-rw-r--r-- | NOFORK_NOEXEC.lst | 48 | ||||
-rw-r--r-- | util-linux/mesg.c | 9 |
2 files changed, 31 insertions, 26 deletions
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index 730f2cc..ccd8f0c 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst @@ -51,7 +51,7 @@ basename - NOFORK beep blkdiscard blkid -blockdev +blockdev - noexec candidate (rather simple), leaks fd bootchartd - daemon brctl bunzip2 - runner @@ -69,7 +69,7 @@ chpasswd - runner (list of "user:password"s from stdin) chpst - noexec candidate, spawner chroot - noexec candidate, spawner chrt - noexec candidate, spawner -chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec. +chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate. cksum - noexec. runner clear - NOFORK cmp - runner @@ -78,14 +78,14 @@ conspy - interactive, longterm cp - noexec. runner cpio - runner crond - daemon -crontab -cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. Can be noexec. +crontab 0 leaks: open+xasprintf +cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. noexec candidate. cttyhack - noexec candidate, spawner cut - noexec. runner date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf) dc - runner (eats stdin if no params) dd - noexec. runner -deallocvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec. +deallocvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate. delgroup deluser depmod - complex, rare 
@@ -100,8 +100,8 @@ dnsdomainname - needs ^C (may talk to DNS servers, which may be down) dos2unix - noexec. runner dpkg - runner du - runner -dumpkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec. -dumpleases +dumpkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate. +dumpleases - leaks: open+xread echo - NOFORK ed - interactive, longterm egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory) @@ -120,7 +120,7 @@ fbsplash - runner, longterm fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare fdformat - needs ^C (floppy may be unresponsive), longterm, rare fdisk - interactive, longterm -fgconsole - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec. +fgconsole - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate. fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory) find - noexec. runner findfs - suid @@ -133,7 +133,7 @@ fold - noexec. runner free - nofork candidate(struct globals, needs to close /proc/meminfo fd) freeramdisk - leaks: open+ioctl_or_perror_and_die fsck - interactive, longterm -fsck.minix +fsck.minix - needs ^C fsfreeze - noexec candidate (it's very simple), leaks: open+xioctl fstrim - noexec candidate (it's very simple), leaks: open+xioctl, find_block_device -> readdir+xstrdup fsync - NOFORK @@ -162,8 +162,8 @@ i2cdump i2cget i2cset id - noexec -ifconfig -ifenslave +ifconfig - leaks: xsocket+ioctl_or_perror_and_die +ifenslave - leaks: xsocket+bb_perror_msg_and_die ifplugd - daemon inetd - daemon init - daemon 
@@ -182,7 +182,7 @@ ipneigh - noexec candidate iproute - noexec candidate iprule - noexec candidate iptunnel - noexec candidate -kbd_mode +kbd_mode - leaks: xopen_nonblocking+xioctl kill - NOFORK killall - NOFORK killall5 - NOFORK @@ -194,8 +194,8 @@ linux32 - spawner linux64 - spawner linuxrc - daemon ln - noexec -loadfont -loadkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec. +loadfont - leaks: config_open+bb_error_msg_and_die("map format") +loadkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate. logger - runner login - suid, interactive, longterm logname - NOFORK @@ -219,7 +219,7 @@ makemime - runner man - spawner, interactive, longterm md5sum - noexec. runner mdev - daemon -mesg +mesg - NOFORK microcom - interactive, longterm mkdir - NOFORK mkdosfs - needs ^C @@ -229,7 +229,7 @@ mkfs.ext2 - needs ^C mkfs.minix - needs ^C mkfs.vfat - needs ^C mknod - noexec -mkpasswd - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. Can be noexec. +mkpasswd - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. noexec candidate. mkswap - needs ^C mktemp - noexec. leaks: xstrdup+concat_path_file modinfo - noexec @@ -239,8 +239,8 @@ mount - suid mountpoint - noexec candidate, leaks: option -n "print dev name": find_block_device -> readdir+xstrdup mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex mt - rare -mv - runner (can be noexec?) -nameif +mv - noexec candidate, runner +nameif - leaks: config_open2+ioctl_or_perror_and_die nbd-client nc - runner netstat - runner with -c 
@@ -260,8 +260,8 @@ pgrep - nofork candidate(xregcomp, procps_scan - are they ok?) pidof - nofork candidate(uses find_pid_by_name, is that ok?) ping - suid, runner ping6 - suid, runner -pipe_progress -pivot_root +pipe_progress - longterm +pivot_root - nofork candidate? the code is trivial pkill - nofork candidate(xregcomp, procps_scan - are they ok?) pmap - noexec candidate, leaks: open+xstrdup popmaildir - runner @@ -378,7 +378,7 @@ udhcpc - daemon udhcpd - daemon udpsvd - daemon uevent - daemon -umount +umount - noexec candidate, leaks: nested xmalloc uname - NOFORK uncompress - runner unexpand - runner @@ -398,16 +398,16 @@ vconfig - leaks: xsocket+ioctl_or_perror_and_die vi - interactive, longterm vlock - suid volname - runner -w +w - nofork candidate(is getutxent ok?) wall - suid watch - longterm watchdog - daemon wc - runner wget - longterm which - NOFORK -who +who - nofork candidate(is getutxent ok?) whoami - NOFORK -whois +whois - needs ^C xargs - noexec. spawner xxd - noexec. runner xz - runner diff --git a/util-linux/mesg.c b/util-linux/mesg.c index c4371eb..91c0531 100644 --- a/util-linux/mesg.c +++ b/util-linux/mesg.c @@ -26,7 +26,7 @@ //config: If you set this option to N, "mesg y" will enable writing //config: by anybody at all. This is not recommended. -//applet:IF_MESG(APPLET(mesg, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_MESG(APPLET_NOFORK(mesg, mesg, BB_DIR_USR_BIN, BB_SUID_DROP, mesg)) //kbuild:lib-$(CONFIG_MESG) += mesg.o @@ -60,10 +60,15 @@ int mesg_main(int argc UNUSED_PARAM, char **argv) bb_show_usage(); } + /* We are a NOFORK applet. + * (Not that it's very useful, but code is trivially NOFORK-safe). + * Play nice. Do not leak anything. + */ + if (!isatty(STDIN_FILENO)) bb_error_msg_and_die("not a tty"); - xfstat(STDIN_FILENO, &sb, "stderr"); + xfstat(STDIN_FILENO, &sb, "stdin"); if (c == 0) { puts((sb.st_mode & (S_IWGRP|S_IWOTH)) ? "is y" : "is n"); return EXIT_SUCCESS; |
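Review bot: The comment added before the `isatty(STDIN_FILENO)` check in mesg_main calls the code "trivially NOFORK-safe" without stating what that safety depends on, so a later edit could break it unnoticed. In the visible lines the applet only queries `STDIN_FILENO`, and nothing is opened or allocated before the bail-out calls `bb_show_usage()`, `bb_error_msg_and_die()` and `xfstat()` (the last presumably dies on failure). I would spell the invariant out, e.g. `/* NOFORK: we run inside the caller's process; only STDIN_FILENO is used, nothing is opened or allocated, so the die paths leave nothing behind. */`. mesg_main starts before and continues after this hunk, so the rest of the body needs the same check before the claim is relied on.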