On 2014-01-10 19:27, Rich Felker wrote:
> Note that this kind of approach STILL does not protect you from vulnerabilities in the dynamic linker (avoiding them would require making both the wrapper and busybox binary static-linked)

Which is the case for me.

> or libc startup code (inevitable).

I'm using musl, it looked like a good, paranoid libc; maybe I was lied to? :-O

> [dangers of suid] This is why I want to see a ping that works without suid.

So do I. I also want to write a simple user database backend (with its own getpwent() implementation) so that passwd doesn't need to be setuid root. And a Unix-socket-based "su" daemon with credential passing, and terminal passing too. And rewrite qmail-queue as a Unix-socket-based daemon. And a non-setuid traceroute. And a pony.

In the meantime, I also want a usable, working system. As Denys noted, cleansing the existing codebase of setuid is an energy- and time-consuming practice; in the name of good compromise between practicality and security, I will still use the setuid binaries I need until I've replaced them (or, better, until you and John have done all the hard work for me), while making sure privileges are only gained when they are strictly required.

-- 
Laurent
