Secure Programming for Linux and Unix HOWTO

David A. Wheeler

This paper provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, Python, TCL, and Ada95 are included.


Table of Contents

1. Introduction
2. Background
   History of Unix, Linux, and Open Source / Free Software
      Unix
      Free Software Foundation
      Linux
      Open Source / Free Software
      Comparing Linux and Unix
   Security Principles
   Types of Secure Programs
   Paranoia is a Virtue
   Why Did I Write This Document?
   Sources of Design and Implementation Guidelines
   Other Sources of Security Information
   Document Conventions
3. Summary of Linux and Unix Security Features
   Processes
      Process Attributes
      POSIX Capabilities
      Process Creation and Manipulation
   Files
      Filesystem Object Attributes
      Creation Time Initial Values
      Changing Access Control Attributes
      Using Access Control Attributes
      Filesystem Hierarchy
   System V IPC
   Sockets and Network Connections
   Signals
   Quotas and Limits
   Dynamically Linked Libraries
   Audit
   PAM
4. Validate All Input
   Command line
   Environment Variables
      Some Environment Variables are Dangerous
      Environment Variable Storage Format is Dangerous
      The Solution - Extract and Erase
   File Descriptors
   File Contents
   Web-Based Applications (Especially CGI Scripts)
   Other Inputs
   Human Language (Locale) Selection
      How Locales are Selected
      Locale Support Mechanisms
      Legal Values
      Bottom Line
   Character Encoding
   Limit Valid Input Time and Load Level
5. Avoid Buffer Overflow
   Dangers in C/C++
   Library Solutions in C/C++
      Standard C Library Solution
      Static and Dynamically Allocated Buffers
      strlcpy and strlcat
      libmib
      Libsafe
      Other Libraries
   Compilation Solutions in C/C++
   Other Languages
6. Structure Program Internals and Approach
   Secure the Interface
   Minimize Privileges
      Minimize the Privileges Granted
      Minimize the Time the Privilege Can Be Used
      Minimize the Time the Privilege is Active
      Minimize the Modules Granted the Privilege
      Consider Using FSUID To Limit Privileges
      Consider Using Chroot to Minimize Available Files
      Consider Minimizing the Accessible Data
   Avoid Creating Setuid/Setgid Scripts
   Configure Safely and Use Safe Defaults
   Fail Safe
   Avoid Race Conditions
      Sequencing (Non-Atomic) Problems
      Locking
   Trust Only Trustworthy Channels
   Use Internal Consistency-Checking Code
   Self-limit Resources
7. Carefully Call Out to Other Resources
   Limit Call-outs to Valid Values
   Check All System Call Returns
8. Send Information Back Judiciously
   Minimize Feedback
   Handle Full/Unresponsive Output
   Control Data Formatting
9. Language-Specific Issues
   C/C++
   Perl
   Python
   Shell Scripting Languages (sh and csh Derivatives)
   Ada
   Java
   TCL
10. Special Topics
   Passwords
   Random Numbers
   Specially Protect Secrets (Passwords and Keys) in User Memory
   Cryptographic Algorithms and Protocols
   PAM
   Tools
   Miscellaneous
11. Conclusion
12. Bibliography
A. History
B. Acknowledgements
C. About the Documentation License
D. GNU Free Documentation License
E. Endorsements
F. About the Author

List of Tables

4-1. Illegal UTF-8 initial sequences