[oe] [PATCH] Fix busybox SUID support

Bernhard Reutner-Fischer rep.dot.nop at gmail.com
Fri Feb 26 23:06:43 UTC 2010


On Fri, Feb 26, 2010 at 10:42:30PM +0000, Phil Blundell wrote:

>If you're primarily worried about case (a) then building two copies of
>the frontend which share a common libbusybox, one setuid and one not,
>probably is a reasonable thing to do.  However, as you say, busybox does
>already have a fairly robust mechanism in place for dropping privs when
>they are not wanted by a particular applet and hence the threat from
>this side seems to be quite low anyway.

Yes, and that's what I've read into Michael's mail that this was what he
was primarily concerned about, but rereading him he didn't actually say
that. My apologies.
>
>If you are primarily worried about case (b) then the easiest way to
>mitigate the threat is to reduce the amount of code which is linked in

indeed



