[oe] TinyLogin
Phil Blundell
pb at reciva.com
Mon Mar 30 10:08:01 UTC 2009
On Mon, 2009-03-30 at 10:18 +0100, Holger Schurig wrote:
> Is this a problem? After all, busybox can drop privileges:
Indeed it can, and for some distros that might well be a fine solution.
However, for other distros the prospect of a setuid-root busybox is an
unwelcome one, typically for some combination of the following reasons:
- making busybox be setuid means that you need to trust all the applets
to drop privileges that they don't need;
- there's no way of telling, from inspection of the binary, which
applets will run as setuid and which won't, nor of changing the setuid
attribute on individual applets without recompiling;
- security auditing is difficult, since the large amount of code-sharing
in busybox makes it hard to determine which functions can potentially be
called from a setuid context;
- the relatively high rate of code churn, combined with the large amount
of code re-use and the fact that there's no inbuilt guard against
accidentally mixing privilege domains, means that any audit would be
likely to need repeating frequently.
> If you are really paranoid and don't want to do this, build two
> busybox binaries with different applets in them
That does help with the first two points above, but not with the latter
two. And, if you're going to build a separate binary for the login
utilities, you might just as well have gone on using tinylogin in the
first place.
p.