[oe] TinyLogin
Holger Schurig
hs4233 at mail.mn-solutions.de
Mon Mar 30 11:33:04 UTC 2009
> No, I think you misunderstood what I meant.
Okay.
> The issue is that, since all the applets are linked together
> into one monolithic binary, and hence have the ability in
> theory to call any function in that binary, it is difficult to
> tell by looking at the source code which functions might
> potentially be called (directly or indirectly) by one of the
> setuid applets and hence would need to be included in an audit
> for privilege-escalation vulnerabilities.
I'd have to cross-ref one specific busybox version with my
specific .config file and look at the call graph below the
SUID-root applets. That would reveal if this is a substantial
claim or just a fear.
But hey, I am among those people that didn't do a
privilege-escalation-verification of tinylogin. And so I'm not
inclined to do that now for busybox --- it's not something that
I care for. The usage-scenarios of my devices don't call for
such measures.
However, I like to base fear on evidence, that's why I replied.
> > Except that TinyLogin is end-of-life and won't get bugfixes
> > from upstream.
>
> Yes, that's obviously the tradeoff.
The end-of-life argument is an argument for my
paranoid-suggestion ("create a tinylogin_1.13.3_bb file with
SRC_URI = busybox and a stripped down .config only for the
tinylogin-equivalent-applets").
> Tinylogin is simple enough, though, that fixing bugs locally
> would be easy enough if that became necessary.
Your point <smile>
Let's wait (some more years) for the security assessment of
tinylogin then <even bigger smile>.
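A worked version of the call-graph check discussed above, added here as an example and not code from the thread or from busybox itself: given a call graph produced for one source tree and one .config, and the entry points of the applets that .config installs setuid, it computes the set of functions a privilege-escalation audit would have to cover. The graph text, applet names and the setuid set are all constructed.

```python
"""Audit scope for a multi-call binary: everything reachable from the
setuid applet entry points.  Added example; graph and names are
constructed, not taken from a real busybox build."""
from collections import deque

# Constructed call graph, "caller -> callee, callee".  A real input
# would come from a call-graph tool run over the same tree and
# .config used for the build.
CALLGRAPH = """
passwd_main -> getpass_wrap, update_passwd, bb_error_msg
su_main -> getpass_wrap, run_shell, bb_error_msg
ls_main -> format_entry, bb_error_msg
update_passwd -> safe_write, bb_error_msg
run_shell -> exec_shell
format_entry -> column_print
"""

# Constructed: applets the hypothetical .config installs setuid root.
SUID_APPLETS = {"passwd_main", "su_main"}


def parse_callgraph(text):
    """Parse the edge list into {caller: set(callees)}."""
    graph = {}
    for line in text.strip().splitlines():
        caller, _, callees = line.partition("->")
        graph.setdefault(caller.strip(), set()).update(
            c.strip() for c in callees.split(",") if c.strip())
    return graph


def audit_scope(graph, entry_points):
    """Return {function: {setuid entry points that reach it}} by BFS.

    A function absent from the result is unreachable from any setuid
    applet and can be left out of the privilege-escalation review."""
    scope = {}
    for entry in entry_points:
        queue, seen = deque([entry]), {entry}
        while queue:
            fn = queue.popleft()
            scope.setdefault(fn, set()).add(entry)
            for callee in graph.get(fn, ()):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(callee)
    return scope
```

Shared helpers such as the error-message routine show up with every setuid applet that reaches them, while code only used by non-setuid applets (here the `ls` formatting) stays out of scope even though it is linked into the same binary.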