edit /etc/fstab to remove nosuid on /private/var/ #326

Open: wants to merge 2 commits into master
Conversation

@mwoolweaver (Contributor) commented Jan 31, 2017

Because stashing. . . .

Also, might I suggest forcing a reboot so the changes to fstab will actually take effect?

Or can you (@kpwn, or anyone else) remount /var so fstab changes take effect without a reboot?

@0neday commented Jan 31, 2017

@mwoolweaver For security reasons, don't touch the fstab file.

@IvanoBilenchi

Not sure of the security implications (I'm no security guy), however if /var is not remounted removing nosuid, any kind of stashing process breaks suid binaries (they cannot elevate privileges).

Pangu9 did remount /var to allow suid binaries, so I guess this is fine to do on a platform that's compromised anyway?

@kpwn (Owner) commented Jan 31, 2017

Touching fstab is fine, the issue is that I am not sure this is best achieved with that.

Do you necessarily need the ability for nosuid to be removed while in non-jailbroken mode?

The code also runs sed every time, not just once, which doesn't seem like a great idea (does the .bak get overwritten?)
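
The two points raised in this thread (an edit that is re-run on every launch and may clobber its own .bak, and how to confirm the change took effect after a reboot) can be handled with a small idempotent script. The following is an added example, not code from this pull request or from the project: it assumes an iOS-style /etc/fstab whose fourth field is the comma-separated option list, assumes the BSD mount(8) output format "dev on /mountpoint (fs, opt, ...)", and all function names and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the pull request's code). Idempotent removal of
# "nosuid" from the /private/var entry of an iOS-style /etc/fstab:
# the pristine file is backed up once, and a second run is a no-op.
# fstab layout, mount(8) output format and helper names are assumptions.

# has_nosuid FSTAB MOUNTPOINT: exit 0 if the entry for MOUNTPOINT carries
# nosuid in its option list (4th field), exit 1 otherwise.
has_nosuid() {
    awk -v mp="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1
        }
        END { exit !found }' "$1"
}

# strip_nosuid FSTAB MOUNTPOINT: rewrite FSTAB so the entry for MOUNTPOINT
# no longer has nosuid. FSTAB.bak is written only if it does not exist yet,
# and an already-clean file is left untouched, so calling this on every
# boot is safe and never overwrites the backup with an edited copy.
strip_nosuid() {
    fstab=$1
    mp=$2
    has_nosuid "$fstab" "$mp" || return 0      # nothing to do, do not touch anything
    [ -e "$fstab.bak" ] || cp "$fstab" "$fstab.bak"
    tmp="$fstab.tmp.$$"
    awk -v mp="$mp" '
        $2 == mp {
            n = split($4, o, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (o[i] != "nosuid") out = (out == "" ? o[i] : out "," o[i])
            if (out == "") out = "rw"           # options field must not be empty
            $4 = out
        }
        { print }' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# live_has_nosuid MOUNTPOINT: read mount(8) output on stdin and exit 0 if
# the filesystem currently mounted at MOUNTPOINT has nosuid. Run
#   mount | live_has_nosuid /private/var
# after the reboot (or remount) to confirm the fstab edit took effect.
live_has_nosuid() {
    awk -v mp="$1" '
        $3 == mp && $0 ~ /[(, ]nosuid[,)]/ { found = 1 }
        END { exit !found }'
}

# demo: run the edit twice against a constructed fstab in a temp dir and
# show that the backup still holds the original after the second run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '/dev/disk0s1s1 / hfs ro 0 1' \
        '/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2' > "$d/fstab"
    strip_nosuid "$d/fstab" /private/var
    echo '# after first run:'; cat "$d/fstab"
    strip_nosuid "$d/fstab" /private/var
    echo '# backup after second run (still the original):'; cat "$d/fstab.bak"
    rm -rf "$d"
}

demo
```

The edit is keyed on the mount point rather than on a device name, so it is unaffected by which disk slice /private/var sits on; the live check is a separate function because fstab only describes what will be mounted at the next boot, not what is mounted now.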

@IvanoBilenchi commented Jan 31, 2017

@kpwn Suid apps don't really need that while non-jailbroken (they cannot run anyway); however, some Cydia software uses suid launchd user agents / daemons in order to carry out root tasks. Can this be a problem?

Edit: that is, in the event that they are stashed to /var

@kpwn (Owner) commented Jan 31, 2017

I am tempted to consider this a WONTFIX. Using setuid binaries is not something anyone should rely upon in iOS.

@nullpixel (Contributor)

@kpwn It allows stashing to work.

@IvanoBilenchi

@kpwn Could you elaborate on that? Cydia itself relies on setuid/setgid in order to work (was a suid app until last year, now uses cydo which is still a suid binary), and so do many jailbreak apps such as iFile, Filza and iCleaner. Am I missing something there?

@kpwn (Owner) commented Jan 31, 2017

I am not convinced that stashing is a great idea either.

Using a helper design like Cydia does is fine, and / is not marked as nosuid, and said helpers are usually thin enough that stashing them is not a necessity.

@IvanoBilenchi

@kpwn I agree with the stashing part, however it is sometimes a necessary evil since available space on / is really scarce. Even entire suid apps are generally small (cydo is in the hundreds of KBs, while apps are usually a few MBs large), which is the reason why I encouraged (many times :/) the devs of stashing software to simply avoid stashing suid binaries altogether, but this hasn't happened as of today. I think this is because suid permissions for /var are generally taken for granted when it comes to jailbreaks.

That being said, hey, it's your stuff and time we're talking about here. I think this would benefit the community, but if you feel like it's too much hassle to fix then by all means ignore it.

(OT: haven't had the means to do this via twitter, mainly because I don't want to contribute to the mention spam, but thanks a lot for delivering)

@mailinglists35

@mwoolweaver @IvanoBilenchi are there many cases where suid is absolutely necessary and where sudo does not solve the need to run as root?

@mwoolweaver (Contributor, Author) commented Jan 31, 2017

@mailinglists35 sudo doesn't even work unless you install it; you'd have to use su, and even then, if you have stashed iCleaner Pro, you'd have to enter your password every time you ran it. That would also require a popup for a password and a secure way of getting said password.

Some other points as to why this will have little overall effect on someone in a non-jailbroken state are that: 1) suid has to be granted by root, which installd can't even grant as it runs as mobile; 2) any unsigned app won't even run in a non-jailbroken state; 3) an app calling setuid wouldn't make it through the App Store review process.

The only real threat presented is when a user is jailbroken and an app can actually take advantage of setuid, but the sandbox is already dead, so a user is already exposed to an unknown number of threats.

@mwoolweaver reopened this Jan 31, 2017

@0neday commented Jan 31, 2017

@mwoolweaver Nice analysis! If you just want to modify some files rather than install various tweaks that depend on mobilesubstrate, you can disable the sandbox patch: just comment out all the code about the sandbox part in jailbreak.m.

@mwoolweaver (Contributor, Author)

@0neday Will the actual jailbreak even work without the sandbox escape?

@0neday commented Feb 1, 2017

@mwoolweaver Yes, I tested it. MTerminal and dropbear work fine for me. But mobilesubstrate doesn't work; it needs the sandbox escape. But it doesn't matter, I don't care.
