[oe] tinylogin vs. busybox

Michael 'Mickey' Lauer mickey at vanille-media.de
Fri Feb 15 11:46:44 UTC 2008


On Wednesday 13 February 2008 16:06:07 Koen Kooi wrote:
> Michael 'Mickey' Lauer wrote:
> | On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
> |> Michael 'Mickey' Lauer wrote:
> |> | I just realized that we are still using tinylogin which has bugs and
> |> | is dead.
> |> | Newer busybox releases contain all the functionality. Anyone know a
> |> | compelling reason to keep using tinylogin as the default in
> |> | task-base? If not, I'd like to switch to busybox (after changing its
> |> | defconfig) soon.
> |>
> |> Using busybox as login requires it being setuid root, with all the nasty
> |> security implications stemming from that.
> |
> | http://www.busybox.net/lists/busybox/2004-May/011551.html gives me the
> | opinion that this is not a problem.
>
> If that email is true, we could dump tinylogin

Excellent. I will look into this and do some tests.

> , but frankly, I trust 
> busybox as far as I can throw a piano (and toybox as far as I can throw
> a 21" crt) and SUID root binaries make my skin crawl, so we must be very
> careful and do thorough tests before making this change.
> The last thing we want is $bigcompany to blame OE for the exploitability
> of their devices.

Sure, better safe than sorry. Of course this would not be the default in 
OE.dev without being tested for quite some time.

:M:
-- 
Dr. Michael 'Mickey' Lauer | IT-Freelancer | http://www.vanille-media.de



