2017-08-03 06:59:32 +05:30
Why an applet can't be NOFORK or NOEXEC?
Why can't be NOFORK:
interactive: may wait for user input, ^C has to work
2017-08-04 19:31:39 +05:30
spawner: "tool PROG ARGS" which changes program state and execs - must fork
2017-08-03 06:59:32 +05:30
changes state: e.g. environment, signal handlers
2017-08-04 17:58:16 +05:30
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
2017-08-04 19:31:39 +05:30
leaks: does not free allocated memory or opened fds
2017-08-03 22:30:01 +05:30
runner: sometimes may run for long(ish) time, and/or works with network:
2017-08-03 06:59:32 +05:30
^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
2017-08-04 19:31:39 +05:30
"runners" can become eligible after shell is taught ^C to interrupt NOFORKs,
2017-08-04 21:06:16 +05:30
need to be inspected that they do not fall into alloc+xfunc, open+xfunc,
leak categories.
2017-08-03 06:59:32 +05:30
Why can't be NOEXEC:
suid: runs under different uid - must fork+exec
Why shouldn't be NOFORK/NOEXEC:
2017-08-04 19:31:39 +05:30
rare: not started often enough to bother optimizing (example: poweroff)
daemon: runs indefinitely; these are also always fit "rare" category
2017-08-04 23:25:01 +05:30
longterm: often runs for a long time (many seconds), execing makes
2017-08-03 22:30:01 +05:30
memory footprint smaller
2017-08-04 19:31:39 +05:30
complex: no immediately obvious reason why NOFORK wouldn't work,
2017-08-04 21:06:16 +05:30
but does some non-obvoius operations (example: fuser, lsof, losetup);
detailed audit often turns out that it's a leaker
Interesting example of "interactive" applet which is nevertheless can be
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
for users to keep it waiting for many minutes, whereas running "rm" in shell
is very typical, and speeding up this common use via NOEXEC is useful.
IOW: rm is "interactive", but not "longterm".
2017-08-03 06:59:32 +05:30
[ - NOFORK
[[ - NOFORK
acpid - daemon
add-shell
addgroup
adduser
2017-08-06 23:30:21 +05:30
adjtimex - NOFORK
2017-08-03 06:59:32 +05:30
ar - runner
arch - NOFORK
2017-08-04 21:06:16 +05:30
arp - complex, rare
2017-08-03 06:59:32 +05:30
arping - runner
2017-08-04 21:06:16 +05:30
ash - interactive, longterm
2017-08-03 22:30:01 +05:30
awk - noexec. runner
2017-08-03 06:59:32 +05:30
base64 - runner
basename - NOFORK
beep
blkdiscard
blkid
2017-08-05 04:59:12 +05:30
blockdev - noexec. leaks fd
2017-08-03 06:59:32 +05:30
bootchartd - daemon
2017-08-06 23:44:02 +05:30
brctl - noexec
2017-08-03 06:59:32 +05:30
bunzip2 - runner
busybox
bzcat - runner
bzip2 - runner
2017-08-03 22:30:01 +05:30
cal - runner: cal -n9999
2017-08-03 06:59:32 +05:30
cat - runner
2017-08-04 21:06:16 +05:30
chat - needs ^C to work
2017-08-06 00:08:04 +05:30
chattr - noexec. runner
2017-08-03 22:30:01 +05:30
chgrp - noexec. runner
chmod - noexec. runner
chown - noexec. runner
2017-08-03 06:59:32 +05:30
chpasswd - runner (list of "user:password"s from stdin)
2017-08-04 23:25:01 +05:30
chpst - noexec. spawner
chroot - noexec. spawner
chrt - noexec. spawner
2017-08-05 05:32:31 +05:30
chvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
2017-08-03 22:30:01 +05:30
cksum - noexec. runner
2017-08-03 06:59:32 +05:30
clear - NOFORK
cmp - runner
comm - runner
2017-08-04 21:29:46 +05:30
conspy - interactive, longterm
2017-08-03 22:30:01 +05:30
cp - noexec. runner
2017-08-03 06:59:32 +05:30
cpio - runner
crond - daemon
2017-08-06 20:44:09 +05:30
crontab - longterm (runs $EDITOR), leaks: open+xasprintf
2017-08-05 05:38:23 +05:30
cryptpw - noexec. changes state: with --password-fd=N, moves N to stdin
2017-08-04 23:25:01 +05:30
cttyhack - noexec. spawner
2017-08-03 22:30:01 +05:30
cut - noexec. runner
date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
2017-08-03 06:59:32 +05:30
dc - runner (eats stdin if no params)
2017-08-03 22:30:01 +05:30
dd - noexec. runner
2017-08-05 05:32:31 +05:30
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
2017-08-03 06:59:32 +05:30
delgroup
deluser
2017-08-04 21:06:16 +05:30
depmod - complex, rare
2017-08-03 22:30:01 +05:30
devmem - runner, complex (access to device memory may hang)
2017-08-04 21:29:46 +05:30
df - leaks: nested allocs
2017-08-03 06:59:32 +05:30
dhcprelay - daemon
diff - runner
dirname - NOFORK
2017-08-03 22:30:01 +05:30
dmesg - runner
2017-08-03 06:59:32 +05:30
dnsd - daemon
2017-08-04 21:06:16 +05:30
dnsdomainname - needs ^C (may talk to DNS servers, which may be down)
2017-08-03 22:30:01 +05:30
dos2unix - noexec. runner
2017-08-03 06:59:32 +05:30
dpkg - runner
2017-08-03 22:30:01 +05:30
du - runner
2017-08-05 05:32:31 +05:30
dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
2017-08-04 22:46:01 +05:30
dumpleases - leaks: open+xread
2017-08-03 06:59:32 +05:30
echo - NOFORK
2017-08-04 21:06:16 +05:30
ed - interactive, longterm
egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
2017-08-04 21:29:46 +05:30
env - noexec. spawner, changes state (env)
2017-08-04 23:25:01 +05:30
envdir - noexec. spawner
envuidgid - noexec. spawner
2017-08-03 06:59:32 +05:30
expand - runner
2017-08-04 21:29:46 +05:30
expr - leaks: nested allocs
2017-08-03 06:59:32 +05:30
factor - runner (eats stdin if no params)
fakeidentd - daemon
false - NOFORK
2017-08-04 21:29:46 +05:30
fatattr - leaks: open+xioctl, complex
2017-08-04 21:06:16 +05:30
fbset - leaks: open+xfunc, complex, rare
fbsplash - runner, longterm
fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
fdformat - needs ^C (floppy may be unresponsive), longterm, rare
fdisk - interactive, longterm
2017-08-05 05:32:31 +05:30
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
2017-08-04 21:06:16 +05:30
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
2017-08-03 22:30:01 +05:30
find - noexec. runner
2017-08-03 06:59:32 +05:30
findfs - suid
flash_eraseall
flash_lock
flash_unlock
flashcp
2017-08-04 23:25:01 +05:30
flock - spawner, changes state (file locks), let's play safe and not be noexec
2017-08-03 22:30:01 +05:30
fold - noexec. runner
free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
2017-08-04 21:06:16 +05:30
freeramdisk - leaks: open+ioctl_or_perror_and_die
fsck - interactive, longterm
2017-08-04 22:46:01 +05:30
fsck.minix - needs ^C
2017-08-05 04:59:12 +05:30
fsfreeze - noexec. leaks: open+xioctl
fstrim - noexec. leaks: open+xioctl, find_block_device -> readdir+xstrdup
2017-08-03 06:59:32 +05:30
fsync - NOFORK
ftpd - daemon
ftpget - runner
ftpput - runner
fuser - complex
2017-08-04 21:29:46 +05:30
getopt - noexec. leaks: many allocs
2017-08-04 21:06:16 +05:30
getty - interactive, longterm
grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory)
2017-08-03 06:59:32 +05:30
groups - noexec
gunzip - runner
gzip - runner
halt - rare
2017-08-03 22:30:01 +05:30
hd - noexec. runner
2017-08-03 06:59:32 +05:30
hdparm - complex, rare
2017-08-03 22:30:01 +05:30
head - noexec. runner
hexdump - noexec. runner
2017-08-03 06:59:32 +05:30
hostid - NOFORK
2017-08-04 22:06:55 +05:30
hostname - needs ^C (may talk to DNS servers, which may be down)
2017-08-03 06:59:32 +05:30
httpd - daemon
2017-08-04 21:06:16 +05:30
hush - interactive, longterm
2017-08-04 21:29:46 +05:30
hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C
2017-08-03 06:59:32 +05:30
i2cdetect
i2cdump
i2cget
i2cset
id - noexec
2017-08-04 22:46:01 +05:30
ifconfig - leaks: xsocket+ioctl_or_perror_and_die
ifenslave - leaks: xsocket+bb_perror_msg_and_die
2017-08-03 06:59:32 +05:30
ifplugd - daemon
inetd - daemon
init - daemon
inotifyd - daemon
2017-08-04 06:26:39 +05:30
insmod - noexec
2017-08-03 06:59:32 +05:30
install - runner
2017-08-04 23:25:01 +05:30
ionice - noexec. spawner
2017-08-03 06:59:32 +05:30
iostat - runner
2017-08-03 23:00:21 +05:30
ip - noexec candidate
ipaddr - noexec candidate
ipcalc - noexec candidate
ipcrm - noexec candidate
ipcs - noexec candidate
iplink - noexec candidate
ipneigh - noexec candidate
iproute - noexec candidate
iprule - noexec candidate
iptunnel - noexec candidate
2017-08-06 15:58:00 +05:30
kbd_mode - noexec. leaks: xopen_nonblocking+xioctl
2017-08-03 22:30:01 +05:30
kill - NOFORK
killall - NOFORK
killall5 - NOFORK
2017-08-03 06:59:32 +05:30
klogd - daemon
2017-08-03 22:30:01 +05:30
last - runner (I've got 1300 lines of output when tried it)
2017-08-04 21:06:16 +05:30
less - interactive, longterm
2017-08-03 06:59:32 +05:30
link - NOFORK
2017-08-04 23:25:01 +05:30
linux32 - noexec. spawner
linux64 - noexec. spawner
2017-08-03 06:59:32 +05:30
linuxrc - daemon
ln - noexec
2017-08-06 22:35:45 +05:30
loadfont - noexec. leaks: config_open+bb_error_msg_and_die("map format")
2017-08-05 05:32:31 +05:30
loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
2017-08-03 06:59:32 +05:30
logger - runner
2017-08-04 21:06:16 +05:30
login - suid, interactive, longterm
2017-08-03 06:59:32 +05:30
logname - NOFORK
losetup - complex
lpd - daemon
lpq - runner
lpr - runner
2017-08-03 22:30:01 +05:30
ls - noexec. runner
2017-08-06 00:08:04 +05:30
lsattr - noexec. runner
2017-08-04 06:26:39 +05:30
lsmod - noexec
2017-08-03 06:59:32 +05:30
lsof - complex
2017-08-06 02:58:19 +05:30
lspci - noexec. too rare to bother for nofork
lsscsi - noexec. too rare to bother for nofork
lsusb - noexec. too rare to bother for nofork
2017-08-03 06:59:32 +05:30
lzcat - runner
lzma - runner
lzop - runner
lzopcat - runner
makedevs
makemime - runner
2017-08-04 21:06:16 +05:30
man - spawner, interactive, longterm
2017-08-03 22:30:01 +05:30
md5sum - noexec. runner
2017-08-03 06:59:32 +05:30
mdev - daemon
2017-08-04 22:46:01 +05:30
mesg - NOFORK
2017-08-04 21:06:16 +05:30
microcom - interactive, longterm
2017-08-03 06:59:32 +05:30
mkdir - NOFORK
2017-08-04 22:06:55 +05:30
mkdosfs - needs ^C
mke2fs - needs ^C
2017-08-03 06:59:32 +05:30
mkfifo - noexec
2017-08-04 22:06:55 +05:30
mkfs.ext2 - needs ^C
mkfs.minix - needs ^C
mkfs.vfat - needs ^C
2017-08-03 06:59:32 +05:30
mknod - noexec
2017-08-05 05:38:23 +05:30
mkpasswd - noexec. changes state: with --password-fd=N, moves N to stdin
2017-08-04 22:06:55 +05:30
mkswap - needs ^C
2017-08-04 21:09:05 +05:30
mktemp - noexec. leaks: xstrdup+concat_path_file
2017-08-04 06:26:39 +05:30
modinfo - noexec
modprobe - noexec
2017-08-04 21:06:16 +05:30
more - interactive, longterm
2017-08-03 06:59:32 +05:30
mount - suid
2017-08-05 04:59:12 +05:30
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
2017-08-06 17:45:24 +05:30
mpstat - longterm: "mpstat 1" runs indefinitely
2017-08-04 22:06:55 +05:30
mt - rare
2017-08-04 22:46:01 +05:30
mv - noexec candidate, runner
2017-08-06 17:45:24 +05:30
nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
2017-08-03 06:59:32 +05:30
nbd-client
nc - runner
2017-08-03 22:30:01 +05:30
netstat - runner with -c
2017-08-04 23:37:19 +05:30
nice - noexec. spawner
2017-08-03 06:59:32 +05:30
nl - runner
2017-08-04 22:06:55 +05:30
nmeter - longterm
2017-08-04 23:25:01 +05:30
nohup - noexec. spawner
2017-08-03 06:59:32 +05:30
nproc - NOFORK
ntpd - daemon
od - runner
2017-08-04 23:25:01 +05:30
openvt - longterm: spawns a child and waits for it
2017-08-05 05:16:39 +05:30
partprobe - noexec. leaks: open+ioctl_or_perror_and_die(BLKRRPART)
2017-08-03 06:59:32 +05:30
passwd - suid
2017-08-03 22:30:01 +05:30
paste - noexec. runner
2017-08-04 22:06:55 +05:30
patch - needs ^C
2017-08-03 22:30:01 +05:30
pgrep - nofork candidate(xregcomp, procps_scan - are they ok?)
pidof - nofork candidate(uses find_pid_by_name, is that ok?)
2017-08-03 06:59:32 +05:30
ping - suid, runner
ping6 - suid, runner
2017-08-04 22:46:01 +05:30
pipe_progress - longterm
2017-08-05 05:21:12 +05:30
pivot_root - NOFORK
2017-08-03 22:30:01 +05:30
pkill - nofork candidate(xregcomp, procps_scan - are they ok?)
2017-08-04 22:06:55 +05:30
pmap - noexec candidate, leaks: open+xstrdup
2017-08-03 06:59:32 +05:30
popmaildir - runner
poweroff - rare
2017-08-03 22:30:01 +05:30
powertop - interactive, longterm
2017-08-03 06:59:32 +05:30
printenv - NOFORK
printf - NOFORK
2017-08-06 01:55:00 +05:30
ps - looks for AT_CLKTCK elf aux vector, therefore can't be noexec
2017-08-03 23:00:21 +05:30
pscan - longterm
2017-08-06 01:55:00 +05:30
pstree - noexec
2017-08-03 06:59:32 +05:30
pwd - NOFORK
2017-08-03 22:30:01 +05:30
pwdx - NOFORK
2017-08-06 22:38:46 +05:30
raidautorun - noexec. very simple. leaks: open+xioctl
2017-08-04 22:06:55 +05:30
rdate - needs ^C (may talk to DNS servers, which may be down)
rdev - leaks: find_block_device -> readdir+xstrdup
2017-08-03 22:30:01 +05:30
readlink - NOFORK
2017-08-03 06:59:32 +05:30
readprofile
2017-08-03 22:30:01 +05:30
realpath - NOFORK
2017-08-03 06:59:32 +05:30
reboot - rare
reformime - runner
remove-shell
2017-08-03 22:30:01 +05:30
renice - nofork candidate(uses getpwnam, is that ok?)
2017-08-04 23:37:19 +05:30
reset - noexec. spawner (execs "stty")
2017-08-03 22:30:01 +05:30
resize - noexec. changes state (signal handlers)
2017-08-03 06:59:32 +05:30
rev - runner
2017-08-03 22:30:01 +05:30
rm - noexec. rm -i interactive
2017-08-03 06:59:32 +05:30
rmdir - NOFORK
2017-08-04 06:26:39 +05:30
rmmod - noexec
2017-08-04 22:06:55 +05:30
route - needs ^C (may talk to DNS servers, which may be down)
2017-08-03 06:59:32 +05:30
rpm - runner
rpm2cpio - runner
2017-08-04 22:06:55 +05:30
rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless
2017-08-06 22:38:46 +05:30
run-parts - longterm
2017-08-04 21:29:46 +05:30
runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother?
2017-08-03 06:59:32 +05:30
runsv - daemon
runsvdir - daemon
rx - runner
script
scriptreplay
sed - runner
sendmail - runner
2017-08-03 22:30:01 +05:30
seq - noexec. runner
2017-08-04 23:25:01 +05:30
setarch - noexec. spawner
2017-08-06 22:26:25 +05:30
setconsole - noexec
2017-08-06 22:35:45 +05:30
setfont - noexec. leaks a lot of stuff
2017-08-06 21:59:25 +05:30
setkeycodes - noexec
2017-08-06 21:47:58 +05:30
setlogcons - noexec
2017-08-04 23:25:01 +05:30
setpriv - spawner, changes state, let's play safe and not be noexec
2017-08-06 21:36:46 +05:30
setserial - noexec
2017-08-06 20:44:09 +05:30
setsid - spawner, uses fork_or_rexec() [not audited to work in noexec], let's play safe and not be noexec
2017-08-04 23:25:01 +05:30
setuidgid - noexec. spawner
2017-08-03 22:30:01 +05:30
sha1sum - noexec. runner
sha256sum - noexec. runner
sha3sum - noexec. runner
sha512sum - noexec. runner
2017-08-04 21:06:16 +05:30
showkey - interactive, longterm
2017-08-03 06:59:32 +05:30
shred - runner
2017-08-03 22:30:01 +05:30
shuf - noexec. runner
2017-08-06 20:44:09 +05:30
slattach - longterm (may sleep forever), uses bb_common_bufsiz1
2017-08-04 22:06:55 +05:30
sleep - runner, longterm
2017-08-03 06:59:32 +05:30
smemcap - runner
2017-08-04 23:25:01 +05:30
softlimit - noexec. spawner
2017-08-03 22:30:01 +05:30
sort - noexec. runner
2017-08-03 06:59:32 +05:30
split - runner
2017-08-04 22:06:55 +05:30
ssl_client - longterm
2017-08-03 06:59:32 +05:30
start-stop-daemon
2017-08-03 22:30:01 +05:30
stat - nofork candidate(needs fewer allocs)
2017-08-03 06:59:32 +05:30
strings - runner
2017-08-04 23:37:19 +05:30
stty - noexec. nofork candidate: has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd
2017-08-03 06:59:32 +05:30
su - suid, spawner
2017-08-04 23:25:01 +05:30
sulogin - noexec. spawner
2017-08-03 06:59:32 +05:30
sum - runner
2017-08-05 05:12:08 +05:30
sv - noexec. needs ^C (uses usleep(420000))
svc - noexec. needs ^C (uses usleep(420000))
2017-08-03 06:59:32 +05:30
svlogd - daemon
swapoff - rare
swapon - rare
2017-08-04 23:25:01 +05:30
switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
2017-08-03 06:59:32 +05:30
sync - NOFORK
2017-08-05 21:53:10 +05:30
sysctl - noexec. leaks: xstrdup+xmalloc_read
2017-08-03 06:59:32 +05:30
syslogd - daemon
2017-08-03 22:30:01 +05:30
tac - noexec. runner
2017-08-03 06:59:32 +05:30
tail - runner
tar - runner
2017-08-04 23:25:01 +05:30
taskset - noexec. spawner
2017-08-03 06:59:32 +05:30
tcpsvd - daemon
tee - runner
2017-08-04 21:06:16 +05:30
telnet - interactive, longterm
2017-08-03 06:59:32 +05:30
telnetd - daemon
test - NOFORK
tftp - runner
tftpd - daemon
2017-08-04 23:25:01 +05:30
time - spawner, longterm, changes state (signals)
timeout - spawner, longterm, changes state (signals)
2017-08-03 22:30:01 +05:30
top - interactive, longterm
2017-08-03 06:59:32 +05:30
touch - NOFORK
tr - runner
traceroute - suid, runner
traceroute6 - suid, runner
true - NOFORK
truncate - NOFORK
tty - NOFORK
2017-08-03 22:30:01 +05:30
ttysize - NOFORK
2017-08-06 15:58:00 +05:30
tunctl - noexec
2017-08-06 00:08:04 +05:30
tune2fs - noexec. leaks: open+xfunc
2017-08-03 06:59:32 +05:30
ubiattach
ubidetach
ubimkvol
ubirename
ubirmvol
ubirsvol
ubiupdatevol
udhcpc - daemon
udhcpd - daemon
udpsvd - daemon
uevent - daemon
2017-08-06 02:51:02 +05:30
umount - noexec. leaks: nested xmalloc
2017-08-03 06:59:32 +05:30
uname - NOFORK
uncompress - runner
unexpand - runner
uniq - runner
2017-08-03 22:30:01 +05:30
unix2dos - noexec. runner
2017-08-03 06:59:32 +05:30
unlink - NOFORK
unlzma - runner
unlzop - runner
unxz - runner
unzip - runner
2017-08-03 22:30:01 +05:30
uptime - nofork candidate(is getutxent ok?)
users - nofork candidate(is getutxent ok?)
2017-08-03 06:59:32 +05:30
usleep - NOFORK
uudecode - runner
uuencode - runner
2017-08-04 21:06:16 +05:30
vconfig - leaks: xsocket+ioctl_or_perror_and_die
vi - interactive, longterm
2017-08-03 06:59:32 +05:30
vlock - suid
volname - runner
2017-08-04 22:46:01 +05:30
w - nofork candidate(is getutxent ok?)
2017-08-03 06:59:32 +05:30
wall - suid
2017-08-04 21:29:46 +05:30
watch - longterm
2017-08-03 06:59:32 +05:30
watchdog - daemon
wc - runner
2017-08-04 21:29:46 +05:30
wget - longterm
2017-08-03 06:59:32 +05:30
which - NOFORK
2017-08-04 22:46:01 +05:30
who - nofork candidate(is getutxent ok?)
2017-08-03 06:59:32 +05:30
whoami - NOFORK
2017-08-04 22:46:01 +05:30
whois - needs ^C
2017-08-03 22:30:01 +05:30
xargs - noexec. spawner
xxd - noexec. runner
2017-08-03 06:59:32 +05:30
xz - runner
xzcat - runner
2017-08-03 22:30:01 +05:30
yes - noexec. runner
2017-08-03 06:59:32 +05:30
zcat - runner
zcip - daemon