83d7785e41
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
418 lines
10 KiB
Plaintext
418 lines
10 KiB
Plaintext
Why an applet can't be NOFORK or NOEXEC?
|
|
|
|
Why can't be NOFORK:
|
|
interactive: may wait for user input, ^C has to work
|
|
spawner: "tool PROG ARGS" which changes program state and execs - must fork
|
|
changes state: e.g. environment, signal handlers
|
|
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
|
|
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
|
|
leaks: does not free allocated memory or opened fds
|
|
runner: sometimes may run for long(ish) time, and/or works with network:
|
|
^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
|
|
|
|
"runners" can become eligible after shell is taught ^C to interrupt NOFORKs,
|
|
need to be inspected that they do not fall into alloc+xfunc, open+xfunc,
|
|
leak categories.
|
|
|
|
Why can't be NOEXEC:
|
|
suid: runs under different uid - must fork+exec
|
|
|
|
Why shouldn't be NOFORK/NOEXEC:
|
|
rare: not started often enough to bother optimizing (example: poweroff)
|
|
daemon: runs indefinitely; these are also always fit "rare" category
|
|
longterm: often runs for a long time (many seconds), execing would make
|
|
memory footprint smaller
|
|
complex: no immediately obvious reason why NOFORK wouldn't work,
|
|
but does some non-obvoius operations (example: fuser, lsof, losetup);
|
|
detailed audit often turns out that it's a leaker
|
|
|
|
Interesting example of "interactive" applet which is nevertheless can be
|
|
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
|
|
for users to keep it waiting for many minutes, whereas running "rm" in shell
|
|
is very typical, and speeding up this common use via NOEXEC is useful.
|
|
IOW: rm is "interactive", but not "longterm".
|
|
|
|
|
|
[ - NOFORK
|
|
[[ - NOFORK
|
|
acpid - daemon
|
|
add-shell
|
|
addgroup
|
|
adduser
|
|
adjtimex
|
|
ar - runner
|
|
arch - NOFORK
|
|
arp - complex, rare
|
|
arping - runner
|
|
ash - interactive, longterm
|
|
awk - noexec. runner
|
|
base64 - runner
|
|
basename - NOFORK
|
|
beep
|
|
blkdiscard
|
|
blkid
|
|
blockdev
|
|
bootchartd - daemon
|
|
brctl
|
|
bunzip2 - runner
|
|
busybox
|
|
bzcat - runner
|
|
bzip2 - runner
|
|
cal - runner: cal -n9999
|
|
cat - runner
|
|
chat - needs ^C to work
|
|
chattr - runner
|
|
chgrp - noexec. runner
|
|
chmod - noexec. runner
|
|
chown - noexec. runner
|
|
chpasswd - runner (list of "user:password"s from stdin)
|
|
chpst - noexec candidate, spawner
|
|
chroot - noexec candidate, spawner
|
|
chrt - noexec candidate, spawner
|
|
chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
|
|
cksum - noexec. runner
|
|
clear - NOFORK
|
|
cmp - runner
|
|
comm - runner
|
|
conspy - interactive, longterm
|
|
cp - noexec. runner
|
|
cpio - runner
|
|
crond - daemon
|
|
crontab
|
|
cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. Can be noexec.
|
|
cttyhack - noexec candidate, spawner
|
|
cut - noexec. runner
|
|
date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
|
|
dc - runner (eats stdin if no params)
|
|
dd - noexec. runner
|
|
deallocvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
|
|
delgroup
|
|
deluser
|
|
depmod - complex, rare
|
|
devmem - runner, complex (access to device memory may hang)
|
|
df - leaks: nested allocs
|
|
dhcprelay - daemon
|
|
diff - runner
|
|
dirname - NOFORK
|
|
dmesg - runner
|
|
dnsd - daemon
|
|
dnsdomainname - needs ^C (may talk to DNS servers, which may be down)
|
|
dos2unix - noexec. runner
|
|
dpkg - runner
|
|
du - runner
|
|
dumpkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
|
|
dumpleases
|
|
echo - NOFORK
|
|
ed - interactive, longterm
|
|
egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
|
|
eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
|
|
env - noexec. spawner, changes state (env)
|
|
envdir - noexec candidate, spawner
|
|
envuidgid - noexec candidate, spawner
|
|
expand - runner
|
|
expr - leaks: nested allocs
|
|
factor - runner (eats stdin if no params)
|
|
fakeidentd - daemon
|
|
false - NOFORK
|
|
fatattr - leaks: open+xioctl, complex
|
|
fbset - leaks: open+xfunc, complex, rare
|
|
fbsplash - runner, longterm
|
|
fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
|
|
fdformat - needs ^C (floppy may be unresponsive), longterm, rare
|
|
fdisk - interactive, longterm
|
|
fgconsole - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
|
|
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
|
|
find - noexec. runner
|
|
findfs - suid
|
|
flash_eraseall
|
|
flash_lock
|
|
flash_unlock
|
|
flashcp
|
|
flock - spawner, changes state (file locks)
|
|
fold - noexec. runner
|
|
free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
|
|
freeramdisk - leaks: open+ioctl_or_perror_and_die
|
|
fsck - interactive, longterm
|
|
fsck.minix
|
|
fsfreeze - noexec candidate (it's very simple), leaks: open+xioctl
|
|
fstrim - noexec candidate (it's very simple), leaks: open+xioctl
|
|
fsync - NOFORK
|
|
ftpd - daemon
|
|
ftpget - runner
|
|
ftpput - runner
|
|
fuser - complex
|
|
getopt - noexec. leaks: many allocs
|
|
getty - interactive, longterm
|
|
grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory)
|
|
groups - noexec
|
|
gunzip - runner
|
|
gzip - runner
|
|
halt - rare
|
|
hd - noexec. runner
|
|
hdparm - complex, rare
|
|
head - noexec. runner
|
|
hexdump - noexec. runner
|
|
hostid - NOFORK
|
|
hostname - DNS resolution may trigger, need ^C
|
|
httpd - daemon
|
|
hush - interactive, longterm
|
|
hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C
|
|
i2cdetect
|
|
i2cdump
|
|
i2cget
|
|
i2cset
|
|
id - noexec
|
|
ifconfig
|
|
ifenslave
|
|
ifplugd - daemon
|
|
inetd - daemon
|
|
init - daemon
|
|
inotifyd - daemon
|
|
insmod - noexec
|
|
install - runner
|
|
ionice - spawner
|
|
iostat - runner
|
|
ip - noexec candidate
|
|
ipaddr - noexec candidate
|
|
ipcalc - noexec candidate
|
|
ipcrm - noexec candidate
|
|
ipcs - noexec candidate
|
|
iplink - noexec candidate
|
|
ipneigh - noexec candidate
|
|
iproute - noexec candidate
|
|
iprule - noexec candidate
|
|
iptunnel - noexec candidate
|
|
kbd_mode
|
|
kill - NOFORK
|
|
killall - NOFORK
|
|
killall5 - NOFORK
|
|
klogd - daemon
|
|
last - runner (I've got 1300 lines of output when tried it)
|
|
less - interactive, longterm
|
|
link - NOFORK
|
|
linux32 - spawner
|
|
linux64 - spawner
|
|
linuxrc - daemon
|
|
ln - noexec
|
|
loadfont
|
|
loadkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
|
|
logger - runner
|
|
login - suid, interactive, longterm
|
|
logname - NOFORK
|
|
losetup - complex
|
|
lpd - daemon
|
|
lpq - runner
|
|
lpr - runner
|
|
ls - noexec. runner
|
|
lsattr - runner. noexec candidate (ls is, why not this one?)
|
|
lsmod - noexec
|
|
lsof - complex
|
|
lspci - noexec candidate, too rare to bother for nofork
|
|
lsscsi - noexec candidate, too rare to bother for nofork
|
|
lsusb - noexec candidate, too rare to bother for nofork
|
|
lzcat - runner
|
|
lzma - runner
|
|
lzop - runner
|
|
lzopcat - runner
|
|
makedevs
|
|
makemime - runner
|
|
man - spawner, interactive, longterm
|
|
md5sum - noexec. runner
|
|
mdev - daemon
|
|
mesg
|
|
microcom - interactive, longterm
|
|
mkdir - NOFORK
|
|
mkdosfs
|
|
mke2fs
|
|
mkfifo - noexec
|
|
mkfs.ext2
|
|
mkfs.minix
|
|
mkfs.vfat
|
|
mknod - noexec
|
|
mkpasswd
|
|
mkswap
|
|
mktemp - noexec. leaks: xstrdup+concat_path_file
|
|
modinfo - noexec
|
|
modprobe - noexec
|
|
more - interactive, longterm
|
|
mount - suid
|
|
mountpoint
|
|
mpstat
|
|
mt
|
|
mv - runner (can be noexec?)
|
|
nameif
|
|
nbd-client
|
|
nc - runner
|
|
netstat - runner with -c
|
|
nice - spawner
|
|
nl - runner
|
|
nmeter - runner
|
|
nohup - spawner
|
|
nproc - NOFORK
|
|
ntpd - daemon
|
|
od - runner
|
|
openvt - spawner
|
|
partprobe
|
|
passwd - suid
|
|
paste - noexec. runner
|
|
patch
|
|
pgrep - nofork candidate(xregcomp, procps_scan - are they ok?)
|
|
pidof - nofork candidate(uses find_pid_by_name, is that ok?)
|
|
ping - suid, runner
|
|
ping6 - suid, runner
|
|
pipe_progress
|
|
pivot_root
|
|
pkill - nofork candidate(xregcomp, procps_scan - are they ok?)
|
|
pmap
|
|
popmaildir - runner
|
|
poweroff - rare
|
|
powertop - interactive, longterm
|
|
printenv - NOFORK
|
|
printf - NOFORK
|
|
ps - noexec candidate
|
|
pscan - longterm
|
|
pstree
|
|
pwd - NOFORK
|
|
pwdx - NOFORK
|
|
raidautorun
|
|
rdate
|
|
rdev
|
|
readlink - NOFORK
|
|
readprofile
|
|
realpath - NOFORK
|
|
reboot - rare
|
|
reformime - runner
|
|
remove-shell
|
|
renice - nofork candidate(uses getpwnam, is that ok?)
|
|
reset - spawner (execs "stty")
|
|
resize - noexec. changes state (signal handlers)
|
|
rev - runner
|
|
rm - noexec. rm -i interactive
|
|
rmdir - NOFORK
|
|
rmmod - noexec
|
|
route
|
|
rpm - runner
|
|
rpm2cpio - runner
|
|
rtcwake - puts system to sleep, optimizing this for speed is pointless
|
|
run-parts
|
|
runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother?
|
|
runsv - daemon
|
|
runsvdir - daemon
|
|
rx - runner
|
|
script
|
|
scriptreplay
|
|
sed - runner
|
|
sendmail - runner
|
|
seq - noexec. runner
|
|
setarch - spawner
|
|
setconsole
|
|
setfont
|
|
setkeycodes
|
|
setlogcons
|
|
setpriv - spawner
|
|
setserial
|
|
setsid - spawner
|
|
setuidgid
|
|
sha1sum - noexec. runner
|
|
sha256sum - noexec. runner
|
|
sha3sum - noexec. runner
|
|
sha512sum - noexec. runner
|
|
showkey - interactive, longterm
|
|
shred - runner
|
|
shuf - noexec. runner
|
|
slattach
|
|
sleep - runner
|
|
smemcap - runner
|
|
softlimit - spawner
|
|
sort - noexec. runner
|
|
split - runner
|
|
ssl_client - network
|
|
start-stop-daemon
|
|
stat - nofork candidate(needs fewer allocs)
|
|
strings - runner
|
|
stty
|
|
su - suid, spawner
|
|
sulogin - spawner
|
|
sum - runner
|
|
sv
|
|
svc
|
|
svlogd - daemon
|
|
swapoff - rare
|
|
swapon - rare
|
|
switch_root - spawner, rare, changes state
|
|
sync - NOFORK
|
|
sysctl
|
|
syslogd - daemon
|
|
tac - noexec. runner
|
|
tail - runner
|
|
tar - runner
|
|
taskset - spawner
|
|
tcpsvd - daemon
|
|
tee - runner
|
|
telnet - interactive, longterm
|
|
telnetd - daemon
|
|
test - NOFORK
|
|
tftp - runner
|
|
tftpd - daemon
|
|
time - spawner, changes state (signals)
|
|
timeout - spawner, changes state (signals)
|
|
top - interactive, longterm
|
|
touch - NOFORK
|
|
tr - runner
|
|
traceroute - suid, runner
|
|
traceroute6 - suid, runner
|
|
true - NOFORK
|
|
truncate - NOFORK
|
|
tty - NOFORK
|
|
ttysize - NOFORK
|
|
tunctl
|
|
tune2fs - leaks: open+xfunc
|
|
ubiattach
|
|
ubidetach
|
|
ubimkvol
|
|
ubirename
|
|
ubirmvol
|
|
ubirsvol
|
|
ubiupdatevol
|
|
udhcpc - daemon
|
|
udhcpd - daemon
|
|
udpsvd - daemon
|
|
uevent - daemon
|
|
umount
|
|
uname - NOFORK
|
|
uncompress - runner
|
|
unexpand - runner
|
|
uniq - runner
|
|
unix2dos - noexec. runner
|
|
unlink - NOFORK
|
|
unlzma - runner
|
|
unlzop - runner
|
|
unxz - runner
|
|
unzip - runner
|
|
uptime - nofork candidate(is getutxent ok?)
|
|
users - nofork candidate(is getutxent ok?)
|
|
usleep - NOFORK
|
|
uudecode - runner
|
|
uuencode - runner
|
|
vconfig - leaks: xsocket+ioctl_or_perror_and_die
|
|
vi - interactive, longterm
|
|
vlock - suid
|
|
volname - runner
|
|
w
|
|
wall - suid
|
|
watch - longterm
|
|
watchdog - daemon
|
|
wc - runner
|
|
wget - longterm
|
|
which - NOFORK
|
|
who
|
|
whoami - NOFORK
|
|
whois
|
|
xargs - noexec. spawner
|
|
xxd - noexec. runner
|
|
xz - runner
|
|
xzcat - runner
|
|
yes - noexec. runner
|
|
zcat - runner
|
|
zcip - daemon
|