
edit /etc/fstab to remove nosuid on /private/var/

Open mwoolweaver opened this issue 8 years ago • 15 comments

cause stashing...

Also, might I suggest forcing a reboot so the changes to fstab will actually take effect?

Or can you ((@kpwn), or anyone else) remount /var and fstab changes take effect w/o a reboot?

mwoolweaver, Jan 31 '17 07:01

@mwoolweaver For security considerations, don't touch the fstab file.

0neday, Jan 31 '17 10:01

Not sure of the security implications (I'm no security guy), however if /var is not remounted removing nosuid, any kind of stashing process breaks suid binaries (they cannot elevate privileges).

Pangu9 did remount /var to allow suid binaries, so I guess this is fine to do on a platform that's compromised anyway?

IvanoBilenchi, Jan 31 '17 10:01

Touching fstab is fine, the issue is that I am not sure this is best achieved with that.

Do you necessarily need the ability for nosuid to be removed while in non-jailbroken mode?

The code also runs sed every time, not just once, which doesn't seem like a great idea (does the .bak get overwritten?)

kpwn, Jan 31 '17 10:01
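One way to address the concern raised in the comment above (the edit running on every launch and clobbering the `.bak`) is to make the fstab change idempotent: check whether `nosuid` is still present, keep only the first backup, and do nothing otherwise. The script below is an added example and is not code from the yalu102 project; the sample fstab lines are constructed (a real iOS fstab may differ), and the function names are my own.

```sh
#!/bin/sh
# Constructed sample fstab, used only to exercise the helpers offline.
SAMPLE_FSTAB='/dev/disk0s1s1 / hfs ro 0 1
/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2'

# Print the mount-options field (4th column) of the entry for a mount point.
# $1 = fstab path, $2 = mount point
fstab_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Exit status 0 if the mount point is listed with nosuid, 1 otherwise.
fstab_has_nosuid() {
    case ",$(fstab_opts "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Remove nosuid from one mount point's options, but only once:
#  - no-op when nosuid is already absent (safe to call on every launch)
#  - the backup is written only if none exists, so the original is preserved
# $1 = fstab path, $2 = mount point
strip_nosuid_once() {
    fstab_has_nosuid "$1" "$2" || return 0
    [ -e "$1.bak" ] || cp "$1" "$1.bak"
    tmp="$1.tmp.$$"
    awk -v mp="$2" '
        $2 == mp {
            n = split($4, o, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (o[i] != "nosuid")
                    out = out (out == "" ? "" : ",") o[i]
            $4 = out          # rebuilds the line with single-space separators
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Usage (on a copy, never the live file, while testing):
#   printf '%s\n' "$SAMPLE_FSTAB" > /tmp/fstab
#   strip_nosuid_once /tmp/fstab /private/var
#   fstab_opts /tmp/fstab /private/var   # prints: rw,nodev
```

Note that awk rewrites the matched line with single spaces between fields, so a tab-separated entry comes back space-separated; fstab parsers accept either. A fstab edit still only applies at the next mount, which is why the reboot question in the opening post stands regardless of how the edit is done.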

@kpwn Suid apps don't really need that while non-jailbroken (they cannot run anyway), however some Cydia software uses suid launchd user agents / daemons in order to carry out root tasks. Can this be a problem?

Edit: that is, in the event that they are stashed to /var

IvanoBilenchi, Jan 31 '17 11:01

I am tempted to consider this a WONTFIX. Using setuid binaries is not something anyone should rely upon in iOS.

kpwn, Jan 31 '17 15:01

@kpwn It allows stashing to work.

nullpixel, Jan 31 '17 16:01

@kpwn Could you elaborate on that? Cydia itself relies on setuid/setgid in order to work (was a suid app until last year, now uses cydo which is still a suid binary), and so do many jailbreak apps such as iFile, Filza and iCleaner. Am I missing something there?

IvanoBilenchi, Jan 31 '17 16:01

I am not convinced that stashing is a great idea either.

Using a helper design like Cydia does is fine, and / is not marked as nosuid, and said helpers are usually thin enough that stashing them is not a necessity.

kpwn, Jan 31 '17 16:01

@kpwn I agree with the stashing part, however it is sometimes a necessary evil since available space on / is really scarce. Even entire suid apps are generally small (cydo is in the hundreds of KBs, while apps are usually a few MBs large), which is the reason why I encouraged (many times :/) the devs of stashing software to simply avoid stashing suid binaries altogether, but this hasn't happened as of today. I think this is because suid permissions for /var are generally taken for granted when it comes to jailbreaks.

That being said, hey, it's your stuff and time we're talking about here. I think this would benefit the community, but if you feel like it's too much hassle to fix then by all means ignore it.

(OT: haven't had the means to do this via twitter, mainly because I don't want to contribute to the mention spam, but thanks a lot for delivering)

IvanoBilenchi, Jan 31 '17 17:01

@mwoolweaver @IvanoBilenchi Are there many cases where suid is absolutely necessary and where sudo does not solve the need to run as root?

mailinglists35, Jan 31 '17 18:01

@mailinglists35 sudo doesn't even work unless you install it; you'd have to use su, and even still, if you have stashed iCleaner Pro you'd have to enter your password every time you ran it. That'd also require a popup for a password and a secure way of getting said password.

Some other points as to why this will have little overall effect on someone in a not-jailbroken state: 1) suid has to be granted by root, which installd can't even grant as it runs as mobile; 2) any unsigned app won't even run in a not-jailbroken state; 3) an app calling setuid wouldn't make it through the App Store review process.

The only real threat that is presented is when a user is jailbroken and an app can actually take advantage of setuid, but the sandbox is already dead, so a user is already exposed to an unknown number of threats.

mwoolweaver, Jan 31 '17 19:01

@mwoolweaver Nice analysis! If you just want to modify some files rather than install various tweaks that depend on MobileSubstrate, you can disable the sandbox patch: just comment out all the sandbox-related code in jailbreak.m.

0neday, Jan 31 '17 23:01

@0neday Will the actual jailbreak even work without the sandbox escape?

mwoolweaver, Feb 01 '17 02:02

@mwoolweaver Yes, I tested it. MTerminal and dropbear work fine for me. But MobileSubstrate doesn't work; it needs the sandbox escape. But it doesn't matter, I don't care.

0neday, Feb 01 '17 02:02

@mwoolweaver Error like this: https://twitter.com/clay_your/status/826260465617494016

0neday, Feb 01 '17 02:02