Denys Vlasenko wrote:
On Thu, Jan 9, 2014 at 1:35 PM, John Spencer wrote:
This seems to lead to significantly larger code.
Making ping suid wasn't such a big problem before, so
why should we have all these complications now?
making ping suid in the context of busybox basically means "make the entire
busybox binary suid" and that is definitely a bad idea (an example that
comes to mind is the wall vulnerability discovered recently).
If you want to use wall applet, you will need to setuid the entire
why? you can use wall as root. in fact using the applet as non-root
seems pretty insane. that way random users can spam your terminal with
nonsense.
binary anyway. Having ping applet to not need root privs won't
help one iota in avoiding triggering a bug in other applets (e.g. wall).
apart from ping and su there isn't anything that needs setuid or other
raised privileges, and shrinking that list down to one, just su, is
definitely an improvement. and as in my case, you can just as well use
another su replacement so your busybox binary is entirely suid-free.
The only thing which you save yourself from are possible
undiscovered bugs in ping applet.
no, i save myself from yet another tool that needs elevated privs
despite there being a kernel solution for not requiring them since 2.5
years.
A security-paranoid project conceivably would be willing to trade more code
and complexity for added security wrt bugs.
We are a size-paranoid project, not a security-paranoid one.
If you are concerned about possible bugs in ping applet, feel free to audit
its code and let me know if you find one.
well if you can't be convinced to trade 100-200 bytes for a secure ping
implementation, then you should at least remove the existing bogus
SOCK_DGRAM "support" which doesn't work at all, but adds bloat (10 bytes
or so).
_______________________________________________
busybox mailing list
http://lists.busybox.net/mailman/listinfo/busybox
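An added example, not part of this thread and not the busybox patch under discussion: a sketch of the least-privilege socket selection the thread argues over, trying an unprivileged SOCK_DGRAM ICMP socket first and using a raw socket only as a fallback. It assumes Linux, where datagram ICMP sockets are gated by the net.ipv4.ping_group_range sysctl; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <sys/socket.h>

/* RFC 1071 Internet checksum over len bytes, returned in host order. */
static uint16_t icmp_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an 8-byte echo request (on a datagram socket the kernel sets id and checksum). */
static size_t build_echo(uint8_t *buf, uint16_t id, uint16_t seq)
{
    uint16_t ck;
    memset(buf, 0, 8);
    buf[0] = ICMP_ECHO;
    buf[4] = id >> 8;  buf[5] = id & 0xff;
    buf[6] = seq >> 8; buf[7] = seq & 0xff;
    ck = icmp_checksum(buf, 8);
    buf[2] = ck >> 8;  buf[3] = ck & 0xff;
    return 8;
}

/* Prefer the unprivileged datagram socket; a raw socket (root or CAP_NET_RAW)
 * is only the fallback. *needs_priv is 1 when the raw path was taken. */
static int open_ping_socket(int *needs_priv)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    *needs_priv = (fd < 0);
    return fd >= 0 ? fd : socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

int main(void)
{
    int priv, fd = open_ping_socket(&priv);
    printf("fd=%d raw_needed=%d\n", fd, priv);
    return fd < 0 ? 1 : close(fd);
}
```

If the datagram socket opens, the binary needs neither setuid root nor CAP_NET_RAW to send echo requests; if the caller's group is outside net.ipv4.ping_group_range, that socket() call fails and only the raw path remains.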