[oe] TinyLogin

Phil Blundell pb at reciva.com
Mon Mar 30 10:08:01 UTC 2009


On Mon, 2009-03-30 at 10:18 +0100, Holger Schurig wrote:
> Is this a problem?  After all, busybox can drop privileges:

Indeed it can, and for some distros that might well be a fine solution.
However, for other distros the prospect of a setuid-root busybox is an
unwelcome one, typically for some combination of the following reasons:

- making busybox be setuid means that you need to trust all the applets
to drop privileges that they don't need;

- there's no way of telling, from inspection of the binary, which
applets will run as setuid and which won't, nor of changing the setuid
attribute on individual applets without recompiling;

- security auditing is difficult, since the large amount of code-sharing
in busybox makes it hard to determine which functions can potentially be
called from a setuid context;

- the relatively high rate of code churn, combined with the large amount
of code re-use and the fact that there's no inbuilt guard against
accidentally mixing privilege domains, means that any audit would be
likely to need repeating frequently.

> If you are really paranoid and don't want to do this, build two 
> busybox binaries with different applets in them

That does help with the first two points above, but not with the latter
two.  And, if you're going to build a separate binary for the login
utilities, you might just as well have gone on using tinylogin in the
first place.

p.
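
As an added illustration of the first two points above (not part of the original message, and not code from busybox or OpenEmbedded): a sketch that walks a staged root filesystem image and lists every name that executes a setuid file. The helper names and the sample tree are constructed for this example. The listing shows which entry points start with the file owner's privileges; it cannot show which applets go on to drop them.

```python
import os
import stat
import tempfile

def resolve_in_rootfs(rootfs, path, max_hops=16):
    """Follow a symlink chain, treating absolute targets as rootfs-relative."""
    for _ in range(max_hops):
        if not os.path.islink(path):
            return path
        target = os.readlink(path)
        if os.path.isabs(target):
            path = os.path.join(rootfs, target.lstrip("/"))
        else:
            path = os.path.normpath(os.path.join(os.path.dirname(path), target))
    return None  # loop or over-long chain

def setuid_entry_points(rootfs):
    """Map each setuid file to every name in the image that executes it."""
    names, setuid = {}, {}  # both keyed by (device, inode)
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            real = resolve_in_rootfs(rootfs, path)
            if real is None or not os.path.isfile(real):
                continue  # dangling link or not a regular file
            st = os.stat(real)
            key = (st.st_dev, st.st_ino)
            names.setdefault(key, []).append(os.path.relpath(path, rootfs))
            if st.st_mode & stat.S_ISUID:
                setuid.setdefault(key, os.path.relpath(real, rootfs))
    return {setuid[k]: sorted(names[k]) for k in setuid}

def build_sample_rootfs():
    """Constructed sample image: one setuid multi-call binary plus applet links."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("busybox", 0o4755), ("true", 0o755)):
        path = os.path.join(root, "bin", name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink("busybox", os.path.join(root, "bin", "su"))            # relative
    os.symlink("/bin/busybox", os.path.join(root, "bin", "ls"))       # absolute
    os.symlink("../../bin/busybox", os.path.join(root, "usr", "bin", "wget"))
    return root

if __name__ == "__main__":
    for binary, entry_points in setuid_entry_points(build_sample_rootfs()).items():
        print(f"{binary}: {len(entry_points)} setuid entry points")
        for name in entry_points:
            print("   ", name)
```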





