[OE-core] [PATCH] tinylogin: use angstrom mirror for SRC_URI

Phil Blundell pb at pbcl.net
Thu Jul 7 10:45:35 UTC 2011


On Thu, 2011-07-07 at 11:29 +0100, Richard Purdie wrote:
> Longer term, I wonder if we could make this recipe download and build
> busybox but only build the getty/login parts and rename the resulting
> static binary to be standalone from busybox itself?
> 
> That would likely address the concerns people (rightly IMO) have about
> making busybox itself SUID...

I wondered about that too, but I'm still not very convinced that this is
a good solution.  I continue to feel that having the setuid
login-related pieces as a separate source package is the best approach
and I've never entirely understood why the busybox folks have been so
determined to deprecate tinylogin in favour of the rolled-up version.

Just to recap, I think there are five main areas of concern around
having login and suchlike be part of busybox:

a) the risk that busybox's privilege-dropping code might malfunction and
lead to applets being run with more privs than they ought to have;

b) the risk that busybox might have vulnerabilities in the code which
runs before privileges are dropped;

c) the difficulty in auditing the codebase for vulnerabilities: given
that any part of busybox can (potentially) call any other function in
the executable, it is hard to determine for sure which lines of code
might be executed under setuid context and which might not;

d) the various pieces of low-level fallout which go with having busybox
itself be technically setuid (even if it drops the privileges
immediately), for example inability to strace /bin/sh as any user other
than root;

e) the relatively high level of churn in the busybox codebase, meaning
that any audit would need to be repeated frequently.

I think your proposal would address issues (a), (b), (d), and
potentially (e), but it's not obvious to me that there is any way of
solving (c) that wouldn't introduce another maintenance headache.  And
on the downside, I think (although I haven't tested it) that a
login-only busybox build would probably end up bigger than the tinylogin
binaries that we have today.

p.
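
Concern (a) above is about one specific step: a setuid multi-call binary has to decide from argv[0] whether an applet keeps the setuid identity, and otherwise give it up irreversibly before any applet code runs. The C program below is an added example of that step, not code from busybox, tinylogin or this thread; the applet allowlist and all function names are assumptions.

```c
/* Added example: privilege handling in a hypothetical setuid multi-call binary. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed allowlist: only these applets may keep the setuid identity. */
static const char *const suid_applets[] = { "login", "passwd", "su" };

int applet_keeps_privs(const char *name)
{
    for (size_t i = 0; i < sizeof suid_applets / sizeof *suid_applets; i++)
        if (strcmp(name, suid_applets[i]) == 0)
            return 1;
    return 0;
}

/* Drop to the real uid/gid for good; returns 0 only if the drop is verified. */
int drop_privs_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();
    /* Group first: once the uid has changed we may no longer be allowed to. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;
    /* Check the resulting ids instead of trusting the return codes alone. */
    if (getgid() != rgid || getegid() != rgid) return -1;
    if (getuid() != ruid || geteuid() != ruid) return -1;
    /* If a saved id survived, switching back would succeed: count as failure. */
    if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    return 0;
}

/* 1: applet keeps privileges, 0: privileges dropped, -1: refuse to run. */
int prepare_applet(const char *argv0)
{
    const char *name = strrchr(argv0, '/');
    name = name ? name + 1 : argv0;
    if (applet_keeps_privs(name))
        return 1;
    return drop_privs_permanently() == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *self = argc > 0 ? argv[0] : "";
    int r = prepare_applet(self);
    if (r < 0) { fputs("privilege drop failed, refusing to run\n", stderr); return 111; }
    printf("%s: %s\n", self, r ? "keeps privileges" : "privileges dropped");
    return 0;
}
```

Everything that executes before `prepare_applet()` returns, including option parsing and applet lookup, still runs with the setuid identity, which is the code covered by concerns (b) and (c).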





