From: Harald Becker <ralda@gmx.de>
To: musl@lists.openwall.com
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817
Date: Wed, 01 Apr 2015 10:11:51 +0200 [thread overview]
Message-ID: <551BA847.3040609@gmx.de> (raw)
In-Reply-To: <20150401074116.GN23636@example.net>
Hi !
On 01.04.2015 09:41, u-wsnj@aetey.se wrote:
> Suid is a very old and nowadays quite redundant tool, mostly holding
> ground due to its "simplicity" (say, compared to talking to a daemon)
> and to the tradition. Seen from a different perspective, it is from the
> pre-network epoch ("the computer is the universe") and enforces among
> others hardcoded paths - which is a PITA for reusable and globally
> placed software.
IMO suid and sgid has there advantage over complex communication with
separate running daemons, but there is one topic, which is missed by so
many discussions about this: There is a big difference if you talk about
suid *root* programs or other suid usage.
The former is definitely very dangerous and should be used with extreme
care (I think this is the case we are talking about), the later use may
even be used to drop privileges (not to raise), or to temporarily hop to
the privileges of a different user (may be allowing access to some files
only by using specific commands).
When used with care and as intended, suid and sgid is a nice feature,
but nowadays there are too many Unix novices, who misunderstand or
misuse this, punching big holes in every security concern.
>> I think it would be worth it
>> even if it doubled the size of the ping utility (which it does not).
> +1
ACK +1
--
Harald
next prev parent reply other threads:[~2015-04-01 8:11 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-30 5:31 Rich Felker
2015-03-31 19:07 ` Denys Vlasenko
2015-03-31 23:11 ` Justin Cormack
2015-03-31 23:51 ` Rich Felker
2015-03-31 23:48 ` Rich Felker
2015-04-01 7:41 ` u-wsnj
2015-04-01 7:52 ` Raphael Cohn
2015-04-01 8:11 ` Harald Becker [this message]
2015-04-01 8:49 ` u-wsnj
2015-04-02 13:56 ` Harald Becker
2015-04-02 17:26 ` Рысь
2015-04-02 18:16 ` Harald Becker
2015-04-03 4:40 ` Рысь
2015-04-04 5:35 ` Harald Becker
2015-04-02 18:36 ` u-wsnj
2015-04-03 4:51 ` Рысь
2015-04-03 10:31 ` [OT] setuid (Re: Busybox on musl is affected by CVE-2015-1817) u-wsnj
2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker
2015-04-02 18:02 ` u-wsnj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=551BA847.3040609@gmx.de \
--to=ralda@gmx.de \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).