Rich, Justin, Rune: Seconded. The need for a discussion here is deeply worrying. It's not smaller code if it's insecure code. And given two very viable techniques, it seems moot.

Personally, I'd be in favour of the SOCK_DGRAM approach, as it eliminates the need for setuid. How difficult would it be for someone to maintain this patch in a forked BusyBox, or as a compile option (turned on by default)? (I'd be happy to help with this). Is this something Alpine Linux might consider?

On 1 April 2015 at 08:41, <u-wsnj@aetey.se> wrote:

On Tue, Mar 31, 2015 at 07:48:10PM -0400, Rich Felker wrote:
> > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
> > > ping, which allows it to run without root.
> >
> > This seems to lead to a significantly larger code.
>
> I don't recall the exact amount, but given that busybox's suid
> framework is not taking any precautions to mitigate the risks of suid
> (not to mention that eliminating all suids is a goal of some
> security-conscious systems integrators)

Yes it is here (the goal).

Suid is a very old and nowadays quite redundant tool, mostly holding
ground due to its "simplicity" (say, compared to talking to a daemon)
and to the tradition. Seen from a different perspective, it is from the
pre-network epoch ("the computer is the universe") and enforces among
others hardcoded paths - which is a PITA for reusable and globally
placed software.

> I think it would be worth it
> even if it doubled the size of the ping utility (which it does not).

+1

Rune