busybox/shell
Denys Vlasenko 7b25b1c5b2 hush: do not leak script fds into NOEXEC children
We set all opened script fds to CLOEXEC, thus making then go away
after fork+exec.
Unfortunately, CLOFORK does not exist. NOEXEC children will still see those fds open.

For one, "ls" applet is NOEXEC. Therefore running "ls -l /proc/self/fd"
in a script from standalone shell shows this:

lrwx------    1 root     root            64 Aug 20 15:17 0 -> /dev/pts/3
lrwx------    1 root     root            64 Aug 20 15:17 1 -> /dev/pts/3
lrwx------    1 root     root            64 Aug 20 15:17 2 -> /dev/pts/3
lr-x------    1 root     root            64 Aug 20 15:17 3 -> /path/to/top/level/script
lr-x------    1 root     root            64 Aug 20 15:17 4 -> /path/to/sourced/SCRIPT1
...

with as many open fds as there are ". SCRIPTn" nest levels.
Fix it by closing these fds after fork (only for NOEXEC children).

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-08-20 15:58:34 +02:00
..
ash_test ash: fix handling of ${VAR: -2} 2016-07-25 03:56:00 +02:00
hush_test hush: fix a bug in FEATURE_SH_STANDALONE=y config. Closes 9186 2016-08-19 18:43:06 +02:00
msh_test whitespace fixes 2010-01-25 13:39:24 +01:00
ash_doc.txt
ash_ptr_hack.c *: make GNU licensing statement forms more regular 2010-08-16 20:14:46 +02:00
ash.c ash: fix handling of ${VAR: -2} 2016-07-25 03:56:00 +02:00
brace.txt hush: wait for cmd to complete, and immediately store its exitcode in $? 2009-11-15 19:58:19 +01:00
Config.src config: disentangle PREFER_APPLETS from SH_STANDALONE and SH_NOFORK 2016-07-22 18:48:38 +02:00
cttyhack.c cttyhack: handle multiple consoles found in sysfs 2012-02-04 21:55:01 +01:00
hush_doc.txt
hush_leaktool.sh
hush.c hush: do not leak script fds into NOEXEC children 2016-08-20 15:58:34 +02:00
Kbuild.src *: make GNU licensing statement forms more regular 2010-08-16 20:14:46 +02:00
match.c shell/match.c: shrink by dropping double bool inversion 2010-09-12 15:06:42 +02:00
match.h hush: optimize #[#] and %[%] for speed. size -2 bytes. 2010-09-04 21:21:07 +02:00
math.c typo fix in comment 2014-11-20 01:43:30 +01:00
math.h move endofname() to libbb 2013-02-26 00:36:53 +01:00
random.c ash,hush: fix a thinko about 2^64-1 factorization 2014-03-15 09:25:46 +01:00
random.h ash,hush: improve randomness of $RANDOM, add easy-ish way to test it 2014-03-13 12:52:43 +01:00
README update shell/README 2010-05-20 12:56:14 +02:00
README.job
shell_common.c *: slap on a few ALIGN1/2s where appropriate 2016-04-22 18:09:21 +02:00
shell_common.h *: declare strings with ALIGN1, as appropriate 2012-07-24 15:56:37 +02:00

http://www.opengroup.org/onlinepubs/9699919799/
Open Group Base Specifications Issue 7


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap01.html
Shell & Utilities

It says that any of the standard utilities may be implemented
as a regular shell built-in. It gives a list of utilities which
are usually implemented that way (and some of them can only
be implemented as built-ins, like "alias"):

alias
bg
cd
command
false
fc
fg
getopts
jobs
kill
newgrp
pwd
read
true
umask
unalias
wait


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html
Shell Command Language

It says that shell must implement special built-ins. Special built-ins
differ from regular ones by the fact that variable assignments
done on special builtin are *PRESERVED*. That is,

VAR=VAL special_builtin; echo $VAR

should print VAL.

(Another distinction is that an error in special built-in should
abort the shell, but this is not such a critical difference,
and moreover, at least bash's "set" does not follow this rule,
which is even codified in autoconf configure logic now...)

List of special builtins:

. file
: [argument...]
break [n]
continue [n]
eval [argument...]
exec [command [argument...]]
exit [n]
export name[=word]...
export -p
readonly name[=word]...
readonly -p
return [n]
set [-abCefhmnuvx] [-o option] [argument...]
set [+abCefhmnuvx] [+o option] [argument...]
set -- [argument...]
set -o
set +o
shift [n]
times
trap n [condition...]
trap [action condition...]
unset [-fv] name...

In practice, no one uses this obscure feature - none of these builtins
gives any special reasons to play such dirty tricks.

However. This section also says that *function invocation* should act
similar to special built-in. That is, variable assignments
done on function invocation should be preserved after function invocation.

This is significant: it is not unthinkable to want to run a function
with some variables set to special values. But because of the above,
it does not work: variable will "leak" out of the function.