On Wed, May 20, 2015 at 3:54 PM, Burton, Ross <[email protected]> wrote:
>
> On 20 May 2015 at 15:50, Laszlo Papp <[email protected]> wrote:
>>
>> Currently, I do not see any simple way without #ifdef jungle in the
>> code around to it. It is not nice.
>
>
> Looking at the busybox recipe reveals this:
>
> # Whether to split the suid apps into a seperate binary
> BUSYBOX_SPLIT_SUID ?= "1"
>
> Just remember that the suid apps were being split out for good security
> reasons. There's no need for sed to have suid rights!

I will not argue about security measure improvements as I agree about them with you. However, I will debate the way this security measure is implemented. It is a distraction from the desktop world where you can also use busybox and many do. Now, all of a sudden, we have to handle them differently in code and scripts.

I think a less intrusive approach to implement this could have been (and it is probably still not too late) to fix the rights underneath and not by such wrappers. Such wrappers will introduce this disruption which is not strictly needed. Well, you could say that if desktop distributions also implement it like this, then there is no disruption, but I think that is never going to happen if busybox itself does not enforce it. I think this is not a good implementation for security to remain consistent with the rest of the world.

Could it please be reconsidered towards another solution? It is also good if one can tell me how to solve this differentiation between desktop and Yocto without further code.
