tinylogin vs. busybox

tinylogin vs. busybox

[Michael 'Mickey' Lauer]

I just realized that we are still using tinylogin which has bugs and is dead. 
Newer busybox releases contain all the functionality. Anyone know a 
compelling reason to keep using tinylogin as the default in task-base? If 
not, I'd like to switch to busybox (after changing its defconfig) soon.

:M:
-- 
Dr. Michael 'Mickey' Lauer | IT-Freelancer | http://www.vanille-media.de

Re: tinylogin vs. busybox

[Koen Kooi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael 'Mickey' Lauer schreef:
| I just realized that we are still using tinylogin which has bugs and
is dead.
| Newer busybox releases contain all the functionality. Anyone know a
| compelling reason to keep using tinylogin as the default in task-base? If
| not, I'd like to switch to busybox (after changing its defconfig) soon.

Using busybox as login requires it being setuid root, with all the nasty
security implications stemming from that. I don't think OE should force
people to only have one user ('root') on their systems, since that is
exactly what your proposed change would mean.
However, I have no objection to enabling login functionality in busybox.

So:

* keep tinylogin
* don't make busybox setuid root
* update defconfig

regards,

Koen

- --
koen@dominion.kabel.utwente.nl will go go away in december 2007, please
use k.kooi@student.utwente.nl instead.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHsug+MkyGM64RGpERAihfAKCn2Vlva94cL6G/+eYLezttWkhADwCfYtgC
s8GPomq+b0MqLThl2ZVjxUQ=
=t8V1
-----END PGP SIGNATURE-----

Re: tinylogin vs. busybox

[Michael 'Mickey' Lauer]

On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
> Michael 'Mickey' Lauer schreef:
> | I just realized that we are still using tinylogin which has bugs and
>
> is dead.
>
> | Newer busybox releases contain all the functionality. Anyone know a
> | compelling reason to keep using tinylogin as the default in task-base? If
> | not, I'd like to switch to busybox (after changing its defconfig) soon.
>
> Using busybox as login requires it being setuid root, with all the nasty
> security implications stemming from that.

http://www.busybox.net/lists/busybox/2004-May/011551.html give me the opinion 
that this is not a problem.

> I don't think OE should force
> people to only have one user ('root') on their systems, since that is
> exactly what your proposed change would mean.

I agree, but I don't see why using busybox login would limit us to root-only. 
Care to give more details?

Besides, I think using something old and dead as tinylogin with known bugs is 
more of a security problem than setuid root busybox...

:M:
-- 
Dr. Michael 'Mickey' Lauer | IT-Freelancer | http://www.vanille-media.de

Re: tinylogin vs. busybox

[Koen Kooi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael 'Mickey' Lauer schreef:
| On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
|> Michael 'Mickey' Lauer schreef:
|> | I just realized that we are still using tinylogin which has bugs and
|>
|> is dead.
|>
|> | Newer busybox releases contain all the functionality. Anyone know a
|> | compelling reason to keep using tinylogin as the default in
task-base? If
|> | not, I'd like to switch to busybox (after changing its defconfig) soon.
|>
|> Using busybox as login requires it being setuid root, with all the nasty
|> security implications stemming from that.
|
| http://www.busybox.net/lists/busybox/2004-May/011551.html give me the
opinion
| that this is not a problem.

If that email is true, we could dump tinylogin, but frankly, I trust
busybox as far as I can throw a piano (and toybox as far as I can throw
a 21" crt) and SUID root binaries make my skin crawl, so we must be very
carefull and do thorough tests before making this change.
The last thing we want is $bigcompany to blame OE for the exploitabilty
of their devices.

|> I don't think OE should force
|> people to only have one user ('root') on their systems, since that is
|> exactly what your proposed change would mean.
|
| I agree, but I don't see why using busybox login would limit us to
root-only.
| Care to give more details?

The way busybox worked before is that *any* busybox applet is SUID root,
which means 'vi' and 'passwd' are as well, which in practice means there
is only one user: root.

| Besides, I think using something old and dead as tinylogin with known
bugs is
| more of a security problem than setuid root busybox...

That depends on what those bugs are, I can't do more than handwaving
about one being less secure as the other without that knowledge.

regards,

Koen

- --
koen@dominion.kabel.utwente.nl will go go away in december 2007, please
use k.kooi@student.utwente.nl instead.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHswdfMkyGM64RGpERAhIXAJ9+ve//TgUn/U7ZFYUmNaqitAY+bwCfY4pF
JPmlPuPhBdvndxlqzveWVaE=
=nTlr
-----END PGP SIGNATURE-----

Re: tinylogin vs. busybox

[pHilipp Zabel]

On Feb 13, 2008 4:06 PM, Koen Kooi <k.kooi@student.utwente.nl> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael 'Mickey' Lauer schreef:
> | On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
> |> Michael 'Mickey' Lauer schreef:
> |> | I just realized that we are still using tinylogin which has bugs and
> |>
> |> is dead.
> |>
> |> | Newer busybox releases contain all the functionality. Anyone know a
> |> | compelling reason to keep using tinylogin as the default in
> task-base? If
> |> | not, I'd like to switch to busybox (after changing its defconfig) soon.
> |>
> |> Using busybox as login requires it being setuid root, with all the nasty
> |> security implications stemming from that.
> |
> | http://www.busybox.net/lists/busybox/2004-May/011551.html give me the
> opinion
> | that this is not a problem.
>
> If that email is true, we could dump tinylogin, but frankly, I trust
> busybox as far as I can throw a piano (and toybox as far as I can throw
> a 21" crt) and SUID root binaries make my skin crawl, so we must be very
> carefull and do thorough tests before making this change.
> The last thing we want is $bigcompany to blame OE for the exploitabilty
> of their devices.
>
> |> I don't think OE should force
> |> people to only have one user ('root') on their systems, since that is
> |> exactly what your proposed change would mean.
> |
> | I agree, but I don't see why using busybox login would limit us to
> root-only.
> | Care to give more details?
>
> The way busybox worked before is that *any* busybox applet is SUID root,
> which means 'vi' and 'passwd' are as well, which in practice means there
> is only one user: root.

busybox does drop root priviledges for applets that don't need them,
after reading its configuration file.
The only input from non-root users that I can see until then are the
command line parameters (applets/applets.c)

main() --> run_applet_and_exit() --> run_current_applet_and_exit() -->
check_suid()

regards
Philipp

> | Besides, I think using something old and dead as tinylogin with known
> bugs is
> | more of a security problem than setuid root busybox...
>
> That depends on what those bugs are, I can't do more than handwaving
> about one being less secure as the other without that knowledge.
>
> regards,
>
> Koen
>
> - --
> koen@dominion.kabel.utwente.nl will go go away in december 2007, please
> use k.kooi@student.utwente.nl instead.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iD8DBQFHswdfMkyGM64RGpERAhIXAJ9+ve//TgUn/U7ZFYUmNaqitAY+bwCfY4pF
> JPmlPuPhBdvndxlqzveWVaE=
> =nTlr
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
>

Re: tinylogin vs. busybox

[Michael 'Mickey' Lauer]

On Wednesday 13 February 2008 16:06:07 Koen Kooi wrote:
> Michael 'Mickey' Lauer schreef:
> | On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
> |> Michael 'Mickey' Lauer schreef:
> |> | I just realized that we are still using tinylogin which has bugs and
> |>
> |> is dead.
> |>
> |> | Newer busybox releases contain all the functionality. Anyone know a
> |> | compelling reason to keep using tinylogin as the default in
>
> task-base? If
>
> |> | not, I'd like to switch to busybox (after changing its defconfig)
> |> | soon.
> |>
> |> Using busybox as login requires it being setuid root, with all the nasty
> |> security implications stemming from that.
> |
> | http://www.busybox.net/lists/busybox/2004-May/011551.html give me the
>
> opinion
>
> | that this is not a problem.
>
> If that email is true, we could dump tinylogin

Excellent. I will look into this and do some tests.

> , but frankly, I trust 
> busybox as far as I can throw a piano (and toybox as far as I can throw
> a 21" crt) and SUID root binaries make my skin crawl, so we must be very
> carefull and do thorough tests before making this change.
> The last thing we want is $bigcompany to blame OE for the exploitabilty
> of their devices.

Sure, better safe than sorry. Of course this would not be the default in 
OE.dev without being tested for quite some time.

:M:
-- 
Dr. Michael 'Mickey' Lauer | IT-Freelancer | http://www.vanille-media.de

Re: tinylogin vs. busybox

[Sergey Lapin]

On Fri, Feb 15, 2008 at 2:46 PM, Michael 'Mickey' Lauer
<mickey@vanille-media.de> wrote:
>  > , but frankly, I trust
>  > busybox as far as I can throw a piano (and toybox as far as I can throw
>  > a 21" crt) and SUID root binaries make my skin crawl, so we must be very
>  > carefull and do thorough tests before making this change.
>  > The last thing we want is $bigcompany to blame OE for the exploitabilty
>  > of their devices.
>
>  Sure, better safe than sorry. Of course this would not be the default in
>  OE.dev without being tested for quite some time.
Well, is it great idea to replace tinylogin with busybox-suid (which
should contain
carefully selected applets and properly tested)?

Re: tinylogin vs. busybox

[Mark Gollahon]

[-- Attachment #1: Type: text/plain, Size: 1908 bytes --]

Why not run two builds of busybox - once for the tinylogin functions and
again for all the rest?


Michael 'Mickey' Lauer wrote ..
> On Wednesday 13 February 2008 16:06:07 Koen Kooi wrote:
> > Michael 'Mickey' Lauer schreef:
> > | On Wednesday 13 February 2008 13:53:18 Koen Kooi wrote:
> > |> Michael 'Mickey' Lauer schreef:
> > |> | I just realized that we are still using tinylogin which has bugs
> and
> > |>
> > |> is dead.
> > |>
> > |> | Newer busybox releases contain all the functionality. Anyone know
> a
> > |> | compelling reason to keep using tinylogin as the default in
> >
> > task-base? If
> >
> > |> | not, I'd like to switch to busybox (after changing its defconfig)
> > |> | soon.
> > |>
> > |> Using busybox as login requires it being setuid root, with all the
> nasty
> > |> security implications stemming from that.
> > |
> > | http://www.busybox.net/lists/busybox/2004-May/011551.html give me the
> >
> > opinion
> >
> > | that this is not a problem.
> >
> > If that email is true, we could dump tinylogin
> 
> Excellent. I will look into this and do some tests.
> 
> > , but frankly, I trust 
> > busybox as far as I can throw a piano (and toybox as far as I can throw
> > a 21" crt) and SUID root binaries make my skin crawl, so we must be very
> > carefull and do thorough tests before making this change.
> > The last thing we want is $bigcompany to blame OE for the exploitabilty
> > of their devices.
> 
> Sure, better safe than sorry. Of course this would not be the default in
> OE.dev without being tested for quite some time.
> 
> :M:
> -- 
> Dr. Michael 'Mickey' Lauer | IT-Freelancer | http://www.vanille-media.de
> 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel