diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index ccd8f0c96..5ec9ae3fe 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst @@ -20,7 +20,7 @@ suid: runs under different uid - must fork+exec Why shouldn't be NOFORK/NOEXEC: rare: not started often enough to bother optimizing (example: poweroff) daemon: runs indefinitely; these are also always fit "rare" category -longterm: often runs for a long time (many seconds), execing would make +longterm: often runs for a long time (many seconds), execing makes memory footprint smaller complex: no immediately obvious reason why NOFORK wouldn't work, but does some non-obvoius operations (example: fuser, lsof, losetup); @@ -66,9 +66,9 @@ chgrp - noexec. runner chmod - noexec. runner chown - noexec. runner chpasswd - runner (list of "user:password"s from stdin) -chpst - noexec candidate, spawner -chroot - noexec candidate, spawner -chrt - noexec candidate, spawner +chpst - noexec. spawner +chroot - noexec. spawner +chrt - noexec. spawner chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate. cksum - noexec. runner clear - NOFORK @@ -80,7 +80,7 @@ cpio - runner crond - daemon crontab 0 leaks: open+xasprintf cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. noexec candidate. -cttyhack - noexec candidate, spawner +cttyhack - noexec. spawner cut - noexec. runner date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf) dc - runner (eats stdin if no params) @@ -107,8 +107,8 @@ ed - interactive, longterm egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory) eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds) env - noexec. spawner, changes state (env) -envdir - noexec candidate, spawner -envuidgid - noexec candidate, spawner +envdir - noexec. spawner +envuidgid - noexec. spawner expand - runner expr - leaks: nested allocs factor - runner (eats stdin if no params) @@ -128,7 +128,7 @@ flash_eraseall flash_lock flash_unlock flashcp -flock - spawner, changes state (file locks) +flock - spawner, changes state (file locks), let's play safe and not be noexec fold - noexec. runner free - nofork candidate(struct globals, needs to close /proc/meminfo fd) freeramdisk - leaks: open+ioctl_or_perror_and_die @@ -170,7 +170,7 @@ init - daemon inotifyd - daemon insmod - noexec install - runner -ionice - spawner +ionice - noexec. spawner iostat - runner ip - noexec candidate ipaddr - noexec candidate @@ -190,8 +190,8 @@ klogd - daemon last - runner (I've got 1300 lines of output when tried it) less - interactive, longterm link - NOFORK -linux32 - spawner -linux64 - spawner +linux32 - noexec. spawner +linux64 - noexec. spawner linuxrc - daemon ln - noexec loadfont - leaks: config_open+bb_error_msg_and_die("map format") @@ -247,11 +247,11 @@ netstat - runner with -c nice - noexec candidate, spawner nl - runner nmeter - longterm -nohup - noexec candidate (maybe free concat_path_file result?), spawner +nohup - noexec. spawner nproc - NOFORK ntpd - daemon od - runner -openvt - spawner +openvt - longterm: spawns a child and waits for it partprobe - noexec candidate (simple), leaks: open+ioctl_or_perror_and_die(BLKRRPART) passwd - suid paste - noexec. runner @@ -304,15 +304,15 @@ scriptreplay sed - runner sendmail - runner seq - noexec. runner -setarch - spawner +setarch - noexec. spawner setconsole setfont setkeycodes setlogcons -setpriv - spawner +setpriv - spawner, changes state, let's play safe and not be noexec setserial -setsid - spawner -setuidgid +setsid - spawner, uses fork_or_rexec() [not audted to work in noexec], let's play safe and not be noexec +setuidgid - noexec. spawner sha1sum - noexec. runner sha256sum - noexec. runner sha3sum - noexec. runner @@ -323,7 +323,7 @@ shuf - noexec. runner slattach sleep - runner, longterm smemcap - runner -softlimit - noexec candidate, spawner +softlimit - noexec. spawner sort - noexec. runner split - runner ssl_client - longterm @@ -332,21 +332,21 @@ stat - nofork candidate(needs fewer allocs) strings - runner stty - noexec/nofork candidate. has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd su - suid, spawner -sulogin - spawner +sulogin - noexec. spawner sum - runner sv - noexec candidate, needs ^C (uses usleep(420000)) svc - noexec candidate, needs ^C (uses usleep(420000)) svlogd - daemon swapoff - rare swapon - rare -switch_root - spawner, rare, changes state +switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode sync - NOFORK sysctl - noexec candidate, leaks: xstrdup+xmalloc_read syslogd - daemon tac - noexec. runner tail - runner tar - runner -taskset - spawner +taskset - noexec. spawner tcpsvd - daemon tee - runner telnet - interactive, longterm @@ -354,8 +354,8 @@ telnetd - daemon test - NOFORK tftp - runner tftpd - daemon -time - spawner, changes state (signals) -timeout - spawner, changes state (signals) +time - spawner, longterm, changes state (signals) +timeout - spawner, longterm, changes state (signals) top - interactive, longterm touch - NOFORK tr - runner diff --git a/console-tools/reset.c b/console-tools/reset.c index 04e5b0ca1..f2b900ddb 100644 --- a/console-tools/reset.c +++ b/console-tools/reset.c @@ -16,7 +16,7 @@ //config: This program is used to reset the terminal screen, if it //config: gets messed up. -//applet:IF_RESET(APPLET(reset, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_RESET(APPLET_NOEXEC(reset, reset, BB_DIR_USR_BIN, BB_SUID_DROP, reset)) //kbuild:lib-$(CONFIG_RESET) += reset.o diff --git a/coreutils/chroot.c b/coreutils/chroot.c index 5645d72df..78751df84 100644 --- a/coreutils/chroot.c +++ b/coreutils/chroot.c @@ -13,7 +13,7 @@ //config: chroot is used to change the root directory and run a command. //config: The default command is '/bin/sh'. -//applet:IF_CHROOT(APPLET(chroot, BB_DIR_USR_SBIN, BB_SUID_DROP)) +//applet:IF_CHROOT(APPLET_NOEXEC(chroot, chroot, BB_DIR_USR_SBIN, BB_SUID_DROP, chroot)) //kbuild:lib-$(CONFIG_CHROOT) += chroot.o @@ -40,6 +40,7 @@ int chroot_main(int argc UNUSED_PARAM, char **argv) ++argv; if (!*argv) bb_show_usage(); + xchroot(*argv); ++argv; diff --git a/coreutils/nice.c b/coreutils/nice.c index 0bf055299..d6818cf00 100644 --- a/coreutils/nice.c +++ b/coreutils/nice.c @@ -12,7 +12,7 @@ //config: help //config: nice runs a program with modified scheduling priority. -//applet:IF_NICE(APPLET(nice, BB_DIR_BIN, BB_SUID_DROP)) +//applet:IF_NICE(APPLET_NOEXEC(nice, nice, BB_DIR_BIN, BB_SUID_DROP, nice)) //kbuild:lib-$(CONFIG_NICE) += nice.o diff --git a/coreutils/nohup.c b/coreutils/nohup.c index df271c738..8a70ec4df 100644 --- a/coreutils/nohup.c +++ b/coreutils/nohup.c @@ -15,7 +15,7 @@ //config: help //config: run a command immune to hangups, with output to a non-tty. -//applet:IF_NOHUP(APPLET(nohup, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_NOHUP(APPLET_NOEXEC(nohup, nohup, BB_DIR_USR_BIN, BB_SUID_DROP, nohup)) //kbuild:lib-$(CONFIG_NOHUP) += nohup.o diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c index d5a463cac..27ea5dff0 100644 --- a/loginutils/sulogin.c +++ b/loginutils/sulogin.c @@ -12,7 +12,7 @@ //config: sulogin is invoked when the system goes into single user //config: mode (this is done through an entry in inittab). -//applet:IF_SULOGIN(APPLET(sulogin, BB_DIR_SBIN, BB_SUID_DROP)) +//applet:IF_SULOGIN(APPLET_NOEXEC(sulogin, sulogin, BB_DIR_SBIN, BB_SUID_DROP, sulogin)) //kbuild:lib-$(CONFIG_SULOGIN) += sulogin.o @@ -34,7 +34,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv) /* Note: sulogin is not a suid app. It is meant to be run by init * for single user / emergency mode. init starts it as root. - * Normal users (potentially malisious ones) can only run it under + * Normal users (potentially malicious ones) can only run it under * their UID, therefore no paranoia here is warranted: * $LD_LIBRARY_PATH in env, TTY = /dev/sda * are no more dangerous here than in e.g. cp applet. diff --git a/runit/chpst.c b/runit/chpst.c index ccc96539d..c061a91ea 100644 --- a/runit/chpst.c +++ b/runit/chpst.c @@ -59,12 +59,12 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. //config: help //config: Sets soft resource limits as specified by options -//applet:IF_CHPST(APPLET(chpst, BB_DIR_USR_BIN, BB_SUID_DROP)) -// APPLET_ODDNAME:name main location suid_type help -//applet:IF_ENVDIR( APPLET_ODDNAME(envdir, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envdir)) -//applet:IF_ENVUIDGID(APPLET_ODDNAME(envuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envuidgid)) -//applet:IF_SETUIDGID(APPLET_ODDNAME(setuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, setuidgid)) -//applet:IF_SOFTLIMIT(APPLET_ODDNAME(softlimit, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, softlimit)) +//applet:IF_CHPST( APPLET_NOEXEC(chpst, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, chpst)) +// APPLET_NOEXEC:name main location suid_type help +//applet:IF_ENVDIR( APPLET_NOEXEC(envdir, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envdir)) +//applet:IF_ENVUIDGID(APPLET_NOEXEC(envuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envuidgid)) +//applet:IF_SETUIDGID(APPLET_NOEXEC(setuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, setuidgid)) +//applet:IF_SOFTLIMIT(APPLET_NOEXEC(softlimit, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, softlimit)) //kbuild:lib-$(CONFIG_CHPST) += chpst.o //kbuild:lib-$(CONFIG_ENVDIR) += chpst.o diff --git a/shell/cttyhack.c b/shell/cttyhack.c index 9004b4763..849fe9e48 100644 --- a/shell/cttyhack.c +++ b/shell/cttyhack.c @@ -6,7 +6,7 @@ */ #include "libbb.h" -//applet:IF_CTTYHACK(APPLET(cttyhack, BB_DIR_BIN, BB_SUID_DROP)) +//applet:IF_CTTYHACK(APPLET_NOEXEC(cttyhack, cttyhack, BB_DIR_BIN, BB_SUID_DROP, cttyhack)) //kbuild:lib-$(CONFIG_CTTYHACK) += cttyhack.o diff --git a/util-linux/chrt.c b/util-linux/chrt.c index 4bc8b6cfa..52523df02 100644 --- a/util-linux/chrt.c +++ b/util-linux/chrt.c @@ -12,7 +12,7 @@ //config: manipulate real-time attributes of a process. //config: This requires sched_{g,s}etparam support in your libc. -//applet:IF_CHRT(APPLET(chrt, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_CHRT(APPLET_NOEXEC(chrt, chrt, BB_DIR_USR_BIN, BB_SUID_DROP, chrt)) //kbuild:lib-$(CONFIG_CHRT) += chrt.o diff --git a/util-linux/ionice.c b/util-linux/ionice.c index c7b7f0373..5b9664d25 100644 --- a/util-linux/ionice.c +++ b/util-linux/ionice.c @@ -14,7 +14,7 @@ //config: Set/set program io scheduling class and priority //config: Requires kernel >= 2.6.13 -//applet:IF_IONICE(APPLET(ionice, BB_DIR_BIN, BB_SUID_DROP)) +//applet:IF_IONICE(APPLET_NOEXEC(ionice, ionice, BB_DIR_BIN, BB_SUID_DROP, ionice)) //kbuild:lib-$(CONFIG_IONICE) += ionice.o diff --git a/util-linux/setarch.c b/util-linux/setarch.c index d4b568832..520865318 100644 --- a/util-linux/setarch.c +++ b/util-linux/setarch.c @@ -30,10 +30,10 @@ //config: help //config: Alias to "setarch linux64". -//applet:IF_SETARCH(APPLET(setarch, BB_DIR_BIN, BB_SUID_DROP)) -// APPLET_ODDNAME:name main location suid_type help -//applet:IF_LINUX32(APPLET_ODDNAME(linux32, setarch, BB_DIR_BIN, BB_SUID_DROP, linux32)) -//applet:IF_LINUX64(APPLET_ODDNAME(linux64, setarch, BB_DIR_BIN, BB_SUID_DROP, linux64)) +//applet:IF_SETARCH(APPLET_NOEXEC(setarch, setarch, BB_DIR_BIN, BB_SUID_DROP, setarch)) +// APPLET_NOEXEC:name main location suid_type help +//applet:IF_LINUX32(APPLET_NOEXEC(linux32, setarch, BB_DIR_BIN, BB_SUID_DROP, linux32)) +//applet:IF_LINUX64(APPLET_NOEXEC(linux64, setarch, BB_DIR_BIN, BB_SUID_DROP, linux64)) //kbuild:lib-$(CONFIG_SETARCH) += setarch.o //kbuild:lib-$(CONFIG_LINUX32) += setarch.o diff --git a/util-linux/taskset.c b/util-linux/taskset.c index 9957b1a71..89dea176e 100644 --- a/util-linux/taskset.c +++ b/util-linux/taskset.c @@ -22,7 +22,7 @@ //config: affinity parameter 0xHHHHHHHHHHHHHHHHHHHH can be arbitrarily long //config: in this case. Otherwise, it is limited to sizeof(long). -//applet:IF_TASKSET(APPLET(taskset, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_TASKSET(APPLET_NOEXEC(taskset, taskset, BB_DIR_USR_BIN, BB_SUID_DROP, taskset)) //kbuild:lib-$(CONFIG_TASKSET) += taskset.o //usage:#define taskset_trivial_usage