[PATCH] ping: try SOCK_DGRAM if no root privileges

[John Spencer]

Denys Vlasenko wrote:
> On Thu, Jan 9, 2014 at 1:35 PM, John Spencer
> <maillist-busybox at barfooze.de> wrote:
>>> This seems to lead to a significantly larger code.
>>>
>>> Making ping suid wasn't such a big problem before, so
>>> why should we have all these complications now?
>>>
>> making ping suid in the context of busybox basically means "make the entire
>> busybox binary suid" and that is definitely a bad idea (an example that
>> comes to mind is the wall vulnerability discovered recently).
> 
> If you want to use wall applet, you will need to setuid the entire

why ? you can use wall as root. in fact using the applet as non-root 
seems pretty insane. that way random users can spam your terminal with 
nonsense.

> binary anyway. Having ping applet to not need root privs won't
> help one iota in avoiding triggering a bug in other applets (e.g. wall).

apart from ping and su there isn't anything that needs setuid or other 
raised privileges, and shrinking that list down to one, just su, is 
definitely an improvement. and as in my case, you can just as well use 
another su replacement so your busybox binary is entirely suid-free.

> 
> The only thing which you save yourself from are possible
> undiscovered bugs in ping applet.

no, i save myself from yet another tool that needs elevated privs 
despite there being a kernel solution for not requiring them since 2.5 
years.

> 
> A security-paranoid project conceivably would be willing to trade more code
> and complexity for added security wrt bugs.
> 
> We are size-paranoid project, not security-paranoid one.
> 
> If you are concerned about posiible bugs in ping applet, feel free to audit
> its code and let me know if you find one.
> 

well if you cant be convinced to trade 100-200 bytes for a secure ping 
implementation, than you should at least remove the existing bogus 
SOCK_DGRAM "support" which doesn't work at all, but adds bloat (10 bytes 
or so).