Why can't an applet be NOFORK or NOEXEC?

interactive: may wait for user input, ^C has to work
spawner: "tool PROG ARGS" which changes program state and execs - must fork
changes state: e.g. environment, signal handlers
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
leaks: does not free allocated memory or opened fds
runner: sometimes may run for long(ish) time, and/or works with network:
	^C has to work (cat BIGFILE, chmod -R, ftpget, nc)

"runners" can become eligible after shell is taught ^C to interrupt NOFORKs,
need to be inspected that they do not fall into alloc+xfunc, open+xfunc,

suid: runs under different uid - must fork+exec

Why shouldn't be NOFORK/NOEXEC:
rare: not started often enough to bother optimizing (example: poweroff)
daemon: runs indefinitely; these also always fit the "rare" category
longterm: often runs for a long time (many seconds), execing would make
	memory footprint smaller
complex: no immediately obvious reason why NOFORK wouldn't work,
	but does some non-obvious operations (example: fuser, lsof, losetup);
	a detailed audit often shows that it's a leaker

An interesting example of an "interactive" applet which nevertheless can be
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
for users to keep it waiting for many minutes, whereas running "rm" in shell
is very typical, and speeding up this common use via NOEXEC is useful.
IOW: rm is "interactive", but not "longterm".
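
The open+xfunc entry in the legend above, as a small C model added here (it is not BusyBox code): it assumes a dying xfunc hands control back to the in-process caller via longjmp, uses a hypothetical xfunc_or_die() as the stand-in, and counts the descriptors the calling process is left holding. alloc+xfunc loses heap memory the same way; the fd case is shown because it can be counted.

```c
#include <fcntl.h>
#include <setjmp.h>
#include <stdio.h>
#include <unistd.h>

static jmp_buf die_jmp;
/* Hypothetical xfunc: on failure it jumps to die_jmp instead of returning. */
static void xfunc_or_die(int ok) { if (!ok) longjmp(die_jmp, 1); }

int count_open_fds(void)
{
	int n = 0;
	for (int fd = 0; fd < 256; fd++)   /* probe descriptors 0..255 */
		n += (fcntl(fd, F_GETFD) != -1);
	return n;
}

/* open+xfunc: close() is skipped whenever the xfunc dies. */
int leaky_applet(int fail)
{
	int fd = open("/dev/null", O_RDONLY);
	xfunc_or_die(!fail);
	close(fd);
	return 0;
}

/* Same work, but the fd is released before the failure is reported. */
int careful_applet(int fail)
{
	int fd = open("/dev/null", O_RDONLY);
	close(fd);
	return fail;
}

/* Run the applet in-process `runs` times with a forced failure; return fd growth. */
int fds_leaked_after(int (*applet)(int), int runs)
{
	int before = count_open_fds();
	for (volatile int i = 0; i < runs; i++)
		if (setjmp(die_jmp) == 0)
			applet(1);
	return count_open_fds() - before;
}

int main(void)
{
	printf("leaked fds: open+xfunc=%d, careful=%d\n",
	       fds_leaked_after(leaky_applet, 5), fds_leaked_after(careful_applet, 5));
	return 0;
}
```

In a forked child the same leak disappears when the child exits; run in the caller's own process it accumulates with every failed invocation.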

ash - interactive, longterm
cal - runner: cal -n9999
chat - needs ^C to work
chgrp - noexec. runner
chmod - noexec. runner
chown - noexec. runner
chpasswd - runner (list of "user:password"s from stdin)
chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
cksum - noexec. runner
cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. Can be noexec.
date - noexec. nofork candidate (needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
dc - runner (eats stdin if no params)
deallocvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
depmod - complex, rare
devmem - runner, complex (access to device memory may hang)
df - complex (nested allocs)
dnsdomainname - needs ^C (may talk to DNS servers, which may be down)
dos2unix - noexec. runner
dumpkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
ed - interactive, longterm
egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
env - noexec. changes state (env)
expr - complex (nested allocs)
factor - runner (eats stdin if no params)
fatattr - complex (xopen+xioctl can leak fd)
fbset - leaks: open+xfunc, complex, rare
fbsplash - runner, longterm
fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
fdformat - needs ^C (floppy may be unresponsive), longterm, rare
fdisk - interactive, longterm
fgconsole - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
find - noexec. runner
flock - spawner, changes state (file locks)
fold - noexec. runner
free - nofork candidate (struct globals, needs to close /proc/meminfo fd)
freeramdisk - leaks: open+ioctl_or_perror_and_die
fsck - interactive, longterm
getopt - noexec. complex (many allocs)
getty - interactive, longterm
grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory)
hdparm - complex, rare
head - noexec. runner
hexdump - noexec. runner
hostname - DNS resolution may trigger, need ^C
hush - interactive, longterm
ip - noexec candidate
ipaddr - noexec candidate
ipcalc - noexec candidate
ipcrm - noexec candidate
ipcs - noexec candidate
iplink - noexec candidate
ipneigh - noexec candidate
iproute - noexec candidate
iprule - noexec candidate
iptunnel - noexec candidate
last - runner (I've got 1300 lines of output when I tried it)
less - interactive, longterm
loadkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec.
login - suid, interactive, longterm
lsattr - runner. noexec candidate (ls is, why not this one?)
lspci - noexec candidate, too rare to bother for nofork
lsscsi - noexec candidate, too rare to bother for nofork
lsusb - noexec candidate, too rare to bother for nofork
man - spawner, interactive, longterm
md5sum - noexec. runner
microcom - interactive, longterm
mktemp - leaks: xstrdup+concat_path_file
more - interactive, longterm
mv - runner (can be noexec?)
netstat - runner with -c
paste - noexec. runner
pgrep - nofork candidate (xregcomp, procps_scan - are they ok?)
pidof - nofork candidate (uses find_pid_by_name, is that ok?)
pkill - nofork candidate (xregcomp, procps_scan - are they ok?)
powertop - interactive, longterm
ps - noexec candidate
renice - nofork candidate (uses getpwnam, is that ok?)
reset - spawner (execs "stty")
resize - noexec. changes state (signal handlers)
rm - noexec. rm -i interactive
rtcwake - complex, rare
sha1sum - noexec. runner
sha256sum - noexec. runner
sha3sum - noexec. runner
sha512sum - noexec. runner
showkey - interactive, longterm
shuf - noexec. runner
sort - noexec. runner
stat - nofork candidate (needs fewer allocs)
switch_root - spawner, rare, changes state
telnet - interactive, longterm
time - spawner, changes state (signals)
timeout - spawner, changes state (signals)
top - interactive, longterm
traceroute - suid, runner
traceroute6 - suid, runner
tune2fs - leaks: open+xfunc
unix2dos - noexec. runner
uptime - nofork candidate (is getutxent ok?)
users - nofork candidate (is getutxent ok?)
vconfig - leaks: xsocket+ioctl_or_perror_and_die
vi - interactive, longterm
xargs - noexec. spawner