On Wed, May 20, 2015 at 3:58 PM, Laszlo Papp <lp...@kde.org> wrote:
> On Wed, May 20, 2015 at 3:54 PM, Burton, Ross <ross.bur...@intel.com> wrote:
>>
>> On 20 May 2015 at 15:50, Laszlo Papp <lp...@kde.org> wrote:
>>>
>>> Currently, I do not see any simple way without #ifdef jungle in the
>>> code around to it. It is not nice.
>>
>>
>> Looking at the busybox recipe reveals this:
>>
>> # Whether to split the suid apps into a seperate binary
>> BUSYBOX_SPLIT_SUID ?= "1"
>>
>> Just remember that the suid apps were being split out for good security
>> reasons. There's no need for sed to have suid rights!
>
> I will not argue about security measure improvements as I agree about
> them with you. However, I will debate the way this security measure is
> implemented. It is a distraction from the desktop world, where you can
> also use busybox and many do. Now, all of a sudden, we have to handle
> them differently in code and scripts.
>
> I think a less intrusive approach to implementing this could have been
> (and it is probably still not too late) to fix the rights underneath and
> not by such wrappers. Such wrappers will introduce this disruption, which
> is not strictly needed. Well, you could say that if desktop
> distributions also implement it like this, then there is no
> disruption, but I think that is never going to happen if busybox
> itself does not enforce it.
>
> I think this is not a good implementation for security to remain
> consistent with the rest of the world. Could it please be reconsidered
> towards another solution?
>
> It would also be good if someone could tell me how to solve this
> differentiation between desktop and Yocto without further code.

On second thought: it is even worse now than that; our code has to handle _three_ different scenarios:

1) Desktop.
2) Embedded without Yocto or embedded with old Yocto.
3) Embedded with new Yocto.

I do not get excited about this.