1.\" Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. The names of the authors may not be used to endorse or promote 13.\" products derived from this software without specific prior written 14.\" permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $Id: sec-doc.7,v 1.7 2001/12/22 00:14:12 rwatson Exp$ 29.\" 30.Dd September 5, 2005 31.Dt SDOC 7 32.Os 33.Sh NAME 34.Nm sdoc 35.Nd guide to adding security considerations sections to manual pages 36.Sh DESCRIPTION 37This document presents guidelines for 38adding security considerations sections to manual pages. 39It provides two typical examples. 40.Pp 41The guidelines for writing 42.Fx 43manual pages in 44.Xr groff_mdoc 7 45mandate that each manual page describing a feature of the 46.Fx 47system should contain a security considerations section 48describing what security requirements can be broken 49through the misuse of that feature. 50When writing these sections, authors should attempt to 51achieve a happy medium between two conflicting goals: 52brevity and completeness. 53On one hand, security consideration sections must not be too verbose, 54or busy readers might be dissuaded from reading them. 55On the other hand, security consideration sections must not be incomplete, 56or they will fail in their purpose of 57instructing the reader on how to avoid all insecure uses. 58This document provides guidelines for balancing brevity and completeness 59in the security consideration section for a given feature of the 60.Fx 61system. 62.Ss Where to Start 63Begin by listing 64those general security requirements that can be violated 65through the misuse of the feature. 66There are four classes of security requirements: 67.Bl -hang -offset indent 68.It Em integrity 69(example: non-administrators should not modify system binaries), 70.It Em confidentiality 71(example: non-administrators should not view the shadow password file), 72.It Em availability 73(example: the web server should respond to client requests in a timely 74fashion), and 75.It Em correctness 76(example: the ps program should provide exactly the process table 77information listing functionality described in its documentation - no more, 78no less.) 79.El 80.Pp 81A good security considerations section 82should explain how the feature can be misused 83to violate each general security requirement in the list. 84Each explanation should be accompanied by instructions 85the reader should follow in order to avoid a violation. 86When referencing potential vulnerabilities 87described in the Secure Programming Practices manual page, 88.Xr sprog 7 , 89likewise cross-reference that document 90rather than replicating information. 91Whenever possible, refer to this document 92rather than reproducing the material it contains. 93.Ss Where to Stop 94Security problems are often interrelated; 95individual problems often have far-reaching implications. 96For example, the correctness of virtually any dynamically-linked program 97is dependent on the correct implementation and configuration 98of the run-time linker. 99The correctness of this program, in turn, 100depends on the correctness of its libraries, 101the compiler used to build it, 102the correctness of the preceding compiler that was used to build that compiler, 103and so on, 104as described by Thompson (see 105.Sx SEE ALSO , 106below). 107.Pp 108Due to the need for brevity, security consideration sections 109should describe only those issues directly related to the feature 110that is the subject of the manual page. 111Refer to other manual pages 112rather than duplicating the material found there. 113.Sh EXAMPLES 114Security considerations sections for most individual functions can follow 115this simple formula: 116.Pp 117.Bl -enum -offset indent -compact 118.It 119Provide one or two sentences describing each potential security 120problem. 121.It 122Provide one or two sentences describing how to avoid each potential 123security problem. 124.It 125Provide a short example in code. 126.El 127.Pp 128This is an example security considerations section for the 129.Xr strcpy 3 130manual page: 131.Pp 132The 133.Fn strcpy 134function is easily misused in a manner which enables malicious users 135to arbitrarily change a running program's functionality 136through a buffer overflow attack. 137.Pp 138Avoid using 139.Fn strcpy . 140Instead, use 141.Fn strncpy 142and ensure that no more characters are copied to the destination buffer 143than it can hold. 144Do not forget to NUL-terminate the destination buffer, 145as 146.Fn strncpy 147will not terminate the destination string if it is truncated. 148.Pp 149Note that 150.Fn strncpy 151can also be problematic. 152It may be a security concern for a string to be truncated at all. 153Since the truncated string will not be as long as the original, 154it may refer to a completely different resource 155and usage of the truncated resource 156could result in very incorrect behavior. 157Example: 158.Bd -literal 159void 160foo(const char *arbitrary_string) 161{ 162 char onstack[8]; 163 164#if defined(BAD) 165 /* 166 * This first strcpy is bad behavior. Do not use strcpy()! 167 */ 168 (void)strcpy(onstack, arbitrary_string); /* BAD! */ 169#elif defined(BETTER) 170 /* 171 * The following two lines demonstrate better use of 172 * strncpy(). 173 */ 174 (void)strncpy(onstack, arbitrary_string, sizeof(onstack) - 1); 175 onstack[sizeof(onstack - 1)] = '\\0'; 176#elif defined(BEST) 177 /* 178 * These lines are even more robust due to testing for 179 * truncation. 180 */ 181 if (strlen(arbitrary_string) + 1 > sizeof(onstack)) 182 err(1, "onstack would be truncated"); 183 (void)strncpy(onstack, arbitrary_string, sizeof(onstack)); 184#endif 185} 186.Ed 187.Pp 188Security considerations sections for tools and commands 189are apt to be less formulaic. 190Let your list of potentially-violated security requirements 191be your guide; 192explain each one and list a solution in as concise a manner as possible. 193.Pp 194This is an example security considerations section for the 195.Xr rtld 1 196manual page: 197.Pp 198Using the LD_LIBRARY_PATH and LD_PRELOAD environment variables, 199malicious users can cause the dynamic linker 200to link shared libraries of their own devising 201into the address space of processes running non-set-user-ID/group-ID programs. 202These shared libraries can arbitrarily change the functionality 203of the program by replacing calls to standard library functions 204with calls to their own. 205Although this feature is disabled for set-user-ID and set-group-ID programs, 206it can still be used to create Trojan horses in other programs. 207.Pp 208All users should be aware that the correct operation of non 209set-user-ID/group-ID dynamically-linked programs depends on the proper 210configuration of these environment variables, 211and take care to avoid actions that might set them to values 212which would cause the run-time linker 213to link in shared libraries of unknown pedigree. 214.Sh SEE ALSO 215.Xr groff_mdoc 7 , 216.Xr security 7 , 217.Xr sprog 7 218.Rs 219.%A "Edward Amoroso, AT&T Bell Laboratories" 220.%B "Fundamentals of Computer Security Technology" 221.%I "P T R Prentice Hall" 222.%D "1994" 223.Re 224.Rs 225.%A "Ken Thompson" 226.%T "Reflections on Trusting Trust" 227.%J "Communications of the ACM" 228.%I "Association for Computing Machinery, Inc." 229.%P "761-763" 230.%N "Vol. 27, No. 8" 231.%D "August, 1984" 232.Re 233.Sh HISTORY 234The 235.Nm 236manual page first appeared in 237.Fx 5.0 . 238.Sh AUTHORS 239.An Tim Fraser Aq Mt tfraser@tislabs.com , 240NAI Labs CBOSS project 241.An Brian Feldman Aq Mt bfeldman@tislabs.com , 242NAI Labs CBOSS project 243