<!-- Rob Landley | aaffef4 | 2006-01-22 01:44:29 +0000 -->
<!--#include file="header.html" -->

<h2>Rob's notes on programming busybox.</h2>

<ul>
<li><a href="#goals">What are the goals of busybox?</a></li>
<li><a href="#design">What is the design of busybox?</a></li>
<li><a href="#source">How is the source code organized?</a></li>
<ul>
<li><a href="#source_applets">The applet directories.</a></li>
<li><a href="#source_libbb">The busybox shared library (libbb)</a></li>
</ul>
<li><a href="#adding">Adding an applet to busybox</a></li>
<li><a href="#standards">What standards does busybox adhere to?</a></li>
<li><a href="#tips">Tips and tricks.</a></li>
<ul>
<li><a href="#tips_encrypted_passwords">Encrypted Passwords</a></li>
<li><a href="#tips_vfork">Fork and vfork</a></li>
</ul>
</ul>

<h2><b><a name="goals" />What are the goals of busybox?</b></h2>

<p>Busybox aims to be the smallest and simplest correct implementation of the
standard Linux command line tools. First and foremost, this means the
smallest executable size we can manage. We also want to have the simplest
and cleanest implementation we can manage, be <a href="#standards">standards
compliant</a>, minimize run-time memory usage (heap and stack), run fast, and
take over the world.</p>

<h2><b><a name="design" />What is the design of busybox?</b></h2>

<p>Busybox is like a swiss army knife: one thing with many functions.
The busybox executable can act like many different programs depending on
the name used to invoke it. Normal practice is to create a bunch of symlinks
pointing to the busybox binary, each of which triggers a different busybox
function. (See <a href="FAQ.html#getting_started">getting started</a> in the
FAQ for more information on usage, and <a href="BusyBox.html">the
busybox documentation</a> for a list of symlink names and what they do.)</p>

<p>The "one binary to rule them all" approach is primarily for size reasons: a
single multi-purpose executable is smaller than many small files could be.
This way busybox only has one set of ELF headers, it can easily share code
between different apps even when statically linked, it has better packing
efficiency by avoiding gaps between files or compression dictionary resets,
and so on.</p>

<p>Work is underway on new options such as "make standalone" to build separate
binaries for each applet, and a "libbb.so" to make the busybox common code
available as a shared library. Neither is ready yet at the time of this
writing.</p>

<a name="source" />

<h2><a name="source_applets" /><b>The applet directories</b></h2>

<p>The directory "applets" contains the busybox startup code (applets.c and
busybox.c), and several subdirectories containing the code for the individual
applets.</p>

<p>Busybox execution starts with the main() function in applets/busybox.c,
which sets the global variable bb_applet_name to argv[0] and calls
run_applet_by_name() in applets/applets.c. That uses the applets[] array
(defined in include/busybox.h and filled out in include/applets.h) to
transfer control to the appropriate APPLET_main() function (such as
cat_main() or sed_main()). The individual applet takes it from there.</p>

<p>This is why calling busybox under a different name triggers different
functionality: main() looks up argv[0] in applets[] to get a function pointer
to APPLET_main().</p>

<p>Busybox applets may also be invoked through the multiplexor applet
"busybox" (see busybox_main() in applets/busybox.c), and through the
standalone shell (grep for STANDALONE_SHELL in applets/shell/*.c).
See <a href="FAQ.html#getting_started">getting started</a> in the
FAQ for more information on these alternate usage mechanisms, which are
just different ways to reach the relevant APPLET_main() function.</p>

<p>The applet subdirectories (archival, console-tools, coreutils,
debianutils, e2fsprogs, editors, findutils, init, loginutils, miscutils,
modutils, networking, procps, shell, sysklogd, and util-linux) correspond
to the configuration sub-menus in menuconfig. Each subdirectory contains the
code to implement the applets in that sub-menu, as well as a Config.in
file defining that configuration sub-menu (with dependencies and help text
for each applet), and the makefile segment (Makefile.in) for that
subdirectory.</p>

<p>The run-time --help is stored in usage_messages[], which is initialized at
the start of applets/applets.c and gets its help text from usage.h. During the
build this help text is also used to generate the BusyBox documentation (in
html, txt, and man page formats) in the docs directory. See
<a href="#adding">adding an applet to busybox</a> for more
information.</p>

<h2><a name="source_libbb" /><b>libbb</b></h2>

<p>Most non-setup code shared between busybox applets lives in the libbb
directory. It's a mess that evolved over the years without much auditing
or cleanup. For anybody looking for a great project to break into busybox
development with, documenting libbb would be both incredibly useful and good
experience.</p>

<p>Common themes in libbb include allocation functions that test
for failure and abort the program with an error message so the caller doesn't
have to test the return value (xmalloc(), xstrdup(), etc), wrapped versions
of open(), close(), read(), and write() that test for their own failures
and/or retry automatically, linked list management functions (llist.c),
command line argument parsing (getopt_ulflags.c), and a whole lot more.</p>

<h2><a name="adding" /><b>Adding an applet to busybox</b></h2>

<p>To add a new applet to busybox, first pick a name for the applet and
a corresponding CONFIG_NAME. Then do this:</p>

<ul>
<li>Figure out where in the busybox source tree your applet best fits,
and put your source code there. Be sure to use APPLET_main() instead
of main(), where APPLET is the name of your applet.</li>

<li>Add your applet to the relevant Config.in file (which file you add
it to determines where it shows up in "make menuconfig"). This uses
the same general format as the linux kernel's configuration system.</li>

<li>Add your applet to the relevant Makefile.in file (in the same
directory as the Config.in you chose), using the existing entries as a
template and the same CONFIG symbol as you used for Config.in. (Don't
forget "needlibm" or "needcrypt" if your applet needs libm or
libcrypt.)</li>

<li>Add your applet to "include/applets.h", using one of the existing
entries as a template. (Note: this is in alphabetical order. Applets
are found via binary search, and if you add an applet out of order it
won't work.)</li>

<li>Add your applet's runtime help text to "include/usage.h". You need
at least appname_trivial_usage (the minimal help text, always included
in the busybox binary when this applet is enabled) and appname_full_usage
(extra help text included in the busybox binary when
CONFIG_FEATURE_VERBOSE_USAGE is enabled), or it won't compile.
The other two help entry types (appname_example_usage and
appname_notes_usage) are optional. They don't take up space in the binary,
but instead show up in the generated documentation (BusyBox.html,
BusyBox.txt, and the man page BusyBox.1).</li>

<li>Run menuconfig, switch your applet on, compile, test, and fix the
bugs. Be sure to try both "allyesconfig" and "allnoconfig" (and
"allbareconfig" if relevant).</li>

</ul>
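<p>An added example (not busybox's own applets.c) of the two mechanisms described above: the argv[0] lookup in a sorted applets[] table via bsearch(), and a check that the table really is in strict alphabetical order, since an out-of-order entry is exactly what makes an applet unfindable. The applet names and *_main bodies are stand-ins.</p>

```c
/* Added example, not busybox code: an applet table keyed on argv[0],
 * looked up with bsearch() the way applets[] in include/applets.h is,
 * plus a check that the table is in strict alphabetical order, which
 * the binary search requires.  The names and *_main bodies are stand-ins. */
#include <stdlib.h>
#include <string.h>

struct applet {
    const char *name;
    int (*main)(int argc, char **argv);
};

/* Stand-in applet bodies; real busybox has cat_main(), sed_main(), etc. */
static int cat_main(int argc, char **argv)  { (void)argv; return 10 + argc; }
static int echo_main(int argc, char **argv) { (void)argv; return 20 + argc; }
static int sed_main(int argc, char **argv)  { (void)argv; return 30 + argc; }

/* Must stay sorted by name, like include/applets.h. */
static const struct applet applets[] = {
    { "cat",  cat_main },
    { "echo", echo_main },
    { "sed",  sed_main },
};
#define NUM_APPLETS (sizeof(applets) / sizeof(applets[0]))

static int applet_cmp(const void *key, const void *elem)
{
    return strcmp((const char *)key, ((const struct applet *)elem)->name);
}

/* Returns 1 if every entry is in strict alphabetical order, else 0.  An
 * out-of-order entry is the failure bsearch() cannot tolerate: the applet
 * is silently unfindable, so run this over the table in a build-time test. */
int applets_sorted(const struct applet *tab, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (strcmp(tab[i - 1].name, tab[i].name) >= 0)
            return 0;
    return 1;
}

/* The run_applet_by_name() equivalent: only the basename of argv[0] is
 * used, so "/bin/cat" and "cat" both reach cat_main().  Returns -1 when
 * no applet matches. */
int run_applet_by_name(int argc, char **argv)
{
    const char *slash = strrchr(argv[0], '/');
    const char *name = slash ? slash + 1 : argv[0];
    const struct applet *a = bsearch(name, applets, NUM_APPLETS,
                                     sizeof(applets[0]), applet_cmp);
    return a ? a->main(argc, argv) : -1;
}
```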

<h2><a name="standards">What standards does busybox adhere to?</a></h2>

<p>The standard we're paying attention to is the "Shell and Utilities"
portion of the <a href="http://www.opengroup.org/onlinepubs/009695399/">Open
Group Base Standards</a> (also known as the Single Unix Specification version
3 or SUSv3). Note that paying attention isn't necessarily the same thing as
following it.</p>

<p>SUSv3 doesn't even mention things like init, mount, tar, or losetup, nor
commonly used options like echo's '-e' and '-n', or sed's '-i'. Busybox is
driven by what real users actually need, not the fact the standard believes
we should implement ed or sccs. For size reasons, we're unlikely to include
much internationalization support beyond UTF-8, and on top of all that, our
configuration menu lets developers chop out features to produce smaller but
very non-standard utilities.</p>

<p>Also, Busybox is aimed primarily at Linux. Unix standards are interesting
because Linux tries to adhere to them, but portability to dozens of platforms
is only interesting in terms of offering a restricted feature set that works
everywhere, not growing dozens of platform-specific extensions. Busybox
should be portable to all hardware platforms Linux supports, and any other
similar operating systems that are easy to do and won't require much
maintenance.</p>

<p>In practice, standards compliance tends to be a clean-up step once an
applet is otherwise finished. When polishing and testing a busybox applet,
we ensure we have at least the option of full standards compliance, or else
document where we (intentionally) fall short.</p>

<h2><a name="tips">Programming tips and tricks.</a></h2>

<p>Various things busybox uses that aren't particularly well documented
elsewhere.</p>

<h2><a name="tips_encrypted_passwords">Encrypted Passwords</a></h2>

<p>Password fields in /etc/passwd and /etc/shadow are in a special format.
If the first character isn't '$', then it's an old DES style password. If
the first character is '$' then the password is actually three fields
separated by '$' characters:</p>
<pre>
<b>$type$salt$encrypted_password</b>
</pre>

<p>The "type" indicates which encryption algorithm to use: 1 for MD5 and 2 for SHA1.</p>

<p>The "salt" is a bunch of random characters (generally 8) the encryption
algorithm uses to perturb the password in a known and reproducible way (such
as by appending the random data to the unencrypted password, or combining
them with exclusive or). Salt is randomly generated when setting a password,
and then the same salt value is re-used when checking the password. (Salt is
thus stored unencrypted.)</p>

<p>The advantage of using salt is that the same cleartext password encrypted
with a different salt value produces a different encrypted value.
If each encrypted password uses a different salt value, an attacker is forced
to do the cryptographic math all over again for each password they want to
check. Without salt, they could simply produce a big dictionary of commonly
used passwords ahead of time, and look up each password in a stolen password
file to see if it's a known value. (Even if there are billions of possible
passwords in the dictionary, checking each one is just a binary search against
a file only a few gigabytes long.) With salt they can't even tell if two
different users share the same password without guessing what that password
is and decrypting it. They also can't precompute the attack dictionary for
a specific password until they know what the salt value is.</p>

<p>The third field is the encrypted password (plus the salt). For md5 this
is 22 bytes.</p>

<p>The busybox function to handle all this is pw_encrypt(clear, salt) in
"libbb/pw_encrypt.c". The first argument is the clear text password to be
encrypted, and the second is a string in "$type$salt$password" format, from
which the "type" and "salt" fields will be extracted to produce an encrypted
value. (Only the first two fields are needed, the third $ is equivalent to
the end of the string.) The return value is an encrypted password in
/etc/passwd format, with all three $ separated fields. It's stored in
a static buffer, 128 bytes long.</p>

<p>So when checking an existing password, if pw_encrypt(text,
old_encrypted_password) returns a string that compares identical to
old_encrypted_password, you've got the right password. When setting a new
password, generate a random 8 character salt string, put it in the right
format with sprintf(buffer, "$%c$%s", type, salt), and feed buffer as the
second argument to pw_encrypt(text,buffer).</p>
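<p>An added example (not busybox's pw_encrypt() itself) of the field handling the two paragraphs above describe: splitting a "$type$salt$..." setting string, with the third '$' optional as stated, building a "$type$salt" setting for a new password from CSPRNG bytes, and comparing the result against the stored value without an early exit on the first differing byte. The crypt() step is not called here; the function names are assumptions.</p>

```c
/* Added example, not busybox code: the parsing pw_encrypt() does on its
 * second argument, salt generation for a new password, and a comparison
 * that does not leak the position of the first mismatch through timing. */
#include <stdio.h>
#include <string.h>

/* Splits "$type$salt$rest" into type and salt.  Returns 1 on success, 0 if
 * the field is an old DES-style password (no leading '$') or malformed.
 * A missing third '$' is treated as the end of the string, as the text says. */
int parse_pw_setting(const char *field, char *type, char *salt, size_t saltsz)
{
    if (field[0] != '$')
        return 0;                       /* old DES-style: no type/salt fields */
    const char *t = field + 1;
    if (t[0] == '\0' || t[0] == '$' || t[1] != '$')
        return 0;                       /* type must be exactly one character */
    const char *s = t + 2;
    const char *e = strchr(s, '$');     /* third '$' is optional */
    size_t saltlen = e ? (size_t)(e - s) : strlen(s);
    if (saltlen == 0 || saltlen >= saltsz)
        return 0;                       /* empty salt, or won't fit the buffer */
    *type = t[0];
    memcpy(salt, s, saltlen);
    salt[saltlen] = '\0';
    return 1;
}

/* Builds the "$type$salt" setting string for a *new* password into out
 * (at least 12 bytes).  Salt characters come from crypt()'s [a-zA-Z0-9./]
 * alphabet.  Assumption: rnd holds bytes from a real CSPRNG such as
 * /dev/urandom, never rand(). */
void make_salt_setting(char type, const unsigned char *rnd, size_t n, char *out)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    char salt[9];
    if (n > 8) n = 8;
    for (size_t i = 0; i < n; i++)
        salt[i] = alphabet[rnd[i] & 63];  /* 64 symbols, so &63 is unbiased */
    salt[n] = '\0';
    sprintf(out, "$%c$%s", type, salt);
}

/* Compares the freshly computed hash with the stored one; unlike strcmp()
 * it keeps going after the first differing byte.  Returns 1 when equal. */
int pw_hash_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
```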

<h2><a name="tips_vfork">Fork and vfork</a></h2>

<p>On systems that haven't got a Memory Management Unit, fork() is unreasonably
expensive to implement, so a less capable function called vfork() is used
instead.</p>

<p>The reason vfork() exists is that if you haven't got an MMU then you can't
simply set up a second set of page tables and share the physical memory via
copy-on-write, which is what fork() normally does. This means that actually
forking has to copy all the parent's memory (which could easily be tens of
megabytes). And you have to do this even though that memory gets freed again
as soon as the exec happens, so it's probably all a big waste of time.</p>

<p>This is not only slow and a waste of space, it also causes totally
unnecessary memory usage spikes based on how big the _parent_ process is (not
the child), and these spikes are quite likely to trigger an out of memory
condition on small systems (which is where nommu is common anyway). So
although you _can_ emulate a real fork on a nommu system, you really don't
want to.</p>

<p>In theory, vfork() is just a fork() that writeably shares the heap and stack
rather than copying it (so what one process writes the other one sees). In
practice, vfork() has to suspend the parent process until the child does exec,
at which point the parent wakes up and resumes by returning from the call to
vfork(). All modern kernel/libc combinations implement vfork() to put the
parent to sleep until the child does its exec. There's just no other way to
make it work: they're sharing the same stack, so if either one returns from its
function it stomps on the callstack so that when the other process returns,
hilarity ensues. In fact without suspending the parent there's no way to even
store separate copies of the return value (the pid) from the vfork() call
itself: both assignments write into the same memory location.</p>

<p>One way to understand (and in fact implement) vfork() is this: imagine
the parent does a setjmp and then continues on (pretending to be the child)
until the exec() comes around, then the _exec_ does the actual fork, and the
parent does a longjmp back to the original vfork call and continues on from
there. (It thus becomes obvious why the child can't return, or modify
local variables it doesn't want the parent to see changed when it resumes.)</p>

<p>Note a common mistake: the need for vfork doesn't mean you can't have two
processes running at the same time. It means you can't have two processes
sharing the same memory without stomping all over each other. As soon as
the child calls exec(), the parent resumes.</p>

<p>(Now in theory, a nommu system could just copy the _stack_ when it forks
(which presumably is much shorter than the heap), and leave the heap shared.
In practice, you've just wound up in a multi-threaded situation and you can't
do a malloc() or free() on your heap without freeing the other process's memory
(and if you don't have the proper locking for being threaded, corrupting the
heap if both of you try to do it at the same time and wind up stomping on
each other while traversing the free memory lists). The thing about vfork is
that it's a big red flag warning "there be dragons here" rather than
something subtle and thus even more dangerous.)</p>
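<p>An added example (not busybox's own code) of the vfork() discipline the section above lays out: between vfork() and exec the child writes no local variables, never returns from the function, and leaves through _exit() if exec fails, so the shared stack is intact when the parent resumes. The function name spawn_and_wait() is an assumption.</p>

```c
/* Added example, not busybox code: spawning a program with vfork() under
 * the rules the text gives.  The child only execs or calls _exit(); it
 * never touches locals, never returns, and never calls exit(), which
 * would run the parent's atexit handlers and flush its stdio buffers
 * from inside the shared address space. */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs argv[0] (searched on PATH) with argv and waits for it.  Returns the
 * child's exit status (0-255), 127 if exec failed, or -1 if vfork() or
 * waitpid() failed or the child died from a signal. */
int spawn_and_wait(char *const argv[])
{
    int status;                    /* written by the parent only, after resuming */
    pid_t pid = vfork();
    if (pid < 0)
        return -1;                 /* parent: vfork() itself failed */
    if (pid == 0) {
        /* Child, on the parent's stack: no local writes, no return. */
        execvp(argv[0], argv);
        _exit(127);                /* exec failed; _exit(), never exit() */
    }
    /* Parent: reached only after the child has exec'd or _exit'd. */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                     /* terminated by a signal */
}
```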

<br>
<br>
<br>

<!--#include file="footer.html" -->