FS#26312 - [busybox] SETUID
Attached to Project:
Community Packages
Opened by Sverd Johnsen (sjohnsen) - Thursday, 06 October 2011, 23:53 GMT
Last edited by Sergej Pupykin (sergej) - Sunday, 16 October 2011, 17:26 GMT
Details
Verified a claim on IRC that busybox is setuid. If that was
intentional: very bad idea. Please use namcap on packages -
it's there for a reason.
I hope that no one reported this earlier just because nobody is using it; luckily it's only the community version.
Closed by Sergej Pupykin (sergej)
Sunday, 16 October 2011, 17:26 GMT
Reason for closing: Fixed
Additional comments about closing: both this and FS#25999
by saving access rights during package update.
I would still much prefer it if busybox shipped with a .INSTALL file that basically says "chmod 4555 /bin/busybox if you want to use feature xyz" rather than shipping it with setuid by default.
I make a wild guess and assume that most people just use it casually or for recovery purposes (It's statically linked, after all.) and don't need/want it to be setuid by default given how long Busybox has been without this.