mordak / playbook-dev-tools

gcc for the Blackberry Playbook, and maybe some other stuff..
55 stars 32 forks source link

Add mtr #16

Closed KireinaHoro closed 7 years ago

KireinaHoro commented 7 years ago

Ported mtr. (The header files sucks, though)

KireinaHoro commented 7 years ago

Zip seems to be eating setcap, setuid and uid settings.

mordak commented 7 years ago

It probably isn't zip - it is probably the kernel. An unprivileged process cannot create setuid files, or else privilege escalation would be trivial. When zip is unpacking files it tries to create them with the same permissions as the original, but since it is unprivileged (in the sandbox), it can only create files as itself and cannot setuid, so the files come out with their setuid and uid settings as unprivileged.

At least, that is the behavior I have seen before. I assume that mtr requires setuid root in order to get raw sockets for ICMP?

KireinaHoro commented 7 years ago
                                                                                  I've tried to deflate the zip directly, and get a normal mtr. It didn't work (mtr says that "mtr: unable to get raw sockets"). So... seems like it's really the permission here.                                                                                                                                                                                                                                                                                                                                        BlackBerry 10スマートフォンから送信済みです。                                                                                                                                                                                                                送信者: mordak送信: 2017年1月8日(日曜日) 21:21To: mordak/playbook-dev-tools返信先: mordak/playbook-dev-toolsCc: 綺麗な賢狼ホロ; Author件名: Re: [mordak/playbook-dev-tools] Add mtr (#16)It probably isn't zip - it is probably the kernel. An unprivileged process cannot create setuid files, or else privilege escalation would be trivial. When zip is unpacking files it tries to create them with the same permissions as the original, but since it is unprivileged (in the sandbox), it can only create files as itself and cannot setuid, so the files come out with their setuid and uid settings as unprivileged.

At least, that is the behavior I have seen before. I assume that mtr requires setuid root in order to get raw sockets for ICMP?

—You are receiving this because you authored the thread.Reply to this email directly, view it on GitHub, or mute the thread.

{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/mordak/playbook-dev-tools","title":"mordak/playbook-dev-tools","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/mordak/playbook-dev-tools"}},"updates":{"snippets":[{"icon":"PERSON","message":"@mordak in #16: It probably isn't zip - it is probably the kernel. An unprivileged process cannot create setuid files, or else privilege escalation would be trivial. When zip is unpacking files it tries to create them with the same permissions as the original, but since it is unprivileged (in the sandbox), it can only create files as itself and cannot setuid, so the files come out with their setuid and uid settings as unprivileged. \r\n\r\nAt least, that is the behavior I have seen before. I assume that mtr requires setuid root in order to get raw sockets for ICMP?"}],"action":{"name":"View Pull Request","url":"https://github.com/mordak/playbook-dev-tools/pull/16#issuecomment-271150793"}}}

mordak commented 7 years ago

Yeah, that sounds about right. The binary comes out fine, but since the permissions are not correct it doesn't work. This is just the reality of being in the sandbox, and I do not know of any way to get around it.

If you can get mtr to work on the device then I will happily merge, but if it doesn't work on the device then it doesn't make sense to have it.