[PATCH 1/2] Allow BusyBox to be built without a list of applet names

Jody Lee Bruchon jody at jodybruchon.com
Sat Apr 30 14:55:48 UTC 2016


On April 30, 2016 10:07:46 AM EDT, James B <jamesbond3142 at gmail.com> wrote:

On Sat, 30 Apr 2016 09:36:02 -0400
Jody Lee Bruchon <jody at jodybruchon.com> wrote:

On April 30, 2016 9:07:42 AM EDT, Tito <farmatito at tiscali.it> wrote:



On 04/30/2016 02:58 PM, Jody Lee Bruchon wrote:

On April 30, 2016 8:39:24 AM EDT, Andreas Oberritter

<obi at opendreambox.org> wrote:

On 30.04.2016 09:16, Laurent Bercot wrote:

Even worse, consider a busybox binary that someone expects to

contain a

real command like cat or hexdump, which it doesn't. The colliding

hash

of this command could map to a command that accepts the same
command-line arguments but destroys data, like mkfs.* or rm.



It doesn't matter. If the user is throwing arbitrary command names at

BusyBox, the user deserves whatever they get as a result. 

Ummm, no. If a program isn't expected to destroy data (like "dd" or
"mkfs" do), then it should never fail in a way to destroy data.
Somebody who accidentally calls "busybox get-some-status /dev/sdb"
won't expect that it will end up mkfs-ing this disk, if this
"get-some-status" command is not implemented.


Why was there a symlink to busybox for a command that it doesn't implement? Why is someone calling 'busybox command' for a command that is not ever implemented in BusyBox? I understand what you're trying to say, but there are a lot of things that would have to be done intentionally to end up running a destructive command in the way you're supposing, including an unlikely hash collision that can be checked against the entire possible applet list at compile time. If the environment is tight enough that this optimization is being enabled, the risk tradeoff is worth it to the engineer that is putting it all together.

I'm not advocating for the inclusion of this change. I feel that the added complexity negates the minimal gains provided.


More information about the busybox mailing list