+config BUSYBOX_CONFIG_FEATURE_SUID_CONFIG
+ bool "Enable SUID configuration via /etc/busybox.conf"
+ default BUSYBOX_DEFAULT_FEATURE_SUID_CONFIG
+ depends on BUSYBOX_CONFIG_FEATURE_SUID
+ help
+ Allow the SUID/SGID state of an applet to be determined at runtime
+ by checking /etc/busybox.conf. (This is sort of a poor man's sudo.)
+ The format of this file is as follows:
+
+ APPLET = [Ssx-][Ssx-][x-] [USER.GROUP]
+
+ s: USER or GROUP is allowed to execute APPLET.
+ APPLET will run under USER or GROUP
+ (regardless of who's running it).
+ S: USER or GROUP is NOT allowed to execute APPLET.
+ APPLET will run under USER or GROUP.
+ This option is not very sensical.
+ x: USER/GROUP/others are allowed to execute APPLET.
+ No UID/GID change will be done when it is run.
+ -: USER/GROUP/others are not allowed to execute APPLET.
+
+ An example might help:
+
+ |[SUID]
+ |su = ssx root.0 # applet su can be run by anyone and runs with
+ | # euid=0,egid=0
+ |su = ssx # exactly the same
+ |
+ |mount = sx- root.disk # applet mount can be run by root and members
+ | # of group disk (but not anyone else)
+ | # and runs with euid=0 (egid is not changed)
+ |
+ |cp = --- # disable applet cp for everyone
+
+ The file has to be owned by user root, group root and has to be
+ writeable only by root:
+ (chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
+ The busybox executable has to be owned by user root, group
+ root and has to be setuid root for this to work:
+ (chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)
+
+ Robert 'sandman' Griebl has more information here:
+ <url: http://www.softforge.de/bb/suid.html >.