[PATCH] tinylogin: use angstrom mirror for SRC

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH] tinylogin: use angstrom mirror for SRC_URI
@ 2011-06-15 14:27 Phil Blundell
  2011-07-07 10:29 ` Richard Purdie
  0 siblings, 1 reply; 3+ messages in thread
From: Phil Blundell @ 2011-06-15 14:27 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

since busybox.net no longer seems to be hosting the tarball

Signed-off-by: Phil Blundell <philb@gnu.org>
---
 meta/recipes-core/tinylogin/tinylogin_1.4.bb |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/meta/recipes-core/tinylogin/tinylogin_1.4.bb b/meta/recipes-core/tinylogin/tinylogin_1.4.bb
index 0b51b25..b73b5b7 100644
--- a/meta/recipes-core/tinylogin/tinylogin_1.4.bb
+++ b/meta/recipes-core/tinylogin/tinylogin_1.4.bb
@@ -9,7 +9,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM="file://LICENSE;md5=f1060fa3a366f098b5b1d8c2077ba269"
 PR = "r6"
 
-SRC_URI = "http://tinylogin.busybox.net/downloads/tinylogin-${PV}.tar.bz2 \
+SRC_URI = "http://www.angstrom-distribution.org/unstable/sources/tinylogin-${PV}.tar.bz2 \
 	file://cvs-20040608.patch;patch=1;pnum=1 \
 	file://add-system.patch;patch=1;pnum=1 \
 	file://adduser-empty_pwd.patch;patch=1 \
-- 
1.7.2.5






^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] tinylogin: use angstrom mirror for SRC_URI
  2011-06-15 14:27 [PATCH] tinylogin: use angstrom mirror for SRC_URI Phil Blundell
@ 2011-07-07 10:29 ` Richard Purdie
  2011-07-07 10:45   ` Phil Blundell
  0 siblings, 1 reply; 3+ messages in thread
From: Richard Purdie @ 2011-07-07 10:29 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

On Wed, 2011-06-15 at 15:27 +0100, Phil Blundell wrote:
> since busybox.net no longer seems to be hosting the tarball
> 
> Signed-off-by: Phil Blundell <philb@gnu.org>
> ---
>  meta/recipes-core/tinylogin/tinylogin_1.4.bb |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/meta/recipes-core/tinylogin/tinylogin_1.4.bb b/meta/recipes-core/tinylogin/tinylogin_1.4.bb
> index 0b51b25..b73b5b7 100644
> --- a/meta/recipes-core/tinylogin/tinylogin_1.4.bb
> +++ b/meta/recipes-core/tinylogin/tinylogin_1.4.bb
> @@ -9,7 +9,7 @@ LICENSE = "GPLv2"
>  LIC_FILES_CHKSUM="file://LICENSE;md5=f1060fa3a366f098b5b1d8c2077ba269"
>  PR = "r6"
>  
> -SRC_URI = "http://tinylogin.busybox.net/downloads/tinylogin-${PV}.tar.bz2 \
> +SRC_URI = "http://www.angstrom-distribution.org/unstable/sources/tinylogin-${PV}.tar.bz2 \
>  	file://cvs-20040608.patch;patch=1;pnum=1 \
>  	file://add-system.patch;patch=1;pnum=1 \
>  	file://adduser-empty_pwd.patch;patch=1 \

Merged to master, thanks.

Longer term, I wonder if we could make this recipe download and build
busybox but only build the getty/login parts and rename the resulting
static binary to be standalone from busybox itself?

That would likely address the concerns people (rightly IMO) have about
making busybox itself SUID...

Cheers,

Richard




^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] tinylogin: use angstrom mirror for SRC_URI
  2011-07-07 10:29 ` Richard Purdie
@ 2011-07-07 10:45   ` Phil Blundell
  0 siblings, 0 replies; 3+ messages in thread
From: Phil Blundell @ 2011-07-07 10:45 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

On Thu, 2011-07-07 at 11:29 +0100, Richard Purdie wrote:
> Longer term, I wonder if we could make this recipe download and build
> busybox but only build the getty/login parts and rename the resulting
> static binary to be standalone from busybox itself?
> 
> That would likely address the concerns people (rightly IMO) have about
> making busybox itself SUID...

I wondered about that too, but I'm still not very convinced that this is
a good solution.  I continue to feel that having the setuid
login-related pieces as a separate source package is the best approach
and I've never entirely understood why the busybox folks have been so
determined to deprecate tinylogin in favour of the rolled-up version.

Just to recap, I think there are five main areas of concern around
having login and suchlike be part of busybox:

a) the risk that busybox's privilege-dropping code might malfunction and
lead to applets being run with more privs than they ought to have;

b) the risk that busybox might have vulnerabilities in the code which
runs before privileges are dropped;

c) the difficulty in auditing the codebase for vulnerabilities: given
that any part of busybox can (potentially) call any other function in
the executable, it is hard to determine for sure which lines of code
might be executed under setuid context and which might not;

d) the various pieces of low-level fallout which go with having busybox
itself be technically setuid (even if it drops the privileges
immediately), for example inability to strace /bin/sh as any user other
than root.

e) the relatively high level of churn in the busybox codebase, meaning
that any audit would need to be repeated frequently

I think your proposal would address issues (a), (b), (d), and
potentially (e), but it's not obvious to me that there is any way of
solving (c) that wouldn't introduce another maintenance headache.  And
on the downside, I think (although I haven't tested it) that a
login-only busybox build would probably end up bigger than the tinylogin
binaries that we have today.

p.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2011-07-07 10:49 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-06-15 14:27 [PATCH] tinylogin: use angstrom mirror for SRC_URI Phil Blundell
2011-07-07 10:29 ` Richard Purdie
2011-07-07 10:45   ` Phil Blundell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox