[alpine-devel] busybox and suid root apps (ping traceroute etc)

Natanael Copa <ncopa@alpinelinux.org>
Message ID
<20110307153845.5371fd22@ncopa-desktop.nor.wtbts.net>
Sender timestamp
1299508725
Hi,

I would like to hear about how you think we should solve:
http://redmine.alpinelinux.org/issues/527

Problem: both iputils and bbsuid provide a /bin/ping binary (which
needs to be suid root). iputils has a replaces=bbsuid so it replaces
the busybox ping. But when you upgrade and a new version of bbsuid exists
you will get a conflict since /bin/ping now is owned by iputils.

Alternatives:
1) Do nothing. Let upgraders 'apk del iputils' before upgrade and apk
add iputils again after upgrade.

2) let bbsuid replace iputils. This will make the upgrade of bbsuid
silently overwrite iputils' /bin/ping.

3) let busybox run as suid root and delete the bbsuid application

4) let bbsuid post-install script create symlinks the same way as
busybox does.


I think #3 is the technically "correct" solution, but running the entire
busybox as suid root scares me (which is why bbsuid exists in the first
place).

The same problem applies to traceroute.

Do we have other alternatives?

What do you think?

-nc


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
William Pitcock <nenolod@dereferenced.org>
Message ID
<20110311165458.3d76c00a@petrie>
In-Reply-To
<20110307153845.5371fd22@ncopa-desktop.nor.wtbts.net>
Sender timestamp
1299884098
On Mon, 7 Mar 2011 15:38:45 +0100
Natanael Copa <ncopa@alpinelinux.org> wrote:

> Hi,
> 
> I would like to hear about how you think we should solve:
> http://redmine.alpinelinux.org/issues/527
> 
> Problem: both iputils and bbsuid provide a /bin/ping binary (which
> needs to be suid root). iputils has a replaces=bbsuid so it replaces
> the busybox ping. But when you upgrade and a new version of bbsuid
> exists you will get a conflict since /bin/ping now is owned by
> iputils.
> 
> Alternatives:
> 1) Do nothing. Let upgraders 'apk del iputils' before upgrade and apk
> add iputils again after upgrade.
> 
> 2) let bbsuid replace iputils. This will make the upgrade of bbsuid
> silently overwrite iputils' /bin/ping.
> 
> 3) let busybox run as suid root and delete the bbsuid application
> 
> 4) let bbsuid post-install script create symlinks the same way as
> busybox does.
> 

I think #4 is the preferable solution here.

- nenolod
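
Alternative 4 from the thread, sketched as an added example (not code from Alpine or from bbsuid): the package ships only the suid helper, and a post-install step creates the applet symlinks, leaving alone any path that another package such as iputils already owns. The helper path /bin/bbsuid, the function name link_applets and the /bin/traceroute path are assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch of alternative 4. Because the symlinks are created at
# post-install time, the package's file list contains no /bin/ping entry
# that could conflict with iputils on upgrade.
# Assumptions (not from the thread): the helper is /bin/bbsuid and it
# dispatches on the name it was invoked as, like busybox does.

# link_applets ROOT TARGET LINK...
# For each LINK, create ROOT/LINK -> TARGET unless something is already
# there. Prints one line per path: "ok", "skip" or "link".
link_applets() {
    root=$1
    target=$2
    shift 2
    for link in "$@"; do
        path="$root$link"
        if [ -L "$path" ] && [ "$(readlink "$path")" = "$target" ]; then
            # Already our symlink from an earlier install: nothing to do.
            echo "ok $link"
        elif [ -e "$path" ] || [ -L "$path" ]; then
            # A real file or a foreign symlink, e.g. iputils' own suid
            # /bin/ping. Never overwrite it silently (that is alternative 2).
            echo "skip $link (exists, left untouched)"
        else
            mkdir -p "$(dirname "$path")"
            ln -s "$target" "$path"
            echo "link $link"
        fi
    done
}

# Constructed demo: a scratch root in which another package already
# ships /bin/ping as a regular file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
: > "$demo_root/bin/ping"
link_applets "$demo_root" /bin/bbsuid /bin/ping /bin/traceroute
rm -rf "$demo_root"
```

Only the helper carries the suid bit in this layout; the symlinks themselves grant nothing, so the set of suid-root binaries on the system stays the same as with the packaged files.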

