interactive: may wait for user input, ^C has to work
spawner: "tool PROG ARGS" which changes program state and execs - must fork
changes state: e.g. environment, signal handlers
-alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
-open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
leaks: does not free allocated memory or opened fds
+ alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
+ open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
+talks to network/serial/etc: it's not known how long the delay can be,
+ it's reasonable to expect it might be many seconds
+ (even if usually it is not), so ^C has to work
runner: sometimes may run for long(ish) time, and/or works with network:
^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
Why can't be NOEXEC:
suid: runs under different uid - must fork+exec
+if it's important that /proc/PID/cmdline and comm are correct.
+ ("pkill sh" killing itself before it kills real "sh" is no fun)
Why shouldn't be NOFORK/NOEXEC:
rare: not started often enough to bother optimizing (example: poweroff)
complex: no immediately obvious reason why NOFORK wouldn't work,
but does some non-obvoius operations (example: fuser, lsof, losetup);
detailed audit often turns out that it's a leaker
+hardware: performs unusual hardware ops which may take long,
+ or even hang due to hardware or firmware bugs
Interesting example of "interactive" applet which is nevertheless can be
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
is very typical, and speeding up this common use via NOEXEC is useful.
IOW: rm is "interactive", but not "longterm".
+Interesting example of an applet which can be NOFORK but if not,
+then should not be NOEXEC, is "usleep". As NOFORK, it amount to simply
+nanosleep()ing in the calling program (usually shell). No memory wasted.
+But if ran as NOEXEC, it would create a potentially long-term process,
+which would be taking more memory because it did not exec
+and did not free much of the copied memory of the parent
+(COW helps with this only as long as parent doesn't modify its memory).
+
[ - NOFORK
[[ - NOFORK
acpid - daemon
-add-shell
-addgroup
-adduser
-adjtimex
+add-shell - noexec. leaks: open+xfunc
+addgroup - noexec. leaks
+adduser - noexec. leaks
+adjtimex - NOFORK
ar - runner
arch - NOFORK
-arp - complex, rare
-arping - runner
+arp - talks to network: arp -n queries DNS
+arping - longterm
ash - interactive, longterm
awk - noexec. runner
base64 - runner
basename - NOFORK
-beep
-blkdiscard
-blkid
+beep - longterm: beep -r 999999999
+blkdiscard - noexec. leaks: open+xioctl
+blkid - noexec
blockdev - noexec. leaks fd
bootchartd - daemon
-brctl
+brctl - noexec
bunzip2 - runner
-busybox
bzcat - runner
bzip2 - runner
-cal - runner: cal -n9999
-cat - runner
-chat - needs ^C to work
+cal - noexec. can be runner: cal -n9999
+cat - runner: cat HUGEFILE
+chat - longterm (when used as intended - talking to modem over stdin/out)
chattr - noexec. runner
chgrp - noexec. runner
chmod - noexec. runner
chown - noexec. runner
-chpasswd - runner (list of "user:password"s from stdin)
+chpasswd - longterm? (list of "user:password"s from stdin)
chpst - noexec. spawner
chroot - noexec. spawner
chrt - noexec. spawner
cmp - runner
comm - runner
conspy - interactive, longterm
-cp - noexec. runner
+cp - noexec. sometimes runner
cpio - runner
crond - daemon
-crontab 0 leaks: open+xasprintf
+crontab - longterm (runs $EDITOR), leaks: open+xasprintf
cryptpw - noexec. changes state: with --password-fd=N, moves N to stdin
cttyhack - noexec. spawner
cut - noexec. runner
date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
-dc - runner (eats stdin if no params)
+dc - longterm (eats stdin if no params)
dd - noexec. runner
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
-delgroup
-deluser
-depmod - complex, rare
-devmem - runner, complex (access to device memory may hang)
-df - leaks: nested allocs
+delgroup - noexec. leaks
+deluser - noexec. leaks
+depmod - longterm(ish)
+devmem - hardware (access to device memory may hang)
+df - noexec. leaks: nested allocs
dhcprelay - daemon
diff - runner
dirname - NOFORK
dmesg - runner
dnsd - daemon
-dnsdomainname - needs ^C (may talk to DNS servers, which may be down)
+dnsdomainname - noexec. talks to network (may query DNS)
dos2unix - noexec. runner
dpkg - runner
du - runner
dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
-dumpleases - leaks: open+xread
+dumpleases - noexec. leaks: open+xread
echo - NOFORK
ed - interactive, longterm
egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
-eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
+eject - hardware, leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
env - noexec. spawner, changes state (env)
envdir - noexec. spawner
envuidgid - noexec. spawner
expand - runner
-expr - leaks: nested allocs
-factor - runner (eats stdin if no params)
+expr - noexec. leaks: nested allocs
+factor - longterm (eats stdin if no params)
fakeidentd - daemon
false - NOFORK
-fatattr - leaks: open+xioctl, complex
-fbset - leaks: open+xfunc, complex, rare
+fatattr - noexec. leaks: open+xioctl, complex
+fbset - hardware, leaks: open+xfunc
fbsplash - runner, longterm
-fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
-fdformat - needs ^C (floppy may be unresponsive), longterm, rare
+fdflush - hardware, leaks: open+ioctl_or_perror_and_die
+fdformat - hardware, longterm
fdisk - interactive, longterm
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
find - noexec. runner
findfs - suid
-flash_eraseall
-flash_lock
-flash_unlock
-flashcp
+flash_eraseall - hardware
+flash_lock - hardware
+flash_unlock - hardware
+flashcp - hardware
flock - spawner, changes state (file locks), let's play safe and not be noexec
fold - noexec. runner
-free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
-freeramdisk - leaks: open+ioctl_or_perror_and_die
+free - NOFORK
+freeramdisk - noexec. leaks: open+ioctl_or_perror_and_die
fsck - interactive, longterm
fsck.minix - needs ^C
fsfreeze - noexec. leaks: open+xioctl
gzip - runner
halt - rare
hd - noexec. runner
-hdparm - complex, rare
+hdparm - hardware
head - noexec. runner
hexdump - noexec. runner
+hexedit - interactive, longterm
hostid - NOFORK
-hostname - needs ^C (may talk to DNS servers, which may be down)
+hostname - noexec. talks to network (hostname -d may query DNS)
httpd - daemon
hush - interactive, longterm
-hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C
-i2cdetect
-i2cdump
-i2cget
-i2cset
+hwclock - hardware (xioctl(RTC_RD_TIME))
+i2cdetect - hardware
+i2cdump - hardware
+i2cget - hardware
+i2cset - hardware
id - noexec
-ifconfig - leaks: xsocket+ioctl_or_perror_and_die
-ifenslave - leaks: xsocket+bb_perror_msg_and_die
+ifconfig - hardware? (mem_start NN io_addr NN irq NN), leaks: xsocket+ioctl_or_perror_and_die
+ifenslave - noexec. leaks: xsocket+bb_perror_msg_and_die
ifplugd - daemon
inetd - daemon
init - daemon
insmod - noexec
install - runner
ionice - noexec. spawner
-iostat - runner
-ip - noexec candidate
-ipaddr - noexec candidate
-ipcalc - noexec candidate
-ipcrm - noexec candidate
-ipcs - noexec candidate
-iplink - noexec candidate
-ipneigh - noexec candidate
-iproute - noexec candidate
-iprule - noexec candidate
-iptunnel - noexec candidate
-kbd_mode - leaks: xopen_nonblocking+xioctl
+iostat - longterm: "iostat 1" runs indefinitely
+ip - noexec
+ipaddr - noexec
+ipcalc - noexec. ipcalc -h talks to network
+ipcrm - noexec
+ipcs - noexec
+iplink - noexec
+ipneigh - noexec
+iproute - noexec
+iprule - noexec
+iptunnel - noexec
+kbd_mode - noexec. leaks: xopen_nonblocking+xioctl
kill - NOFORK
killall - NOFORK
killall5 - NOFORK
linux64 - noexec. spawner
linuxrc - daemon
ln - noexec
-loadfont - leaks: config_open+bb_error_msg_and_die("map format")
+loadfont - noexec. leaks: config_open+bb_error_msg_and_die("map format")
loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
logger - runner
login - suid, interactive, longterm
logname - NOFORK
-losetup - complex
+losetup - noexec. complex
lpd - daemon
lpq - runner
lpr - runner
lsattr - noexec. runner
lsmod - noexec
lsof - complex
-lspci - noexec candidate, too rare to bother for nofork
-lsscsi - noexec candidate, too rare to bother for nofork
-lsusb - noexec candidate, too rare to bother for nofork
+lspci - noexec. too rare to bother for nofork
+lsscsi - noexec. too rare to bother for nofork
+lsusb - noexec. too rare to bother for nofork
lzcat - runner
lzma - runner
lzop - runner
lzopcat - runner
-makedevs
+makedevs - noexec
makemime - runner
man - spawner, interactive, longterm
md5sum - noexec. runner
mdev - daemon
mesg - NOFORK
microcom - interactive, longterm
+minips - noexec
mkdir - NOFORK
mkdosfs - needs ^C
mke2fs - needs ^C
more - interactive, longterm
mount - suid
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
-mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex
-mt - rare
-mv - noexec candidate, runner
-nameif - leaks: config_open2+ioctl_or_perror_and_die
-nbd-client
+mpstat - longterm: "mpstat 1" runs indefinitely
+mt - hardware
+mv - noexec. sometimes runner
+nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
+nbd-client - noexec
nc - runner
-netstat - runner with -c
+netstat - longterm with -c (continuous listing)
nice - noexec. spawner
nl - runner
nmeter - longterm
nohup - noexec. spawner
nproc - NOFORK
ntpd - daemon
+nuke - noexec
od - runner
openvt - longterm: spawns a child and waits for it
partprobe - noexec. leaks: open+ioctl_or_perror_and_die(BLKRRPART)
passwd - suid
paste - noexec. runner
patch - needs ^C
-pgrep - nofork candidate(xregcomp, procps_scan - are they ok?)
-pidof - nofork candidate(uses find_pid_by_name, is that ok?)
-ping - suid, runner
-ping6 - suid, runner
+pgrep - must fork+exec to get correct /proc/PID/cmdline and comm field
+pidof - must fork+exec to get correct /proc/PID/cmdline and comm field
+ping - suid, longterm
+ping6 - suid, longterm
pipe_progress - longterm
pivot_root - NOFORK
-pkill - nofork candidate(xregcomp, procps_scan - are they ok?)
+pkill - must fork+exec to get correct /proc/PID/cmdline and comm field
pmap - noexec candidate, leaks: open+xstrdup
popmaildir - runner
poweroff - rare
powertop - interactive, longterm
printenv - NOFORK
printf - NOFORK
-ps - noexec candidate
-pscan - longterm
-pstree
+ps - noexec
+pscan - talks to network
+pstree - noexec
pwd - NOFORK
pwdx - NOFORK
-raidautorun
-rdate - needs ^C (may talk to DNS servers, which may be down)
-rdev - leaks: find_block_device -> readdir+xstrdup
+raidautorun - noexec. very simple. leaks: open+xioctl
+rdate - talks to network
+rdev - noexec. leaks: find_block_device -> readdir+xstrdup
readlink - NOFORK
-readprofile
+readprofile - reads /boot/System.map and /proc/profile, better to free more memory by execing?
realpath - NOFORK
reboot - rare
reformime - runner
-remove-shell
-renice - nofork candidate(uses getpwnam, is that ok?)
+remove-shell - noexec. leaks: open+xfunc
+renice - noexec. nofork candidate(uses getpwnam, is that ok?)
reset - noexec. spawner (execs "stty")
resize - noexec. changes state (signal handlers)
+resume - noexec
rev - runner
rm - noexec. rm -i interactive
rmdir - NOFORK
rmmod - noexec
-route - needs ^C (may talk to DNS servers, which may be down)
+route - talks to network (may query DNS to convert IPs to names)
rpm - runner
rpm2cpio - runner
rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless
-run-parts
+run-init - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
+run-parts - longterm
runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother?
runsv - daemon
runsvdir - daemon
rx - runner
-script
-scriptreplay
+script - longterm: pumps script output from slave pty
+scriptreplay - longterm: plays back "script" saved output, sleeping as necessary.
sed - runner
sendmail - runner
seq - noexec. runner
setarch - noexec. spawner
-setconsole
-setfont
-setkeycodes
-setlogcons
+setconsole - noexec
+setfattr - noexec
+setfont - noexec. leaks a lot of stuff
+setkeycodes - noexec
+setlogcons - noexec
setpriv - spawner, changes state, let's play safe and not be noexec
-setserial
-setsid - spawner, uses fork_or_rexec() [not audted to work in noexec], let's play safe and not be noexec
+setserial - noexec
+setsid - spawner, uses fork_or_rexec() [not audited to work in noexec], let's play safe and not be noexec
setuidgid - noexec. spawner
sha1sum - noexec. runner
sha256sum - noexec. runner
showkey - interactive, longterm
shred - runner
shuf - noexec. runner
-slattach
-sleep - runner, longterm
+slattach - longterm (may sleep forever), uses bb_common_bufsiz1
+sleep - longterm. Could be nofork, if not the problem of "killall sleep" not killing it.
smemcap - runner
softlimit - noexec. spawner
sort - noexec. runner
split - runner
ssl_client - longterm
-start-stop-daemon
-stat - nofork candidate(needs fewer allocs)
+start-stop-daemon - not noexec: uses bb_common_bufsiz1
+stat - noexec. nofork candidate(needs fewer allocs)
strings - runner
stty - noexec. nofork candidate: has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd
su - suid, spawner
sv - noexec. needs ^C (uses usleep(420000))
svc - noexec. needs ^C (uses usleep(420000))
svlogd - daemon
-swapoff - rare
+swapoff - longterm: may cause memory pressure, execing is beneficial
swapon - rare
switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
sync - NOFORK
top - interactive, longterm
touch - NOFORK
tr - runner
-traceroute - suid, runner
-traceroute6 - suid, runner
+traceroute - suid, longterm
+traceroute6 - suid, longterm
true - NOFORK
truncate - NOFORK
tty - NOFORK
ttysize - NOFORK
-tunctl
+tunctl - noexec
tune2fs - noexec. leaks: open+xfunc
-ubiattach
-ubidetach
-ubimkvol
-ubirename
-ubirmvol
-ubirsvol
-ubiupdatevol
+ubiattach - hardware
+ubidetach - hardware
+ubimkvol - hardware
+ubirename - hardware
+ubirmvol - hardware
+ubirsvol - hardware
+ubiupdatevol - hardware
udhcpc - daemon
udhcpd - daemon
udpsvd - daemon
uevent - daemon
-umount - noexec candidate, leaks: nested xmalloc
+umount - noexec. leaks: nested xmalloc
uname - NOFORK
uncompress - runner
unexpand - runner
unlzop - runner
unxz - runner
unzip - runner
-uptime - nofork candidate(is getutxent ok?)
-users - nofork candidate(is getutxent ok?)
-usleep - NOFORK
+uptime - noexec. nofork candidate(is getutxent ok?)
+users - noexec. nofork candidate(is getutxent ok?)
+usleep - NOFORK. But what about "killall usleep"?
uudecode - runner
uuencode - runner
-vconfig - leaks: xsocket+ioctl_or_perror_and_die
+vconfig - noexec. leaks: xsocket+ioctl_or_perror_and_die
vi - interactive, longterm
vlock - suid
-volname - runner
-w - nofork candidate(is getutxent ok?)
+volname - hardware (reads CDROM, this can take long-ish if need to spin up)
+w - noexec. nofork candidate(is getutxent ok?)
wall - suid
watch - longterm
watchdog - daemon
wc - runner
wget - longterm
which - NOFORK
-who - nofork candidate(is getutxent ok?)
+who - noexec. nofork candidate(is getutxent ok?)
whoami - NOFORK
-whois - needs ^C
+whois - talks to network
xargs - noexec. spawner
xxd - noexec. runner
xz - runner