xref: /freebsd/share/man/man7/sprog.7 (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1.\"
2.\" Copyright (c) 2001 Eric Melville <eric@FreeBSD.org>
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.Dd June 3, 2001
27.Dt SPROG 7
28.Os
29.Sh NAME
30.Nm sprog
31.Nd secure programming practices
32.Sh DESCRIPTION
33Security issues have crept into many systems over the years.
34This document is a guide for programming practices that prevent these problems.
35.Ss Overview
36Writing secure applications takes a very scrutinous and pessimistic outlook.
37Applications should be run with the principle of
38.Dq Li least privilege
39so that no process is ever running with more than the bare minimum access it
40needs to accomplish its function.
41Previously tested code should be reused whenever possible.
42Generally, anything beyond the control of a program should never be trusted.
43This includes all forms of user input, system resources, interprocess
44communication, and the timing of events.
45.Ss Buffer Overflows
46One of the most common types of security problems is the buffer overflow.
47In short, if a program is not careful with the data it receives, it may be
48possible for this data to be written across memory, overwriting the return
49address for a function call, and the program will be forced to run code that
50does unfriendly things.
51.Pp
52A good number of functions in the standard C library make it difficult or
53even impossible to prevent buffer overflows when used.
54These include
55.Xr fscanf 3 ,
56.Xr gets 3 ,
57.Xr getwd 3 ,
58.Xr realpath 3 ,
59.Xr scanf 3 ,
60.Xr sprintf 3 ,
61.Xr strcat 3 ,
62.Xr strcpy 3 ,
63.Xr vscanf 3 ,
64and
65.Xr vsprintf 3 .
66.Pp
67Many other functions that deal with strings can also open up a potential
68buffer overflow when not used carefully.
69For example,
70.Xr strncat 3
71does not go out of its way to provide
72.Tn NUL
73character termination.
74Of course, the proper length must always be specified.
75Usage of
76.Xr strlcat 3
77and
78.Xr strlcpy 3
79ensure that strings are null terminated and of the specified length.
80.Pp
81Functions that receive a string format must also be used carefully.
82It is possible for a string to contain additional format specifiers, which
83open up another possibility for a buffer overflow.
84Never pass a string with untrusted data without using
85.Ql %s .
86Always use the proper secure idiom:
87.Pp
88.Dl function("%s", string);
89.Pp
90There are mechanisms that provide a backstop for these problems at the
91library and compiler levels, however, there is no substitute for simply
92writing good code.
93.Ss Set-user-ID Issues
94In many cases, it may be necessary for a program to operate with an increased
95set of permissions.
96Reasons for this include binding to protected sockets, reading and writing
97certain files and directories, and access to various resources.
98Using a setuid program is frequently the solution.
99However, it is important that programs give up these privileges as soon as
100possible.
101For example, if a program is binding to a protected socket, it should give
102up its privileges as soon as it has finished binding to that socket.
103This is accomplished with the
104.Xr setuid 2
105family of system calls.
106.Ss Limited Environments
107The traditional method of restricting a process is with the
108.Xr chroot 2
109system call.
110This system call changes the root directory from which all other paths are
111referenced for a process and any child processes.
112Of course, the process must have access to this path to begin with.
113The new environment does not actually take effect until
114.Xr chdir 2
115is called to place the process into the new environment.
116Unfortunately, a process can break out of this environment if root access is
117obtained.
118.Pp
119Often,
120.Xr jail 2
121can be used to create a more complete and enclosed environment than
122.Xr chroot 2
123can provide.
124A jail limits all processes inside that environment, including processes with
125superuser privileges.
126.Pp
127Fine grained privileges, as described by
128.Tn POSIX Ns .1e
129extensions, are currently a work in progress, and the focus of the
130.Tn TrustedBSD
131Project.
132More information can be found at
133.Pa http://www.TrustedBSD.org/ .
134.Ss Trust
135Programs should not make assumptions about the environment in which they are
136running.
137This includes user input, signals, environment variables, system resources,
138interprocess communications, and shared memory, amongst other things that are
139beyond the control of the program.
140They should not assume that all forms of invalid data can be detected either.
141Instead, they should use positive filtering, and only allow a specific subset
142of inputs that are known to be safe.
143This is the same logic that an administrator should apply to a firewall, that
144is, deny by default and specify what is to be accepted.
145.Ss Race Conditions
146A race condition is anomalous behavior caused by the relative timing of
147events.
148Programs should not assume that a particular event will occur before another.
149The most common causes of race conditions are signals, access checks, and
150file reads.
151Signals are asynchronous by nature, so special care must be taken
152while dealing with them.
153Attempting to check access with sequential non-atomic operations is a very
154bad idea, as files can be moved and changed at any given time.
155Instead of using a sequence of
156.Xr access 2
157and
158.Xr open 2 ,
159use
160.Xr seteuid 2
161and then call
162.Xr open 2
163directly.
164Set
165.Xr umask 2
166properly beforehand.
167.Sh SEE ALSO
168.Xr jail 2 ,
169.Xr setuid 2 ,
170.Xr strlcat 3 ,
171.Xr strlcpy 3
172.Sh AUTHORS
173.An -nosplit
174.An Eric Melville Aq Mt eric@FreeBSD.org
175originally wrote this document based on a chapter of the
176.%B "FreeBSD Developer's Handbook"
177written by
178.An Murray Stokely Aq Mt murray@FreeBSD.org .
179