xref: /freebsd/share/man/man7/sdoc.7 (revision e1e636193db45630c7881246d25902e57c43d24e)
1.\" Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. The names of the authors may not be used to endorse or promote
13.\"    products derived from this software without specific prior written
14.\"    permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\" $Id: sec-doc.7,v 1.7 2001/12/22 00:14:12 rwatson Exp$
29.\"
30.Dd September 5, 2005
31.Dt SDOC 7
32.Os
33.Sh NAME
34.Nm sdoc
35.Nd guide to adding security considerations sections to manual pages
36.Sh DESCRIPTION
37This document presents guidelines for
38adding security considerations sections to manual pages.
39It provides two typical examples.
40.Pp
41The guidelines for writing
42.Fx
43manual pages in
44.Xr groff_mdoc 7
45mandate that each manual page describing a feature of the
46.Fx
47system should contain a security considerations section
48describing what security requirements can be broken
49through the misuse of that feature.
50When writing these sections, authors should attempt to
51achieve a happy medium between two conflicting goals:
52brevity and completeness.
53On one hand, security consideration sections must not be too verbose,
54or busy readers might be dissuaded from reading them.
55On the other hand, security consideration sections must not be incomplete,
56or they will fail in their purpose of
57instructing the reader on how to avoid all insecure uses.
58This document provides guidelines for balancing brevity and completeness
59in the security consideration section for a given feature of the
60.Fx
61system.
62.Ss Where to Start
63Begin by listing
64those general security requirements that can be violated
65through the misuse of the feature.
66There are four classes of security requirements:
67.Bl -hang -offset indent
68.It Em integrity
69(example: non-administrators should not modify system binaries),
70.It Em confidentiality
71(example: non-administrators should not view the shadow password file),
72.It Em availability
73(example: the web server should respond to client requests in a timely
74fashion), and
75.It Em correctness
76(example: the ps program should provide exactly the process table
77information listing functionality described in its documentation - no more,
78no less.)
79.El
80.Pp
81A good security considerations section
82should explain how the feature can be misused
83to violate each general security requirement in the list.
84Each explanation should be accompanied by instructions
85the reader should follow in order to avoid a violation.
86When referencing potential vulnerabilities
87described in the Secure Programming Practices manual page,
88.Xr sprog 7 ,
89likewise cross-reference that document
90rather than replicating information.
91Whenever possible, refer to this document
92rather than reproducing the material it contains.
93.Ss Where to Stop
94Security problems are often interrelated;
95individual problems often have far-reaching implications.
96For example, the correctness of virtually any dynamically-linked program
97is dependent on the correct implementation and configuration
98of the run-time linker.
99The correctness of this program, in turn,
100depends on the correctness of its libraries,
101the compiler used to build it,
102the correctness of the preceding compiler that was used to build that compiler,
103and so on,
104as described by Thompson (see
105.Sx SEE ALSO ,
106below).
107.Pp
108Due to the need for brevity, security consideration sections
109should describe only those issues directly related to the feature
110that is the subject of the manual page.
111Refer to other manual pages
112rather than duplicating the material found there.
113.Sh EXAMPLES
114Security considerations sections for most individual functions can follow
115this simple formula:
116.Pp
117.Bl -enum -offset indent -compact
118.It
119Provide one or two sentences describing each potential security
120problem.
121.It
122Provide one or two sentences describing how to avoid each potential
123security problem.
124.It
125Provide a short example in code.
126.El
127.Pp
128This is an example security considerations section for the
129.Xr strcpy 3
130manual page:
131.Pp
132The
133.Fn strcpy
134function is easily misused in a manner which enables malicious users
135to arbitrarily change a running program's functionality
136through a buffer overflow attack.
137.Pp
138Avoid using
139.Fn strcpy .
140Instead, use
141.Fn strncpy
142and ensure that no more characters are copied to the destination buffer
143than it can hold.
144Do not forget to NUL-terminate the destination buffer,
145as
146.Fn strncpy
147will not terminate the destination string if it is truncated.
148.Pp
149Note that
150.Fn strncpy
151can also be problematic.
152It may be a security concern for a string to be truncated at all.
153Since the truncated string will not be as long as the original,
154it may refer to a completely different resource
155and usage of the truncated resource
156could result in very incorrect behavior.
157Example:
158.Bd -literal
159void
160foo(const char *arbitrary_string)
161{
162	char onstack[8];
163
164#if defined(BAD)
165	/*
166	 * This first strcpy is bad behavior.  Do not use strcpy()!
167	 */
168	(void)strcpy(onstack, arbitrary_string);     /* BAD! */
169#elif defined(BETTER)
170	/*
171	 * The following two lines demonstrate better use of
172	 * strncpy().
173	 */
174	(void)strncpy(onstack, arbitrary_string, sizeof(onstack) - 1);
175	onstack[sizeof(onstack - 1)] = '\\0';
176#elif defined(BEST)
177	/*
178	 * These lines are even more robust due to testing for
179	 * truncation.
180	 */
181	if (strlen(arbitrary_string) + 1 > sizeof(onstack))
182		err(1, "onstack would be truncated");
183	(void)strncpy(onstack, arbitrary_string, sizeof(onstack));
184#endif
185}
186.Ed
187.Pp
188Security considerations sections for tools and commands
189are apt to be less formulaic.
190Let your list of potentially-violated security requirements
191be your guide;
192explain each one and list a solution in as concise a manner as possible.
193.Pp
194This is an example security considerations section for the
195.Xr rtld 1
196manual page:
197.Pp
198Using the LD_LIBRARY_PATH and LD_PRELOAD environment variables,
199malicious users can cause the dynamic linker
200to link shared libraries of their own devising
201into the address space of processes running non-set-user-ID/group-ID programs.
202These shared libraries can arbitrarily change the functionality
203of the program by replacing calls to standard library functions
204with calls to their own.
205Although this feature is disabled for set-user-ID and set-group-ID programs,
206it can still be used to create Trojan horses in other programs.
207.Pp
208All users should be aware that the correct operation of non
209set-user-ID/group-ID dynamically-linked programs depends on the proper
210configuration of these environment variables,
211and take care to avoid actions that might set them to values
212which would cause the run-time linker
213to link in shared libraries of unknown pedigree.
214.Sh SEE ALSO
215.Xr groff_mdoc 7 ,
216.Xr security 7 ,
217.Xr sprog 7
218.Rs
219.%A "Edward Amoroso, AT&T Bell Laboratories"
220.%B "Fundamentals of Computer Security Technology"
221.%I "P T R Prentice Hall"
222.%D "1994"
223.Re
224.Rs
225.%A "Ken Thompson"
226.%T "Reflections on Trusting Trust"
227.%J "Communications of the ACM"
228.%I "Association for Computing Machinery, Inc."
229.%P "761-763"
230.%N "Vol. 27, No. 8"
231.%D "August, 1984"
232.Re
233.Sh HISTORY
234The
235.Nm
236manual page first appeared in
237.Fx 5.0 .
238.Sh AUTHORS
239.An Tim Fraser Aq Mt tfraser@tislabs.com ,
240NAI Labs CBOSS project
241.An Brian Feldman Aq Mt bfeldman@tislabs.com ,
242NAI Labs CBOSS project
243