From: u-wsnj@aetey.se
To: musl@lists.openwall.com
Cc: busybox <busybox@busybox.net>
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817
Date: Wed, 1 Apr 2015 09:41:16 +0200 [thread overview]
Message-ID: <20150401074116.GN23636@example.net> (raw)
In-Reply-To: <20150331234810.GN6817@brightrain.aerifal.cx>
On Tue, Mar 31, 2015 at 07:48:10PM -0400, Rich Felker wrote:
> > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
> > > ping, which allows it to run without root.
> >
> > This seems to lead to a significantly larger code.
>
> I don't recall the exact amount, but given that busybox's suid
> framework is not taking any precautions to mitigate the risks of suid
> (not to mention that eliminating all suids is a goal of some
> security-conscious systems integrators)
Yes it is here (the goal).
Suid is a very old and nowadays quite redundant tool, mostly holding
ground due to its "simplicity" (say, compared to talking to a daemon)
and to the tradition. Seen from a different perspective, it is from the
pre-network epoch ("the computer is the universe") and enforces among
others hardcoded paths - which is a PITA for reusable and globally
placed software.
> I think it would be worth it
> even if it doubled the size of the ping utility (which it does not).
+1
Rune
next prev parent reply other threads:[~2015-04-01 7:41 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-30 5:31 Rich Felker
2015-03-31 19:07 ` Denys Vlasenko
2015-03-31 23:11 ` Justin Cormack
2015-03-31 23:51 ` Rich Felker
2015-03-31 23:48 ` Rich Felker
2015-04-01 7:41 ` u-wsnj [this message]
2015-04-01 7:52 ` Raphael Cohn
2015-04-01 8:11 ` Harald Becker
2015-04-01 8:49 ` u-wsnj
2015-04-02 13:56 ` Harald Becker
2015-04-02 17:26 ` Рысь
2015-04-02 18:16 ` Harald Becker
2015-04-03 4:40 ` Рысь
2015-04-04 5:35 ` Harald Becker
2015-04-02 18:36 ` u-wsnj
2015-04-03 4:51 ` Рысь
2015-04-03 10:31 ` [OT] setuid (Re: Busybox on musl is affected by CVE-2015-1817) u-wsnj
2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker
2015-04-02 18:02 ` u-wsnj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150401074116.GN23636@example.net \
--to=u-wsnj@aetey.se \
--cc=busybox@busybox.net \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).