Date: Wed, 1 Apr 2015 09:41:16 +0200 From: u-wsnj@...ey.se To: musl@...ts.openwall.com Cc: busybox <busybox@...ybox.net> Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817 On Tue, Mar 31, 2015 at 07:48:10PM -0400, Rich Felker wrote: > > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for > > > ping, which allows it to run without root. > > > > This seems to lead to a significantly larger code. > > I don't recall the exact amount, but given that busybox's suid > framework is not taking any precautions to mitigate the risks of suid > (not to mention that eliminating all suids is a goal of some > security-conscious systems integrators) Yes it is here (the goal). Suid is a very old and nowadays quite redundant tool, mostly holding ground due to its "simplicity" (say, compared to talking to a daemon) and to the tradition. Seen from a different perspective, it is from the pre-network epoch ("the computer is the universe") and enforces among others hardcoded paths - which is a PITA for reusable and globally placed software. > I think it would be worth it > even if it doubled the size of the ping utility (which it does not). +1 Rune
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.