NOFORK_NOEXEC.lst 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437
  1. Why an applet can't be NOFORK or NOEXEC?
  2. Why can't be NOFORK:
  3. interactive: may wait for user input, ^C has to work
  4. spawner: "tool PROG ARGS" which changes program state and execs - must fork
  5. changes state: e.g. environment, signal handlers
  6. leaks: does not free allocated memory or opened fds
  7. alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
  8. open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
  9. talks to network/serial/etc: it's not known how long the delay can be,
  10. it's reasonable to expect it might be many seconds
  11. (even if usually it is not), so ^C has to work
  12. runner: sometimes may run for long(ish) time, and/or works with network:
  13. ^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
  14. "runners" can become eligible after shell is taught ^C to interrupt NOFORKs,
  15. need to be inspected that they do not fall into alloc+xfunc, open+xfunc,
  16. leak categories.
  17. Why can't be NOEXEC:
  18. suid: runs under different uid - must fork+exec
  19. if it's important that /proc/PID/cmdline and comm are correct.
  20. ("pkill sh" killing itself before it kills real "sh" is no fun)
  21. Why shouldn't be NOFORK/NOEXEC:
  22. rare: not started often enough to bother optimizing (example: poweroff)
  23. daemon: runs indefinitely; these are also always fit "rare" category
  24. longterm: often runs for a long time (many seconds), execing makes
  25. memory footprint smaller
  26. complex: no immediately obvious reason why NOFORK wouldn't work,
  27. but does some non-obvoius operations (example: fuser, lsof, losetup);
  28. detailed audit often turns out that it's a leaker
  29. hardware: performs unusual hardware ops which may take long,
  30. or even hang due to hardware or firmware bugs
  31. Interesting example of "interactive" applet which is nevertheless can be
  32. (and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
  33. for users to keep it waiting for many minutes, whereas running "rm" in shell
  34. is very typical, and speeding up this common use via NOEXEC is useful.
  35. IOW: rm is "interactive", but not "longterm".
  36. Interesting example of an applet which can be NOFORK but if not,
  37. then should not be NOEXEC, is "usleep". As NOFORK, it amount to simply
  38. nanosleep()ing in the calling program (usually shell). No memory wasted.
  39. But if ran as NOEXEC, it would create a potentially long-term process,
  40. which would be taking more memory because it did not exec
  41. and did not free much of the copied memory of the parent
  42. (COW helps with this only as long as parent doesn't modify its memory).
  43. [ - NOFORK
  44. [[ - NOFORK
  45. acpid - daemon
  46. add-shell - noexec. leaks: open+xfunc
  47. addgroup - noexec. leaks
  48. adduser - noexec. leaks
  49. adjtimex - NOFORK
  50. ar - runner
  51. arch - NOFORK
  52. arp - talks to network: arp -n queries DNS
  53. arping - longterm
  54. ash - interactive, longterm
  55. awk - noexec. runner
  56. base64 - runner
  57. basename - NOFORK
  58. beep - longterm: beep -r 999999999
  59. blkdiscard - noexec. leaks: open+xioctl
  60. blkid - noexec
  61. blockdev - noexec. leaks fd
  62. bootchartd - daemon
  63. brctl - noexec
  64. bunzip2 - runner
  65. bzcat - runner
  66. bzip2 - runner
  67. cal - noexec. can be runner: cal -n9999
  68. cat - runner: cat HUGEFILE
  69. chat - longterm (when used as intended - talking to modem over stdin/out)
  70. chattr - noexec. runner
  71. chgrp - noexec. runner
  72. chmod - noexec. runner
  73. chown - noexec. runner
  74. chpasswd - longterm? (list of "user:password"s from stdin)
  75. chpst - noexec. spawner
  76. chroot - noexec. spawner
  77. chrt - noexec. spawner
  78. chvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
  79. cksum - noexec. runner
  80. clear - NOFORK
  81. cmp - runner
  82. comm - runner
  83. conspy - interactive, longterm
  84. cp - noexec. sometimes runner
  85. cpio - runner
  86. crond - daemon
  87. crontab - longterm (runs $EDITOR), leaks: open+xasprintf
  88. cryptpw - noexec. changes state: with --password-fd=N, moves N to stdin
  89. cttyhack - noexec. spawner
  90. cut - noexec. runner
  91. date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
  92. dc - longterm (eats stdin if no params)
  93. dd - noexec. runner
  94. deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
  95. delgroup - noexec. leaks
  96. deluser - noexec. leaks
  97. depmod - longterm(ish)
  98. devmem - hardware (access to device memory may hang)
  99. df - noexec. leaks: nested allocs
  100. dhcprelay - daemon
  101. diff - runner
  102. dirname - NOFORK
  103. dmesg - runner
  104. dnsd - daemon
  105. dnsdomainname - noexec. talks to network (may query DNS)
  106. dos2unix - noexec. runner
  107. dpkg - runner
  108. du - runner
  109. dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
  110. dumpleases - noexec. leaks: open+xread
  111. echo - NOFORK
  112. ed - interactive, longterm
  113. egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
  114. eject - hardware, leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
  115. env - noexec. spawner, changes state (env)
  116. envdir - noexec. spawner
  117. envuidgid - noexec. spawner
  118. expand - runner
  119. expr - noexec. leaks: nested allocs
  120. factor - longterm (eats stdin if no params)
  121. fakeidentd - daemon
  122. false - NOFORK
  123. fatattr - noexec. leaks: open+xioctl, complex
  124. fbset - hardware, leaks: open+xfunc
  125. fbsplash - runner, longterm
  126. fdflush - hardware, leaks: open+ioctl_or_perror_and_die
  127. fdformat - hardware, longterm
  128. fdisk - interactive, longterm
  129. fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
  130. fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
  131. find - noexec. runner
  132. findfs - suid
  133. flash_eraseall - hardware
  134. flash_lock - hardware
  135. flash_unlock - hardware
  136. flashcp - hardware
  137. flock - spawner, changes state (file locks), let's play safe and not be noexec
  138. fold - noexec. runner
  139. free - NOFORK
  140. freeramdisk - noexec. leaks: open+ioctl_or_perror_and_die
  141. fsck - interactive, longterm
  142. fsck.minix - needs ^C
  143. fsfreeze - noexec. leaks: open+xioctl
  144. fstrim - noexec. leaks: open+xioctl, find_block_device -> readdir+xstrdup
  145. fsync - NOFORK
  146. ftpd - daemon
  147. ftpget - runner
  148. ftpput - runner
  149. fuser - complex
  150. getopt - noexec. leaks: many allocs
  151. getty - interactive, longterm
  152. grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory)
  153. groups - noexec
  154. gunzip - runner
  155. gzip - runner
  156. halt - rare
  157. hd - noexec. runner
  158. hdparm - hardware
  159. head - noexec. runner
  160. hexdump - noexec. runner
  161. hexedit - interactive, longterm
  162. hostid - NOFORK
  163. hostname - noexec. talks to network (hostname -d may query DNS)
  164. httpd - daemon
  165. hush - interactive, longterm
  166. hwclock - hardware (xioctl(RTC_RD_TIME))
  167. i2cdetect - hardware
  168. i2cdump - hardware
  169. i2cget - hardware
  170. i2cset - hardware
  171. id - noexec
  172. ifconfig - hardware? (mem_start NN io_addr NN irq NN), leaks: xsocket+ioctl_or_perror_and_die
  173. ifenslave - noexec. leaks: xsocket+bb_perror_msg_and_die
  174. ifplugd - daemon
  175. inetd - daemon
  176. init - daemon
  177. inotifyd - daemon
  178. insmod - noexec
  179. install - runner
  180. ionice - noexec. spawner
  181. iostat - longterm: "iostat 1" runs indefinitely
  182. ip - noexec
  183. ipaddr - noexec
  184. ipcalc - noexec. ipcalc -h talks to network
  185. ipcrm - noexec
  186. ipcs - noexec
  187. iplink - noexec
  188. ipneigh - noexec
  189. iproute - noexec
  190. iprule - noexec
  191. iptunnel - noexec
  192. kbd_mode - noexec. leaks: xopen_nonblocking+xioctl
  193. kill - NOFORK
  194. killall - NOFORK
  195. killall5 - NOFORK
  196. klogd - daemon
  197. last - runner (I've got 1300 lines of output when tried it)
  198. less - interactive, longterm
  199. link - NOFORK
  200. linux32 - noexec. spawner
  201. linux64 - noexec. spawner
  202. linuxrc - daemon
  203. ln - noexec
  204. loadfont - noexec. leaks: config_open+bb_error_msg_and_die("map format")
  205. loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
  206. logger - runner
  207. login - suid, interactive, longterm
  208. logname - NOFORK
  209. losetup - noexec. complex
  210. lpd - daemon
  211. lpq - runner
  212. lpr - runner
  213. ls - noexec. runner
  214. lsattr - noexec. runner
  215. lsmod - noexec
  216. lsof - complex
  217. lspci - noexec. too rare to bother for nofork
  218. lsscsi - noexec. too rare to bother for nofork
  219. lsusb - noexec. too rare to bother for nofork
  220. lzcat - runner
  221. lzma - runner
  222. lzop - runner
  223. lzopcat - runner
  224. makedevs - noexec
  225. makemime - runner
  226. man - spawner, interactive, longterm
  227. md5sum - noexec. runner
  228. mdev - daemon
  229. mesg - NOFORK
  230. microcom - interactive, longterm
  231. minips - noexec
  232. mkdir - NOFORK
  233. mkdosfs - needs ^C
  234. mke2fs - needs ^C
  235. mkfifo - noexec
  236. mkfs.ext2 - needs ^C
  237. mkfs.minix - needs ^C
  238. mkfs.vfat - needs ^C
  239. mknod - noexec
  240. mkpasswd - noexec. changes state: with --password-fd=N, moves N to stdin
  241. mkswap - needs ^C
  242. mktemp - noexec. leaks: xstrdup+concat_path_file
  243. modinfo - noexec
  244. modprobe - noexec
  245. more - interactive, longterm
  246. mount - suid
  247. mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
  248. mpstat - longterm: "mpstat 1" runs indefinitely
  249. mt - hardware
  250. mv - noexec. sometimes runner
  251. nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
  252. nbd-client - noexec
  253. nc - runner
  254. netstat - longterm with -c (continuous listing)
  255. nice - noexec. spawner
  256. nl - runner
  257. nmeter - longterm
  258. nohup - noexec. spawner
  259. nproc - NOFORK
  260. ntpd - daemon
  261. nuke - noexec
  262. od - runner
  263. openvt - longterm: spawns a child and waits for it
  264. partprobe - noexec. leaks: open+ioctl_or_perror_and_die(BLKRRPART)
  265. passwd - suid
  266. paste - noexec. runner
  267. patch - needs ^C
  268. pgrep - must fork+exec to get correct /proc/PID/cmdline and comm field
  269. pidof - must fork+exec to get correct /proc/PID/cmdline and comm field
  270. ping - suid, longterm
  271. ping6 - suid, longterm
  272. pipe_progress - longterm
  273. pivot_root - NOFORK
  274. pkill - must fork+exec to get correct /proc/PID/cmdline and comm field
  275. pmap - noexec candidate, leaks: open+xstrdup
  276. popmaildir - runner
  277. poweroff - rare
  278. powertop - interactive, longterm
  279. printenv - NOFORK
  280. printf - NOFORK
  281. ps - noexec
  282. pscan - talks to network
  283. pstree - noexec
  284. pwd - NOFORK
  285. pwdx - NOFORK
  286. raidautorun - noexec. very simple. leaks: open+xioctl
  287. rdate - talks to network
  288. rdev - noexec. leaks: find_block_device -> readdir+xstrdup
  289. readlink - NOFORK
  290. readprofile - reads /boot/System.map and /proc/profile, better to free more memory by execing?
  291. realpath - NOFORK
  292. reboot - rare
  293. reformime - runner
  294. remove-shell - noexec. leaks: open+xfunc
  295. renice - noexec. nofork candidate(uses getpwnam, is that ok?)
  296. reset - noexec. spawner (execs "stty")
  297. resize - noexec. changes state (signal handlers)
  298. resume - noexec
  299. rev - runner
  300. rm - noexec. rm -i interactive
  301. rmdir - NOFORK
  302. rmmod - noexec
  303. route - talks to network (may query DNS to convert IPs to names)
  304. rpm - runner
  305. rpm2cpio - runner
  306. rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless
  307. run-init - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
  308. run-parts - longterm
  309. runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother?
  310. runsv - daemon
  311. runsvdir - daemon
  312. rx - runner
  313. script - longterm: pumps script output from slave pty
  314. scriptreplay - longterm: plays back "script" saved output, sleeping as necessary.
  315. sed - runner
  316. sendmail - runner
  317. seq - noexec. runner
  318. setarch - noexec. spawner
  319. setconsole - noexec
  320. setfattr - noexec
  321. setfont - noexec. leaks a lot of stuff
  322. setkeycodes - noexec
  323. setlogcons - noexec
  324. setpriv - spawner, changes state, let's play safe and not be noexec
  325. setserial - noexec
  326. setsid - spawner, uses fork_or_rexec() [not audited to work in noexec], let's play safe and not be noexec
  327. setuidgid - noexec. spawner
  328. sha1sum - noexec. runner
  329. sha256sum - noexec. runner
  330. sha3sum - noexec. runner
  331. sha512sum - noexec. runner
  332. showkey - interactive, longterm
  333. shred - runner
  334. shuf - noexec. runner
  335. slattach - longterm (may sleep forever), uses bb_common_bufsiz1
  336. sleep - longterm. Could be nofork, if not the problem of "killall sleep" not killing it.
  337. smemcap - runner
  338. softlimit - noexec. spawner
  339. sort - noexec. runner
  340. split - runner
  341. ssl_client - longterm
  342. start-stop-daemon - not noexec: uses bb_common_bufsiz1
  343. stat - noexec. nofork candidate(needs fewer allocs)
  344. strings - runner
  345. stty - noexec. nofork candidate: has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd
  346. su - suid, spawner
  347. sulogin - noexec. spawner
  348. sum - runner
  349. sv - noexec. needs ^C (uses usleep(420000))
  350. svc - noexec. needs ^C (uses usleep(420000))
  351. svlogd - daemon
  352. swapoff - longterm: may cause memory pressure, execing is beneficial
  353. swapon - rare
  354. switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
  355. sync - NOFORK
  356. sysctl - noexec. leaks: xstrdup+xmalloc_read
  357. syslogd - daemon
  358. tac - noexec. runner
  359. tail - runner
  360. tar - runner
  361. taskset - noexec. spawner
  362. tcpsvd - daemon
  363. tee - runner
  364. telnet - interactive, longterm
  365. telnetd - daemon
  366. test - NOFORK
  367. tftp - runner
  368. tftpd - daemon
  369. time - spawner, longterm, changes state (signals)
  370. timeout - spawner, longterm, changes state (signals)
  371. top - interactive, longterm
  372. touch - NOFORK
  373. tr - runner
  374. traceroute - suid, longterm
  375. traceroute6 - suid, longterm
  376. true - NOFORK
  377. truncate - NOFORK
  378. tty - NOFORK
  379. ttysize - NOFORK
  380. tunctl - noexec
  381. tune2fs - noexec. leaks: open+xfunc
  382. ubiattach - hardware
  383. ubidetach - hardware
  384. ubimkvol - hardware
  385. ubirename - hardware
  386. ubirmvol - hardware
  387. ubirsvol - hardware
  388. ubiupdatevol - hardware
  389. udhcpc - daemon
  390. udhcpd - daemon
  391. udpsvd - daemon
  392. uevent - daemon
  393. umount - noexec. leaks: nested xmalloc
  394. uname - NOFORK
  395. uncompress - runner
  396. unexpand - runner
  397. uniq - runner
  398. unix2dos - noexec. runner
  399. unlink - NOFORK
  400. unlzma - runner
  401. unlzop - runner
  402. unxz - runner
  403. unzip - runner
  404. uptime - noexec. nofork candidate(is getutxent ok?)
  405. users - noexec. nofork candidate(is getutxent ok?)
  406. usleep - NOFORK. But what about "killall usleep"?
  407. uudecode - runner
  408. uuencode - runner
  409. vconfig - noexec. leaks: xsocket+ioctl_or_perror_and_die
  410. vi - interactive, longterm
  411. vlock - suid
  412. volname - hardware (reads CDROM, this can take long-ish if need to spin up)
  413. w - noexec. nofork candidate(is getutxent ok?)
  414. wall - suid
  415. watch - longterm
  416. watchdog - daemon
  417. wc - runner
  418. wget - longterm
  419. which - NOFORK
  420. who - noexec. nofork candidate(is getutxent ok?)
  421. whoami - NOFORK
  422. whois - talks to network
  423. xargs - noexec. spawner
  424. xxd - noexec. runner
  425. xz - runner
  426. xzcat - runner
  427. yes - noexec. runner
  428. zcat - runner
  429. zcip - daemon