1.\" 2.\" Copyright (c) 2001 Eric Melville <eric@FreeBSD.org> 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" $FreeBSD$ 27.\" 28.Dd June 3, 2001 29.Dt SPROG 7 30.Os 31.Sh NAME 32.Nm sprog 33.Nd secure programming practices 34.Sh DESCRIPTION 35Security issues have crept into many systems over the years. 36This document is a guide for programming practices that prevent these problems. 37.Ss Overview 38Writing secure applications takes a very scrutinous and pessimistic outlook. 39Applications should be run with the principle of 40.Dq Li least privilege 41so that no process is ever running with more than the bare minimum access it 42needs to accomplish its function. 43Previously tested code should be reused whenever possible. 44Generally, anything beyond the control of a program should never be trusted. 45This includes all forms of user input, system resources, interprocess 46communication, and the timing of events. 47.Ss Buffer Overflows 48One of the most common types of security problems is the buffer overflow. 49In short, if a program is not careful with the data it receives, it may be 50possible for this data to be written across memory, overwriting the return 51address for a function call, and the program will be forced to run code that 52does unfriendly things. 53.Pp 54A good number of functions in the standard C library make it difficult or 55even impossible to prevent buffer overflows when used. 56These include 57.Xr fscanf 3 , 58.Xr gets 3 , 59.Xr getwd 3 , 60.Xr realpath 3 , 61.Xr scanf 3 , 62.Xr sprintf 3 , 63.Xr strcat 3 , 64.Xr strcpy 3 , 65.Xr vscanf 3 , 66and 67.Xr vsprintf 3 . 68.Pp 69Many other functions that deal with strings can also open up a potential 70buffer overflow when not used carefully. 71For example, 72.Xr strncat 3 73does not go out of its way to provide 74.Tn NUL 75character termination. 76Of course, the proper length must always be specified. 77Usage of 78.Xr strlcat 3 79and 80.Xr strlcpy 3 81ensure that strings are null terminated and of the specified length. 82.Pp 83Functions that receive a string format must also be used carefully. 84It is possible for a string to contain additional format specifiers, which 85open up another possibility for a buffer overflow. 86Never pass a string with untrusted data without using 87.Ql %s . 88Always use the proper secure idiom: 89.Pp 90.Dl function("%s", string); 91.Pp 92There are mechanisms that provide a backstop for these problems at the 93library and compiler levels, however, there is no substitute for simply 94writing good code. 95.Ss Set-user-ID Issues 96In many cases, it may be necessary for a program to operate with an increased 97set of permissions. 98Reasons for this include binding to protected sockets, reading and writing 99certain files and directories, and access to various resources. 100Using a setuid program is frequently the solution. 101However, it is important that programs give up these privileges as soon as 102possible. 103For example, if a program is binding to a protected socket, it should give 104up its privileges as soon as it has finished binding to that socket. 105This is accomplished with the 106.Xr setuid 2 107family of system calls. 108.Ss Limited Environments 109The traditional method of restricting a process is with the 110.Xr chroot 2 111system call. 112This system call changes the root directory from which all other paths are 113referenced for a process and any child processes. 114Of course, the process must have access to this path to begin with. 115The new environment does not actually take effect until 116.Xr chdir 2 117is called to place the process into the new environment. 118Unfortunately, a process can break out of this environment if root access is 119obtained. 120.Pp 121Often, 122.Xr jail 2 123can be used to create a more complete and enclosed environment than 124.Xr chroot 2 125can provide. 126A jail limits all processes inside that environment, including processes with 127superuser privileges. 128.Pp 129Fine grained privileges, as described by 130.Tn POSIX Ns .1e 131extensions, are currently a work in progress, and the focus of the 132.Tn TrustedBSD 133Project. 134More information can be found at 135.Pa http://www.TrustedBSD.org/ . 136.Ss Trust 137Programs should not make assumptions about the environment in which they are 138running. 139This includes user input, signals, environment variables, system resources, 140interprocess communications, and shared memory, amongst other things that are 141beyond the control of the program. 142They should not assume that all forms of invalid data can be detected either. 143Instead, they should use positive filtering, and only allow a specific subset 144of inputs that are known to be safe. 145This is the same logic that an administrator should apply to a firewall, that 146is, deny by default and specify what is to be accepted. 147.Ss Race Conditions 148A race condition is anomalous behavior caused by the relative timing of 149events. 150Programs should not assume that a particular event will occur before another. 151The most common causes of race conditions are signals, access checks, and 152file reads. 153Signals are asynchronous by nature, so special care must be taken 154while dealing with them. 155Attempting to check access with sequential non-atomic operations is a very 156bad idea, as files can be moved and changed at any given time. 157Instead of using a sequence of 158.Xr access 2 159and 160.Xr open 2 , 161use 162.Xr seteuid 2 163and then call 164.Xr open 2 165directly. 166Set 167.Xr umask 2 168properly beforehand. 169.Sh SEE ALSO 170.Xr jail 2 , 171.Xr setuid 2 , 172.Xr strlcat 3 , 173.Xr strlcpy 3 174.Sh AUTHORS 175.An -nosplit 176.An Eric Melville Aq Mt eric@FreeBSD.org 177originally wrote this document based on a chapter of the 178.%B "FreeBSD Developer's Handbook" 179written by 180.An Murray Stokely Aq Mt murray@FreeBSD.org . 181