On Wed, Jan 26, 2022 at 05:18:58AM -0600, Ariadne Conill wrote: > On Tue, 25 Jan 2022, Kees Cook wrote: > > Lots of stuff likes to do: > > execve(path, NULL, NULL); > > I looked at these, and these seem to basically be lazily-written test cases > which should be fixed. I didn't see any example of real-world applications > doing this. As noted in some of the test cases, there are comments like > "Solaris doesn't support this," etc. See also the (small) handful of instances of `execlp(cmd, NULL);` out there, which I imagine would start to fail: https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0 Two of the hits (ispell, nauty) would seem to be non-test use cases. As an aside, saying POSIX "disallows" argc == 0 might be overstating it a little. As far as I can tell (quotes below), while a Strictly Conforming POSIX Application must provide argc >= 1 to a program it executes, the argc == 0 case isn't entirely disallowed. https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/basedefs/V1_chap01.html "should -- describes a feature or behavior that is recommended but not mandatory. An application should not rely on the existence of the feature or behavior." https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/functions/execve.html "The value in argv[0] *should* point to a filename string that is associated with the process --" (emphasis added) "Early proposals required that the value of argc passed to main() be "one or greater". This was driven by the same requirement in drafts of the ISO C standard. In fact, historical implementations have passed a value of zero when no arguments are supplied to the caller of the exec functions. This requirement was removed from the ISO C standard and subsequently removed from this volume of POSIX.1-2017 as well. The wording, in particular the use of the word should, requires a Strictly Conforming POSIX Application to pass at least one argument to the exec function, thus guaranteeing that argc be one or greater when invoked by such an application. In fact, this is good practice, since many existing applications reference argv[0] without first checking the value of argc." Just to be clear, not disputing the part that disallowing `argc == 0` would be a reasonable idea, or claiming that there's a valid use case. Just the part where POSIX would *require* the system to disallow this. -- Heikki Kallasjoki