users,w,who,uptime,renice: make NOEXEC
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko
parent
798b94518e
commit
1a1203ff89
@ -4,9 +4,9 @@ Why can't be NOFORK:
|
|||||||
interactive: may wait for user input, ^C has to work
|
interactive: may wait for user input, ^C has to work
|
||||||
spawner: "tool PROG ARGS" which changes program state and execs - must fork
|
spawner: "tool PROG ARGS" which changes program state and execs - must fork
|
||||||
changes state: e.g. environment, signal handlers
|
changes state: e.g. environment, signal handlers
|
||||||
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
|
|
||||||
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
|
|
||||||
leaks: does not free allocated memory or opened fds
|
leaks: does not free allocated memory or opened fds
|
||||||
|
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
|
||||||
|
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
|
||||||
runner: sometimes may run for long(ish) time, and/or works with network:
|
runner: sometimes may run for long(ish) time, and/or works with network:
|
||||||
^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
|
^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
|
||||||
|
|
||||||
@ -25,6 +25,8 @@ longterm: often runs for a long time (many seconds), execing makes
|
|||||||
complex: no immediately obvious reason why NOFORK wouldn't work,
|
complex: no immediately obvious reason why NOFORK wouldn't work,
|
||||||
but does some non-obvoius operations (example: fuser, lsof, losetup);
|
but does some non-obvoius operations (example: fuser, lsof, losetup);
|
||||||
detailed audit often turns out that it's a leaker
|
detailed audit often turns out that it's a leaker
|
||||||
|
hardware: performs unusual hardware ops which may take long,
|
||||||
|
or even hang due to hardware or firmware bugs
|
||||||
|
|
||||||
Interesting example of "interactive" applet which is nevertheless can be
|
Interesting example of "interactive" applet which is nevertheless can be
|
||||||
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
|
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
|
||||||
@ -42,8 +44,8 @@ adduser - noexec. leaks
|
|||||||
adjtimex - NOFORK
|
adjtimex - NOFORK
|
||||||
ar - runner
|
ar - runner
|
||||||
arch - NOFORK
|
arch - NOFORK
|
||||||
arp - complex, rare
|
arp - runner, needs ^C: arp -n talks to DNS servers
|
||||||
arping - runner
|
arping - longterm
|
||||||
ash - interactive, longterm
|
ash - interactive, longterm
|
||||||
awk - noexec. runner
|
awk - noexec. runner
|
||||||
base64 - runner
|
base64 - runner
|
||||||
@ -87,7 +89,7 @@ dd - noexec. runner
|
|||||||
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
|
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
|
||||||
delgroup - noexec. leaks
|
delgroup - noexec. leaks
|
||||||
deluser - noexec. leaks
|
deluser - noexec. leaks
|
||||||
depmod - complex, rare
|
depmod - longterm(ish)
|
||||||
devmem - runner, complex (access to device memory may hang)
|
devmem - runner, complex (access to device memory may hang)
|
||||||
df - leaks: nested allocs
|
df - leaks: nested allocs
|
||||||
dhcprelay - daemon
|
dhcprelay - daemon
|
||||||
@ -114,19 +116,19 @@ factor - runner (eats stdin if no params)
|
|||||||
fakeidentd - daemon
|
fakeidentd - daemon
|
||||||
false - NOFORK
|
false - NOFORK
|
||||||
fatattr - leaks: open+xioctl, complex
|
fatattr - leaks: open+xioctl, complex
|
||||||
fbset - leaks: open+xfunc, complex, rare
|
fbset - hardware, leaks: open+xfunc
|
||||||
fbsplash - runner, longterm
|
fbsplash - runner, longterm
|
||||||
fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
|
fdflush - hardware, leaks: open+ioctl_or_perror_and_die
|
||||||
fdformat - needs ^C (floppy may be unresponsive), longterm, rare
|
fdformat - hardware, needs ^C (floppy may be unresponsive), longterm
|
||||||
fdisk - interactive, longterm
|
fdisk - interactive, longterm
|
||||||
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
|
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
|
||||||
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
|
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
|
||||||
find - noexec. runner
|
find - noexec. runner
|
||||||
findfs - suid
|
findfs - suid
|
||||||
flash_eraseall - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
flash_eraseall - hardware
|
||||||
flash_lock - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
flash_lock - hardware
|
||||||
flash_unlock - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
flash_unlock - hardware
|
||||||
flashcp - needs ^C. could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
flashcp - hardware
|
||||||
flock - spawner, changes state (file locks), let's play safe and not be noexec
|
flock - spawner, changes state (file locks), let's play safe and not be noexec
|
||||||
fold - noexec. runner
|
fold - noexec. runner
|
||||||
free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
|
free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
|
||||||
@ -148,18 +150,18 @@ gunzip - runner
|
|||||||
gzip - runner
|
gzip - runner
|
||||||
halt - rare
|
halt - rare
|
||||||
hd - noexec. runner
|
hd - noexec. runner
|
||||||
hdparm - complex, rare
|
hdparm - hardware
|
||||||
head - noexec. runner
|
head - noexec. runner
|
||||||
hexdump - noexec. runner
|
hexdump - noexec. runner
|
||||||
hostid - NOFORK
|
hostid - NOFORK
|
||||||
hostname - needs ^C (may talk to DNS servers, which may be down)
|
hostname - needs ^C (may talk to DNS servers, which may be down)
|
||||||
httpd - daemon
|
httpd - daemon
|
||||||
hush - interactive, longterm
|
hush - interactive, longterm
|
||||||
hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C
|
hwclock - hardware (xioctl(RTC_RD_TIME))
|
||||||
i2cdetect
|
i2cdetect - hardware
|
||||||
i2cdump
|
i2cdump - hardware
|
||||||
i2cget
|
i2cget - hardware
|
||||||
i2cset
|
i2cset - hardware
|
||||||
id - noexec
|
id - noexec
|
||||||
ifconfig - leaks: xsocket+ioctl_or_perror_and_die
|
ifconfig - leaks: xsocket+ioctl_or_perror_and_die
|
||||||
ifenslave - leaks: xsocket+bb_perror_msg_and_die
|
ifenslave - leaks: xsocket+bb_perror_msg_and_die
|
||||||
@ -237,7 +239,7 @@ more - interactive, longterm
|
|||||||
mount - suid
|
mount - suid
|
||||||
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
|
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
|
||||||
mpstat - longterm: "mpstat 1" runs indefinitely
|
mpstat - longterm: "mpstat 1" runs indefinitely
|
||||||
mt - rare
|
mt - hardware
|
||||||
mv - noexec candidate, runner
|
mv - noexec candidate, runner
|
||||||
nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
|
nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
|
||||||
nbd-client - noexec
|
nbd-client - noexec
|
||||||
@ -257,8 +259,8 @@ paste - noexec. runner
|
|||||||
patch - needs ^C
|
patch - needs ^C
|
||||||
pgrep - nofork candidate(xregcomp, procps_scan - are they ok?)
|
pgrep - nofork candidate(xregcomp, procps_scan - are they ok?)
|
||||||
pidof - nofork candidate(uses find_pid_by_name, is that ok?)
|
pidof - nofork candidate(uses find_pid_by_name, is that ok?)
|
||||||
ping - suid, runner
|
ping - suid, longterm
|
||||||
ping6 - suid, runner
|
ping6 - suid, longterm
|
||||||
pipe_progress - longterm
|
pipe_progress - longterm
|
||||||
pivot_root - NOFORK
|
pivot_root - NOFORK
|
||||||
pkill - nofork candidate(xregcomp, procps_scan - are they ok?)
|
pkill - nofork candidate(xregcomp, procps_scan - are they ok?)
|
||||||
@ -282,7 +284,7 @@ realpath - NOFORK
|
|||||||
reboot - rare
|
reboot - rare
|
||||||
reformime - runner
|
reformime - runner
|
||||||
remove-shell - noexec. leaks: open+xfunc
|
remove-shell - noexec. leaks: open+xfunc
|
||||||
renice - nofork candidate(uses getpwnam, is that ok?)
|
renice - noexec. nofork candidate(uses getpwnam, is that ok?)
|
||||||
reset - noexec. spawner (execs "stty")
|
reset - noexec. spawner (execs "stty")
|
||||||
resize - noexec. changes state (signal handlers)
|
resize - noexec. changes state (signal handlers)
|
||||||
rev - runner
|
rev - runner
|
||||||
@ -358,21 +360,21 @@ timeout - spawner, longterm, changes state (signals)
|
|||||||
top - interactive, longterm
|
top - interactive, longterm
|
||||||
touch - NOFORK
|
touch - NOFORK
|
||||||
tr - runner
|
tr - runner
|
||||||
traceroute - suid, runner
|
traceroute - suid, longterm
|
||||||
traceroute6 - suid, runner
|
traceroute6 - suid, longterm
|
||||||
true - NOFORK
|
true - NOFORK
|
||||||
truncate - NOFORK
|
truncate - NOFORK
|
||||||
tty - NOFORK
|
tty - NOFORK
|
||||||
ttysize - NOFORK
|
ttysize - NOFORK
|
||||||
tunctl - noexec
|
tunctl - noexec
|
||||||
tune2fs - noexec. leaks: open+xfunc
|
tune2fs - noexec. leaks: open+xfunc
|
||||||
ubiattach - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubiattach - hardware
|
||||||
ubidetach - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubidetach - hardware
|
||||||
ubimkvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubimkvol - hardware
|
||||||
ubirename - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubirename - hardware
|
||||||
ubirmvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubirmvol - hardware
|
||||||
ubirsvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubirsvol - hardware
|
||||||
ubiupdatevol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
|
ubiupdatevol - hardware
|
||||||
udhcpc - daemon
|
udhcpc - daemon
|
||||||
udhcpd - daemon
|
udhcpd - daemon
|
||||||
udpsvd - daemon
|
udpsvd - daemon
|
||||||
@ -388,8 +390,8 @@ unlzma - runner
|
|||||||
unlzop - runner
|
unlzop - runner
|
||||||
unxz - runner
|
unxz - runner
|
||||||
unzip - runner
|
unzip - runner
|
||||||
uptime - nofork candidate(is getutxent ok?)
|
uptime - noexec. nofork candidate(is getutxent ok?)
|
||||||
users - nofork candidate(is getutxent ok?)
|
users - noexec. nofork candidate(is getutxent ok?)
|
||||||
usleep - NOFORK
|
usleep - NOFORK
|
||||||
uudecode - runner
|
uudecode - runner
|
||||||
uuencode - runner
|
uuencode - runner
|
||||||
@ -397,14 +399,14 @@ vconfig - leaks: xsocket+ioctl_or_perror_and_die
|
|||||||
vi - interactive, longterm
|
vi - interactive, longterm
|
||||||
vlock - suid
|
vlock - suid
|
||||||
volname - runner
|
volname - runner
|
||||||
w - nofork candidate(is getutxent ok?)
|
w - noexec. nofork candidate(is getutxent ok?)
|
||||||
wall - suid
|
wall - suid
|
||||||
watch - longterm
|
watch - longterm
|
||||||
watchdog - daemon
|
watchdog - daemon
|
||||||
wc - runner
|
wc - runner
|
||||||
wget - longterm
|
wget - longterm
|
||||||
which - NOFORK
|
which - NOFORK
|
||||||
who - nofork candidate(is getutxent ok?)
|
who - noexec. nofork candidate(is getutxent ok?)
|
||||||
whoami - NOFORK
|
whoami - NOFORK
|
||||||
whois - needs ^C
|
whois - needs ^C
|
||||||
xargs - noexec. spawner
|
xargs - noexec. spawner
|
||||||
|
|||||||
@ -38,10 +38,10 @@
|
|||||||
//config: help
|
//config: help
|
||||||
//config: Print users currently logged on.
|
//config: Print users currently logged on.
|
||||||
|
|
||||||
// APPLET_ODDNAME:name main location suid_type help
|
// APPLET_NOEXEC:name main location suid_type help
|
||||||
//applet:IF_USERS(APPLET_ODDNAME(users, who, BB_DIR_USR_BIN, BB_SUID_DROP, users))
|
//applet:IF_USERS(APPLET_NOEXEC(users, who, BB_DIR_USR_BIN, BB_SUID_DROP, users))
|
||||||
//applet:IF_W( APPLET_ODDNAME(w, who, BB_DIR_USR_BIN, BB_SUID_DROP, w))
|
//applet:IF_W( APPLET_NOEXEC(w, who, BB_DIR_USR_BIN, BB_SUID_DROP, w))
|
||||||
//applet:IF_WHO( APPLET( who, BB_DIR_USR_BIN, BB_SUID_DROP))
|
//applet:IF_WHO( APPLET_NOEXEC(who, who, BB_DIR_USR_BIN, BB_SUID_DROP, who))
|
||||||
|
|
||||||
//kbuild:lib-$(CONFIG_USERS) += who.o
|
//kbuild:lib-$(CONFIG_USERS) += who.o
|
||||||
//kbuild:lib-$(CONFIG_W) += who.o
|
//kbuild:lib-$(CONFIG_W) += who.o
|
||||||
|
|||||||
@ -42,6 +42,7 @@
|
|||||||
//applet:IF_I2CSET(APPLET(i2cset, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
//applet:IF_I2CSET(APPLET(i2cset, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
||||||
//applet:IF_I2CDUMP(APPLET(i2cdump, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
//applet:IF_I2CDUMP(APPLET(i2cdump, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
||||||
//applet:IF_I2CDETECT(APPLET(i2cdetect, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
//applet:IF_I2CDETECT(APPLET(i2cdetect, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
||||||
|
/* not NOEXEC: if hw operation stalls, use less memory in "hung" process */
|
||||||
|
|
||||||
//kbuild:lib-$(CONFIG_I2CGET) += i2c_tools.o
|
//kbuild:lib-$(CONFIG_I2CGET) += i2c_tools.o
|
||||||
//kbuild:lib-$(CONFIG_I2CSET) += i2c_tools.o
|
//kbuild:lib-$(CONFIG_I2CSET) += i2c_tools.o
|
||||||
|
|||||||
@ -27,7 +27,7 @@
|
|||||||
//config: help
|
//config: help
|
||||||
//config: Display the number of users currently logged on.
|
//config: Display the number of users currently logged on.
|
||||||
|
|
||||||
//applet:IF_UPTIME(APPLET(uptime, BB_DIR_USR_BIN, BB_SUID_DROP))
|
//applet:IF_UPTIME(APPLET_NOEXEC(uptime, uptime, BB_DIR_USR_BIN, BB_SUID_DROP, uptime))
|
||||||
|
|
||||||
//kbuild:lib-$(CONFIG_UPTIME) += uptime.o
|
//kbuild:lib-$(CONFIG_UPTIME) += uptime.o
|
||||||
|
|
||||||
|
|||||||
@ -25,7 +25,7 @@
|
|||||||
//config: Renice alters the scheduling priority of one or more running
|
//config: Renice alters the scheduling priority of one or more running
|
||||||
//config: processes.
|
//config: processes.
|
||||||
|
|
||||||
//applet:IF_RENICE(APPLET(renice, BB_DIR_USR_BIN, BB_SUID_DROP))
|
//applet:IF_RENICE(APPLET_NOEXEC(renice, renice, BB_DIR_USR_BIN, BB_SUID_DROP, renice))
|
||||||
|
|
||||||
//kbuild:lib-$(CONFIG_RENICE) += renice.o
|
//kbuild:lib-$(CONFIG_RENICE) += renice.o
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user