busybox/tinylogin suid security issues
chuckmeade at mindspring.com
Wed Dec 21 20:20:00 UTC 2005
I have been searching for information on the security aspects of the
tinylogin logic that was integrated into busybox.
In Karim Yaghmour's book "Building Embedded Linux Systems", Karim
states that he builds tinylogin as a separate component from busybox,
since it needs suid/root privileges. He does not want to give suid
privileges to the busybox binary itself, due to the security concerns
of running ls and cat (for example) at root level.
However, Busybox can have configurable suid privileges per applet,
using the file /etc/busybox.conf. This seems to be just as secure
as Karim's method. Plus it seems much smaller than his method of
adding more programs to the filesystem, so that they can have their
individual suid bits set.
Does anyone see any advantage of using Karim's method (separate
tinylogin apps with suid bits set) over the Busybox method (suid
configured in /etc/busybox.conf)?
More information about the busybox