[oe] tinylogin vs. busybox
Mark Gollahon
golly at stellarwerx.com
Fri Feb 15 12:41:14 UTC 2008
Why not run two builds of busybox - once for the tinylogin functions and
again for all the rest?
Michael 'Mickey' Lauer wrote ..
> On Wednesday 13 February 2008 16:06:07 Koen Kooi wrote:
> > Michael 'Mickey' Lauer schreef:
> > | On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
> > |> Michael 'Mickey' Lauer schreef:
> > |> | I just realized that we are still using tinylogin which has bugs
> and
> > |>
> > |> is dead.
> > |>
> > |> | Newer busybox releases contain all the functionality. Anyone know
> a
> > |> | compelling reason to keep using tinylogin as the default in
> >
> > task-base? If
> >
> > |> | not, I'd like to switch to busybox (after changing its defconfig)
> > |> | soon.
> > |>
> > |> Using busybox as login requires it being setuid root, with all the
> nasty
> > |> security implications stemming from that.
> > |
> > | http://www.busybox.net/lists/busybox/2004-May/011551.html give me the
> >
> > opinion
> >
> > | that this is not a problem.
> >
> > If that email is true, we could dump tinylogin
>
> Excellent. I will look into this and do some tests.
>
> > , but frankly, I trust
> > busybox as far as I can throw a piano (and toybox as far as I can throw
> > a 21" crt) and SUID root binaries make my skin crawl, so we must be very
> > carefull and do thorough tests before making this change.
> > The last thing we want is $bigcompany to blame OE for the exploitabilty
> > of their devices.
>
> Sure, better safe than sorry. Of course this would not be the default in
> OE.dev without being tested for quite some time.
>
> :M:
> --
> Dr. Michael 'Mickey' Lauer | IT-Freelancer | http://www.vanille-media.de
>
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel at lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
More information about the Openembedded-devel
mailing list