FS#26312 - [busybox] SETUID

Attached to Project: Community Packages
Opened by Sverd Johnsen (sjohnsen) - Thursday, 06 October 2011, 23:53 GMT
Last edited by Sergej Pupykin (sergej) - Sunday, 16 October 2011, 17:26 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Sergej Pupykin (sergej)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Verified a claim on IRC that busybox is setuid. If that was intentional: very bad idea. Please use namcap on packages - it's there for a reason.

I hope that no one reported this earlier just because nobody is using it; luckily it's only the community version.

Closed by Sergej Pupykin (sergej)
Sunday, 16 October 2011, 17:26 GMT
Reason for closing: Fixed
Additional comments about closing: both this and FS#25999 by saving access rights during package update.
Comment by Karol Błażewicz (karol) - Friday, 07 October 2011, 00:00 GMT
You mean FS#25999?
Comment by Sverd Johnsen (sjohnsen) - Friday, 07 October 2011, 00:28 GMT
Okay, looks like I (and the other guy) didn't do some basic research. "Severity" should be lowered to reflect that.

I would still much prefer that busybox ship with a .INSTALL file that basically says "chmod 4555 /bin/busybox if you want to use feature xyz" rather than shipping it with setuid by default.

I'll make a wild guess and assume that most people just use it casually or for recovery purposes (it's statically linked, after all) and don't need/want it to be setuid by default, given how long Busybox has been without this.
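
The kind of pre-release check this report asks for, as an added example that is not part of the original thread and is not namcap's own code: a POSIX shell helper that lists setuid/setgid files in a package staging directory. The function names `audit_suid` and `make_sample_pkg` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tracker thread, not namcap's implementation).

# audit_suid DIR
# Prints "KIND PATH" for every regular file under DIR that carries the
# setuid and/or setgid bit (PATH is relative to DIR).
# Returns 0 if none were found, 1 if any were found, 2 on bad input.
audit_suid() {
    pkgdir=$1
    [ -d "$pkgdir" ] || { echo "not a directory: $pkgdir" >&2; return 2; }
    hits=$(cd "$pkgdir" &&
        find . -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
        while IFS= read -r f; do
            kind=
            [ -u "$f" ] && kind=setuid
            [ -g "$f" ] && kind="${kind:+$kind,}setgid"
            printf '%s %s\n' "$kind" "${f#./}"
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_sample_pkg
# Builds a constructed staging tree that mimics the reported state:
# bin/busybox with mode 4555 next to an ordinary 0755 file.
# Prints the path of the temporary directory.
make_sample_pkg() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    : > "$d/bin/busybox"; chmod 4555 "$d/bin/busybox"
    : > "$d/bin/true";    chmod 0755 "$d/bin/true"
    printf '%s\n' "$d"
}

# Stand-alone run on the constructed tree.
sample=$(make_sample_pkg)
audit_suid "$sample" || echo "package ships setuid/setgid files; review before release"
rm -rf "$sample"
```

Pointing `audit_suid` at a real staging directory before packaging gives a non-zero exit status whenever a setuid or setgid file would be shipped, which makes it usable as a build gate.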
