Secure Programming for Linux and Unix HOWTO

David A. Wheeler

This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, Python, TCL, and Ada95 are included.

Table of Contents
1. Introduction
2. Background
2.1. History of Unix, Linux, and Open Source / Free Software
2.1.1. Unix
2.1.2. Free Software Foundation
2.1.3. Linux
2.1.4. Open Source / Free Software
2.1.5. Comparing Linux and Unix
2.2. Security Principles
2.3. Is Open Source Good for Security?
2.4. Types of Secure Programs
2.5. Paranoia is a Virtue
2.6. Why Did I Write This Document?
2.7. Sources of Design and Implementation Guidelines
2.8. Other Sources of Security Information
2.9. Document Conventions
3. Summary of Linux and Unix Security Features
3.1. Processes
3.1.1. Process Attributes
3.1.2. POSIX Capabilities
3.1.3. Process Creation and Manipulation
3.2. Files
3.2.1. Filesystem Object Attributes
3.2.2. Creation Time Initial Values
3.2.3. Changing Access Control Attributes
3.2.4. Using Access Control Attributes
3.2.5. Filesystem Hierarchy
3.3. System V IPC
3.4. Sockets and Network Connections
3.5. Signals
3.6. Quotas and Limits
3.7. Dynamically Linked Libraries
3.8. Audit
3.9. PAM
3.10. Specialized Security Extensions for Unix-like Systems
4. Validate All Input
4.1. Command line
4.2. Environment Variables
4.2.1. Some Environment Variables are Dangerous
4.2.2. Environment Variable Storage Format is Dangerous
4.2.3. The Solution - Extract and Erase
4.3. File Descriptors
4.4. File Contents
4.5. Web-Based Application Inputs (Especially CGI Scripts)
4.6. Other Inputs
4.7. Human Language (Locale) Selection
4.7.1. How Locales are Selected
4.7.2. Locale Support Mechanisms
4.7.3. Legal Values
4.7.4. Bottom Line
4.8. Character Encoding
4.8.1. Introduction to Character Encoding
4.8.2. Introduction to UTF-8
4.8.3. UTF-8 Security Issues
4.8.4. UTF-8 Legal Values
4.8.5. UTF-8 Illegal Values
4.8.6. UTF-8 Related Issues
4.9. Prevent Cross-site Malicious Content on Input
4.10. Filter HTML/URIs That May Be Re-presented
4.10.1. Remove or Forbid Some HTML Data
4.10.2. Encoding HTML Data
4.10.3. Validating HTML Data
4.10.4. Validating Hypertext Links (URIs/URLs)
4.10.5. Other HTML tags
4.10.6. Related Issues
4.11. Forbid HTTP GET To Perform Non-Queries
4.12. Limit Valid Input Time and Load Level
5. Avoid Buffer Overflow
5.1. Dangers in C/C++
5.2. Library Solutions in C/C++
5.2.1. Standard C Library Solution
5.2.2. Static and Dynamically Allocated Buffers
5.2.3. strlcpy and strlcat
5.2.4. libmib
5.2.5. Libsafe
5.2.6. Other Libraries
5.3. Compilation Solutions in C/C++
5.4. Other Languages
6. Structure Program Internals and Approach
6.1. Follow Good Software Engineering Principles for Secure Programs
6.2. Secure the Interface
6.3. Minimize Privileges
6.3.1. Minimize the Privileges Granted
6.3.2. Minimize the Time the Privilege Can Be Used
6.3.3. Minimize the Time the Privilege is Active
6.3.4. Minimize the Modules Granted the Privilege
6.3.5. Consider Using FSUID To Limit Privileges
6.3.6. Consider Using Chroot to Minimize Available Files
6.3.7. Consider Minimizing the Accessible Data
6.3.8. Consider Minimizing the Resources Available
6.4. Avoid Creating Setuid/Setgid Scripts
6.5. Configure Safely and Use Safe Defaults
6.6. Load Initialization Values Safely
6.7. Fail Safe
6.8. Avoid Race Conditions
6.8.1. Sequencing (Non-Atomic) Problems Atomic Actions in the Filesystem Temporary Files
6.8.2. Locking Using Files as Locks Other Approaches to Locking
6.9. Trust Only Trustworthy Channels
6.10. Set up a Trusted Path
6.11. Use Internal Consistency-Checking Code
6.12. Self-limit Resources
6.13. Prevent Cross-Site Malicious Content
6.13.1. Explanation of the Problem
6.13.2. Solutions to Cross-Site Malicious Content Identifying Special Characters Filtering Encoding
6.14. Be Careful with Data Types
7. Carefully Call Out to Other Resources
7.1. Call Only Safe Library Routines
7.2. Limit Call-outs to Valid Values
7.3. Call Only Interfaces Intended for Programmers
7.4. Check All System Call Returns
7.5. Avoid Using vfork(2)
7.6. Counter Web Bugs When Retrieving Embedded Content
7.7. Hide Sensitive Information
8. Send Information Back Judiciously
8.1. Minimize Feedback
8.2. Don't Include Comments
8.3. Handle Full/Unresponsive Output
8.4. Control Data Formatting (``Format Strings'')
8.5. Control Character Encoding in Output
8.6. Prevent Include/Configuration File Access
9. Language-Specific Issues
9.1. C/C++
9.2. Perl
9.3. Python
9.4. Shell Scripting Languages (sh and csh Derivatives)
9.5. Ada
9.6. Java
9.7. TCL
10. Special Topics
10.1. Passwords
10.2. Random Numbers
10.3. Specially Protect Secrets (Passwords and Keys) in User Memory
10.4. Cryptographic Algorithms and Protocols
10.5. Using PAM
10.6. Tools
10.7. Windows CE
10.8. Write Audit Records
10.9. Miscellaneous
11. Conclusion
12. Bibliography
A. History
B. Acknowledgements
C. About the Documentation License
D. GNU Free Documentation License
E. Endorsements
F. About the Author
List of Tables
4-1. Legal UTF-8 Sequences
4-2. Illegal UTF-8 initial sequences
List of Figures
1-1. Abstract View of a Program