[syslinux] Security issues with SYSLINUX 2.01
Seth David Schoen
schoen at loyalty.org
Thu Feb 6 18:07:21 PST 2003
H. Peter Anvin writes:
> I have just received some audit info on the SYSLINUX 2.01 installer
> running setuid. There seem to be some issues, and although I can fix
> them easily enough I'm somewhat questioning the whole approach.
>
> The other alternative would be to make the syslinux installer a wrapper
> around mtools, and use mtools for the filesystem access. Since this
> would be done entirely in userspace, as a normal user, there wouldn't be
> any security issues with it.
>
> The main problem with this is that mtools is *big*, about 120K worth of
> code.
>
> What do people think about this? I'd like to release a security-fixed
> version tonight, since I'm leaving on a trip early tomorrow morning.

The LNX-BBC project, which has been using SYSLINUX since our
predecessor project got started in 1999, has used mtools (and dd)
successfully to make bootable SYSLINUX floppies for over a year now.
http://gar.lnx-bbc.org/cvs/gar/meta/lnx.img/Makefile?rev=HEAD&content-type=text/vnd.viewcvs-markup
We've been very happy with the mtools approach. (We also have a
one-line Perl substitute for rdev...) The net result is that we can
build a complete bootable distribution image with no need for root
privilege at all. I think that's a worthwhile feature.
--
Seth David Schoen <schoen at loyalty.org> | Reading is a right, not a feature!
http://www.loyalty.org/~schoen/ | -- Kathryn Myronuk
http://vitanuova.loyalty.org/ |