manually chroot into the system and do the following:
Set my custom theme for the splash screen using plymouth
Execute ldconfig
Update the initrd.img
This works perfectly fine. Next time I boot the system, my splash screen is shown and everything starts properly.
Here is my approach to get this done in my Makefile:
cp $(INTEGRATION_KERNEL_IMAGE) $(ROOTFS)/tmp/kernel.deb
cd $(ROOTFS); /usr/bin/sudo /bin/mount -t proc proc proc/; /usr/bin/sudo /bin/mount -t sysfs sys sys/; /usr/bin/sudo /bin/mount -o bind /dev dev/
/usr/sbin/chroot --userspec=0:0 $(ROOTFS) /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root bash -c "/usr/bin/dpkg --force-not-root -i /tmp/kernel.deb"
/usr/sbin/chroot --userspec=0:0 $(ROOTFS) /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root bash -c "/bin/ln -nsf vmlinuz-3.2.54-rt75custom /boot/vmlinuz"
/usr/sbin/chroot --userspec=0:0 $(ROOTFS) /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root bash -c "/bin/ln -nsf initrd.img-3.2.54-rt75custom /boot/initrd.img"
/usr/sbin/chroot --userspec=0:0 $(ROOTFS) /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root bash -c "/sbin/ldconfig"
/usr/sbin/chroot --userspec=0:0 $(ROOTFS) /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root bash -c "/bin/bash /usr/sbin/plymouth-set-default-theme my_theme"
/usr/sbin/chroot --userspec=0:0 $(ROOTFS) /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root bash -c "/bin/bash /usr/sbin/update-initramfs -u"
/usr/bin/sudo /bin/umount $(ROOTFS)/proc; /usr/bin/sudo /bin/umount $(ROOTFS)/sys; /usr/bin/sudo /bin/umount $(ROOTFS)/dev
The output of make does not provide any errors on this topic. Well, it possibly cannot do this because make does not know what is going on inside the chrooted environment. But how can I find out what is going wrong?
A possible workaround would be to put everything I mentioned above in a shell script and execute this in the chrooted environment. But I would prefer to do everything in the Makefile and I do not know if the workaround really works. I have not verified this yet.
Have you tried saving command output in the chroot environment and extracting it later? For example:
/usr/sbin/chroot [...] bash -c "/usr/bin/dpkg [...] >> /root/chroot.log"
or
/usr/sbin/chroot [...] bash -c "/usr/bin/dpkg [...] | tee -a /root/chroot.log"
followed by
cp $(ROOTFS)/root/chroot.log .
In the long run I would suggest avoiding code duplication and Makefile clutter, either by passing everything in a single chroot command or by copying over a script.
You should be able to get rid of most or all of the bash -c and /bin/bash invocations. That should simplify things even more.
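As an added illustration combining both suggestions above (not code from the question or the answer): a POSIX shell helper that generates one step script inside the root filesystem, runs it through a single chroot with set -e and a log file, and propagates the exit status so the Makefile recipe fails at the first broken step instead of continuing silently. The demo swaps in a stand-in for chroot so it runs unprivileged; CHROOT, write_step_script and run_in_chroot are names chosen here.

```sh
#!/bin/sh
# Added example (not from the question or answer): run all chroot steps from
# one generated script that aborts at the first failure and logs every step,
# so make sees a non-zero exit instead of silently moving on.
# CHROOT is the command used to enter the root filesystem; the default is the
# question's invocation, the demo below swaps in an unprivileged stand-in.
: "${CHROOT:=/usr/sbin/chroot --userspec=0:0}"

# write_step_script <host-path-of-script> <logfile-as-seen-inside-chroot> <step>...
# Steps are plain command lines (no bash -c wrapping needed; avoid double quotes).
write_step_script() {
    out=$1 log=$2; shift 2
    {
        echo '#!/bin/sh'
        echo 'set -e                    # stop at the first failing step'
        echo "exec >>'$log' 2>&1       # every step's output lands in the log"
        for step in "$@"; do
            echo "echo \"=== \$(date +%T) $step\""
            echo "$step"
        done
        echo 'echo "=== all steps succeeded"'
    } > "$out"
    chmod 755 "$out"
}

# run_in_chroot <rootfs> <script-path-as-seen-inside-chroot>
# Returns the step script's exit status so a Makefile recipe fails too.
run_in_chroot() {
    $CHROOT "$1" /usr/bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin HOME=/root sh "$2"
    status=$?
    echo "chroot steps exited with status $status; log kept under $1" >&2
    return "$status"
}
# Real use from the Makefile, after the proc/sys/dev mounts:
#   write_step_script $(ROOTFS)/root/steps.sh /root/chroot.log \
#     '/usr/bin/dpkg --force-not-root -i /tmp/kernel.deb' '/sbin/ldconfig' ...
#   run_in_chroot $(ROOTFS) /root/steps.sh

# Demo without privileges: the stand-in ignores the root argument and runs the
# command on the host, so host paths are used for both script and log.
fake_chroot() { shift; "$@"; }
demo() {
    root=$(mktemp -d); mkdir -p "$root/root"
    write_step_script "$root/root/steps.sh" "$root/root/chroot.log" \
        'echo installing kernel package' 'false' 'echo never reached'
    CHROOT=fake_chroot run_in_chroot "$root" "$root/root/steps.sh" || true
    cat "$root/root/chroot.log"; rm -rf "$root"
}
demo
```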