busybox/tinylogin suid security issues

Mike Frysinger vapier at gentoo.org
Wed Dec 21 20:37:02 UTC 2005

On Wed, Dec 21, 2005 at 03:20:00PM -0500, Chuck Meade wrote:
> In Karim Yaghmour's book "Building Embedded Linux Systems", Karim
> states that he builds tinylogin as a separate component from busybox,
> since it needs suid/root privileges.  He does not want to give suid
> privileges to the busybox binary itself, due to the security concerns
> of running ls and cat (for example) at root level.

that's because the book was written before busybox was updated to
include suid handling

> Does anyone see any advantage of using Karim's method (separate
> tinylogin apps with suid bits set) over the Busybox method (suid
> configured in /etc/busybox.conf)?

you waste space
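
An added example, not part of the original message and not BusyBox code: a small audit of the `[SUID]` section of a busybox.conf that flags general-purpose applets (the `ls`/`cat` concern raised above) configured to run as root. It assumes the `applet = perms [user.group]` line syntax with owner defaulting to root.0; the sample config and the expected-applet set are constructed for illustration.

```python
import re

# Constructed sample, assuming the "[SUID]" syntax: applet = perms [user.group]
SAMPLE_CONF = """\
[SUID]
# login-related applets that genuinely need root
su = ssx root.0
passwd = ssx root.0
login = ssx          # owner assumed to default to root.0 when omitted
mount = sx- root.disk
ls = ssx root.0      # mistake: a general-purpose applet running as root
cat = ---            # disabled for everyone
"""

# Assumption for this example: applets this site expects to run setuid root.
EXPECTED_SUID = {"su", "passwd", "login", "mount"}

# Three mode characters (user, group, other), then an optional user.group owner.
LINE = re.compile(r"^([^\s=]+)\s*=\s*([Ssx-])([Ssx-])([x-])(?:\s+([^.\s]+)\.(\S+))?$")

def parse_suid(text):
    """Return {applet: (user_bit, group_bit, other_bit, user, group)}."""
    entries, in_suid = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            in_suid = line.upper() == "[SUID]"
            continue
        if in_suid:
            m = LINE.match(line)
            if not m:
                raise ValueError(f"unparseable [SUID] line: {raw!r}")
            name, u, g, o, user, group = m.groups()
            entries[name] = (u, g, o, user or "root", group or "0")
    return entries

def audit(text, expected=EXPECTED_SUID):
    """List applets that would run with euid 0 but are not on the expected list."""
    findings = []
    for name, (u, _g, _o, user, _group) in sorted(parse_suid(text).items()):
        runs_as_root = u in "sS" and user in ("root", "0")
        if runs_as_root and name not in expected:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```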

