[PATCH] ping: try SOCK_DGRAM if no root privileges

Laurent Bercot ska-dietlibc at skarnet.org
Thu Jan 9 14:07:23 UTC 2014


>> making ping suid in the context of busybox basically means "make the
>> entire busybox binary suid" and that is definitely a bad idea (an
>> example that comes to mind is the wall vulnerability discovered
>> recently).
> Hi,
> Busybox drops suid privileges for applets that don't require it
> even before the applet code is called.

  I never understood all the fuss about that or the chosen
Busybox solution. Gaining privileges is the single most dangerous
thing in Unix; gaining privileges then dropping them if you didn't
need them after all is playing with fire for no reason.

  Here is what I do:

  * make a single busybox binary with all the applets I need. My
busybox binary is NEVER setuid.
  * compile a separate small C program that tests whether
`basename $0` is in a list of accepted words, and if it is the
case, execs into "/bin/busybox `basename $0` $@". Make that separate
binary setuid root.
  * the utilities that need to be setuid root are symlinks to that
binary, the other ones are direct symlinks to busybox.

  This solution makes me trust 4 lines of code instead of the
whole busybox binary, and privileges are only gained if they
are really needed. Sure, I have to edit the list of setuid applets
in an additional place; this is a small price to pay for
correctness.

-- 
  Laurent
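
A sketch of the wrapper described in the message above, added here as an example; it is not the poster's code. The applet allowlist and the fixed replacement environment are assumptions, and `applet_name` and `applet_allowed` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUSYBOX_PATH "/bin/busybox"   /* path named in the post */

/* Assumed allowlist: only the applets that really need root go here. */
static const char *const suid_applets[] = { "ping", "ping6", "su", "passwd", NULL };

/* Last path component of argv0; "" when argv0 is NULL (argc == 0 case). */
static const char *applet_name(const char *argv0)
{
    const char *slash;
    if (argv0 == NULL) return "";
    slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* 1 only on an exact match with an allowlisted applet, else 0. */
static int applet_allowed(const char *name)
{
    size_t i;
    for (i = 0; suid_applets[i] != NULL; i++)
        if (strcmp(name, suid_applets[i]) == 0) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumption beyond the post: the caller's environment is untrusted,
       so the privileged exec gets a fixed minimal one instead. */
    static char *const clean_env[] = { "PATH=/bin:/sbin:/usr/bin:/usr/sbin", NULL };
    const char *name = applet_name(argc > 0 ? argv[0] : NULL);

    if (!applet_allowed(name)) {
        fprintf(stderr, "%s: not a setuid applet\n", name);
        return 1;
    }
    /* busybox picks the applet from the basename of argv[0], so this has the
       same effect as running "/bin/busybox <applet> args...". The target is an
       absolute path, so no PATH lookup happens while privileged. */
    argv[0] = (char *)name;
    execve(BUSYBOX_PATH, argv, clean_env);
    perror("execve " BUSYBOX_PATH);
    return 1;
}
```

Only this binary would be installed setuid root, with the privileged applet names symlinked to it; every other applet stays a direct symlink to the non-setuid busybox.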


