[v2,1/2] classes/sanity: check for suid root command evility

Submitted by Paul Eggleton on Aug. 1, 2013, 5:17 p.m.


Message ID deb18987e98b4da42468cd8162ec9dd88e0d83ba.1375377305.git.paul.eggleton@linux.intel.com
State Accepted
Commit 08d61529f3c7a48ec82e1f8c9c28c7b2e5238934
Headers show

Commit Message

Paul Eggleton Aug. 1, 2013, 5:17 p.m.
Some users have been found to have an unnamed third-party piece of
software installed which sets chmod, chown and mknod as suid root as
part of its installation process. This interferes with the operation of
pseudo and can result in files really being owned by root within the
build output, and therefore breaks the build, apart from being a
security issue. Check for this and bail out if it is found.

Reported-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
 meta/classes/sanity.bbclass | 10 ++++++++++
 1 file changed, 10 insertions(+)

Patch hide | download patch | download mbox

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 08ab1b7..cc67490 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -530,6 +530,16 @@  def check_sanity_version_change(status, d):
     tmpdir = d.getVar('TMPDIR', True)
     status.addresult(check_create_long_filename(tmpdir, "TMPDIR"))
+    # Some third-party software apparently relies on chmod etc. being suid root (!!)
+    import stat
+    suid_check_bins = "chown chmod mknod".split()
+    for bin_cmd in suid_check_bins:
+        bin_path = bb.utils.which(os.environ["PATH"], bin_cmd)
+        if bin_path:
+            bin_stat = os.stat(bin_path)
+            if bin_stat.st_uid == 0 and bin_stat.st_mode & stat.S_ISUID:
+                status.addresult('%s has the setuid bit set. This interferes with pseudo and may cause other issues that break the build process.\n' % bin_path)
     # Check that we can fetch from various network transports
     netcheck = check_connectivity(d)