From 7f9d62d7f5b67b6b1cc7e0b94826ba2a6e193586 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Fri, 4 Aug 2017 16:01:39 +0200 Subject: tweak NOFORK_NOEXEC.lst Signed-off-by: Denys Vlasenko --- NOFORK_NOEXEC.lst | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index 14019bf..74922ff 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst @@ -2,26 +2,28 @@ Why an applet can't be NOFORK or NOEXEC? Why can't be NOFORK: interactive: may wait for user input, ^C has to work -spawner: "tool PROG ARGS" which changes program's environment - must fork +spawner: "tool PROG ARGS" which changes program state and execs - must fork changes state: e.g. environment, signal handlers alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies +leaks: does not free allocated memory or opened fds runner: sometimes may run for long(ish) time, and/or works with network: ^C has to work (cat BIGFILE, chmod -R, ftpget, nc) -"runners" can become eligible after shell is taught ^C to interrupt NOFORKs! +"runners" can become eligible after shell is taught ^C to interrupt NOFORKs, +need to be inspected that they do not fall into alloc+xfunc, open+xfunc +categories. Why can't be NOEXEC: suid: runs under different uid - must fork+exec Why shouldn't be NOFORK/NOEXEC: -complex: no immediately obvious reason why NOFORK wouldn't work, - but does some non-obvoius operations (example: fuser, lsof, losetup); - nested xmallocs (typical in complex code) is a problem for NOFORK -rare: not used often enough to bother optimizing (example: poweroff) +rare: not started often enough to bother optimizing (example: poweroff) +daemon: runs indefinitely; these are also always fit "rare" category longterm: often runs for a long time (many seconds), execing would make memory footprint smaller -daemon: runs indefinitely +complex: no immediately obvious reason why NOFORK wouldn't work, + but does some non-obvoius operations (example: fuser, lsof, losetup) [ - NOFORK [[ - NOFORK @@ -59,7 +61,7 @@ chpasswd - runner (list of "user:password"s from stdin) chpst - spawner chroot - spawner chrt - spawner -chvt +chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. Can be noexec. cksum - noexec. runner clear - NOFORK cmp - runner @@ -69,7 +71,7 @@ cp - noexec. runner cpio - runner crond - daemon crontab -cryptpw +cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. Can be noexec. cttyhack - spawner cut - noexec. runner date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf) -- cgit v1.1