Why an applet can't be NOFORK or NOEXEC?

interactive: may wait for user input, ^C has to work
spawner: "tool PROG ARGS" which changes program state and execs - must fork
changes state: e.g. environment, signal handlers
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
leaks: does not free allocated memory or opened fds
runner: sometimes may run for long(ish) time, and/or works with network:
	^C has to work (cat BIGFILE, chmod -R, ftpget, nc)

"runners" can become eligible after shell is taught ^C to interrupt NOFORKs,
need to be inspected that they do not fall into alloc+xfunc, open+xfunc,

suid: runs under different uid - must fork+exec

Why shouldn't be NOFORK/NOEXEC:
rare: not started often enough to bother optimizing (example: poweroff)
daemon: runs indefinitely; these also always fit the "rare" category
longterm: often runs for a long time (many seconds), execing makes
	memory footprint smaller
complex: no immediately obvious reason why NOFORK wouldn't work,
	but does some non-obvious operations (example: fuser, lsof, losetup);
	a detailed audit often finds that it's a leaker

An interesting example of an "interactive" applet which nevertheless can be
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
for users to keep it waiting for many minutes, whereas running "rm" in shell
is very typical, and speeding up this common use via NOEXEC is useful.
IOW: rm is "interactive", but not "longterm".
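
The open+xfunc category from the legend above, as an added example (not BusyBox code): a NOFORK applet runs inside the calling shell's process, so an fd opened before an xfunc dies stays open in the shell, while after fork() it disappears with the child. The longjmp-based model of "dying" and all function names here are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <setjmp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Model, not BusyBox source: "dying" unwinds to the caller when the applet
 * runs in-process, and is a real exit when it runs in a forked child. */
static jmp_buf die_jmp;
static int in_process;

static void model_xfunc_that_dies(void) {
	if (in_process) longjmp(die_jmp, 1);
	_exit(1);
}

/* open+xfunc pattern: fd is opened, then an xfunc dies before close(). */
static void leaky_applet(void) {
	int fd = open("/dev/null", O_RDONLY);
	model_xfunc_that_dies();
	close(fd); /* never reached */
}

static int count_open_fds(void) {
	int n = 0;
	for (int fd = 0; fd < 256; fd++) n += (fcntl(fd, F_GETFD) != -1);
	return n;
}

/* Applet runs in the caller's process: returns fds the caller still holds. */
int leaked_in_process(void) {
	int before = count_open_fds();
	in_process = 1;
	if (setjmp(die_jmp) == 0) leaky_applet();
	in_process = 0;
	return count_open_fds() - before;
}

/* Applet runs after fork(): the leaked fd disappears with the child. */
int leaked_when_forked(void) {
	int before = count_open_fds();
	pid_t pid = fork();
	if (pid == 0) leaky_applet(); /* child: ends in _exit(1) */
	if (pid > 0) waitpid(pid, NULL, 0);
	return pid < 0 ? -1 : count_open_fds() - before;
}
int main(void) {
	printf("in-process: %d, forked: %d\n", leaked_in_process(), leaked_when_forked());
	return 0;
}
```

Each in-process run leaves one more fd open in the caller, which is why a long-lived shell cannot treat such an applet as NOFORK.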
ash - interactive, longterm
blockdev - noexec. leaks fd
cal - runner: cal -n9999
chat - needs ^C to work
chattr - noexec. runner
chgrp - noexec. runner
chmod - noexec. runner
chown - noexec. runner
chpasswd - runner (list of "user:password"s from stdin)
chpst - noexec. spawner
chroot - noexec. spawner
chrt - noexec. spawner
chvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
cksum - noexec. runner
conspy - interactive, longterm
crontab - longterm (runs $EDITOR), leaks: open+xasprintf
cryptpw - noexec. changes state: with --password-fd=N, moves N to stdin
cttyhack - noexec. spawner
date - noexec. nofork candidate (needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
dc - runner (eats stdin if no params)
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
depmod - complex, rare
devmem - runner, complex (access to device memory may hang)
df - leaks: nested allocs
dnsdomainname - needs ^C (may talk to DNS servers, which may be down)
dos2unix - noexec. runner
dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
dumpleases - leaks: open+xread
ed - interactive, longterm
egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
env - noexec. spawner, changes state (env)
envdir - noexec. spawner
envuidgid - noexec. spawner
expr - leaks: nested allocs
factor - runner (eats stdin if no params)
fatattr - leaks: open+xioctl, complex
fbset - leaks: open+xfunc, complex, rare
fbsplash - runner, longterm
fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
fdformat - needs ^C (floppy may be unresponsive), longterm, rare
fdisk - interactive, longterm
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
find - noexec. runner
flock - spawner, changes state (file locks), let's play safe and not be noexec
fold - noexec. runner
free - nofork candidate (struct globals, needs to close /proc/meminfo fd)
freeramdisk - leaks: open+ioctl_or_perror_and_die
fsck - interactive, longterm
fsck.minix - needs ^C
fsfreeze - noexec. leaks: open+xioctl
fstrim - noexec. leaks: open+xioctl, find_block_device -> readdir+xstrdup
getopt - noexec. leaks: many allocs
getty - interactive, longterm
grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory)
hdparm - complex, rare
head - noexec. runner
hexdump - noexec. runner
hostname - needs ^C (may talk to DNS servers, which may be down)
hush - interactive, longterm
hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C
ifconfig - leaks: xsocket+ioctl_or_perror_and_die
ifenslave - leaks: xsocket+bb_perror_msg_and_die
ionice - noexec. spawner
ip - noexec candidate
ipaddr - noexec candidate
ipcalc - noexec candidate
ipcrm - noexec candidate
ipcs - noexec candidate
iplink - noexec candidate
ipneigh - noexec candidate
iproute - noexec candidate
iprule - noexec candidate
iptunnel - noexec candidate
kbd_mode - noexec. leaks: xopen_nonblocking+xioctl
last - runner (I've got 1300 lines of output when tried it)
less - interactive, longterm
linux32 - noexec. spawner
linux64 - noexec. spawner
loadfont - noexec. leaks: config_open+bb_error_msg_and_die("map format")
loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
login - suid, interactive, longterm
lsattr - noexec. runner
lspci - noexec. too rare to bother for nofork
lsscsi - noexec. too rare to bother for nofork
lsusb - noexec. too rare to bother for nofork
man - spawner, interactive, longterm
md5sum - noexec. runner
microcom - interactive, longterm
mkfs.minix - needs ^C
mkpasswd - noexec. changes state: with --password-fd=N, moves N to stdin
mktemp - noexec. leaks: xstrdup+concat_path_file
more - interactive, longterm
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
mpstat - longterm: "mpstat 1" runs indefinitely
mv - noexec candidate, runner
nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
netstat - runner with -c
nice - noexec. spawner
nohup - noexec. spawner
openvt - longterm: spawns a child and waits for it
partprobe - noexec. leaks: open+ioctl_or_perror_and_die(BLKRRPART)
paste - noexec. runner
pgrep - nofork candidate (xregcomp, procps_scan - are they ok?)
pidof - nofork candidate (uses find_pid_by_name, is that ok?)
pipe_progress - longterm
pkill - nofork candidate (xregcomp, procps_scan - are they ok?)
pmap - noexec candidate, leaks: open+xstrdup
powertop - interactive, longterm
ps - looks for AT_CLKTCK elf aux vector, therefore can't be noexec
raidautorun - noexec. very simple. leaks: open+xioctl
rdate - needs ^C (may talk to DNS servers, which may be down)
rdev - leaks: find_block_device -> readdir+xstrdup
renice - nofork candidate (uses getpwnam, is that ok?)
reset - noexec. spawner (execs "stty")
resize - noexec. changes state (signal handlers)
rm - noexec. rm -i interactive
route - needs ^C (may talk to DNS servers, which may be down)
rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless
runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother?
setarch - noexec. spawner
setfont - noexec. leaks a lot of stuff
setpriv - spawner, changes state, let's play safe and not be noexec
setsid - spawner, uses fork_or_rexec() [not audited to work in noexec], let's play safe and not be noexec
setuidgid - noexec. spawner
sha1sum - noexec. runner
sha256sum - noexec. runner
sha3sum - noexec. runner
sha512sum - noexec. runner
showkey - interactive, longterm
shuf - noexec. runner
slattach - longterm (may sleep forever), uses bb_common_bufsiz1
sleep - runner, longterm
softlimit - noexec. spawner
sort - noexec. runner
ssl_client - longterm
stat - nofork candidate (needs fewer allocs)
stty - noexec. nofork candidate: has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd
sulogin - noexec. spawner
sv - noexec. needs ^C (uses usleep(420000))
svc - noexec. needs ^C (uses usleep(420000))
switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
sysctl - noexec. leaks: xstrdup+xmalloc_read
taskset - noexec. spawner
telnet - interactive, longterm
time - spawner, longterm, changes state (signals)
timeout - spawner, longterm, changes state (signals)
top - interactive, longterm
traceroute - suid, runner
traceroute6 - suid, runner
tune2fs - noexec. leaks: open+xfunc
umount - noexec. leaks: nested xmalloc
unix2dos - noexec. runner
uptime - nofork candidate (is getutxent ok?)
users - nofork candidate (is getutxent ok?)
vconfig - leaks: xsocket+ioctl_or_perror_and_die
vi - interactive, longterm
w - nofork candidate (is getutxent ok?)
who - nofork candidate (is getutxent ok?)
xargs - noexec. spawner