Bring in the new security guide.

Submitted by:	jkb

en/security/advisories.xml

@@ -1,77 +1,95 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
 <!ENTITY base CDATA "..">
-<!ENTITY date "$Date: 1998-12-13 23:19:25 $">
-<!ENTITY title "FreeBSD Security Guide">
+<!ENTITY date "$Date: 1998-12-19 09:55:30 $">
+<!ENTITY title "FreeBSD Security Information">
 <!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
 ]>
-<!-- $Id: advisories.xml,v 1.8 1998-12-13 23:19:25 steve Exp $ -->
+<!-- $Id: advisories.xml,v 1.9 1998-12-19 09:55:30 jkh Exp $ -->
 
 <html>
     &header;
 
-<P>This guide attempts to document some of the tips and tricks used by
-many FreeBSD security experts for securing systems and writing secure
-code.  It is designed to help you learn about the various ways of protecting
-a FreeBSD system against outside attacks and how to recover from such attacks
-if and when they should happen.  It also lists the various ways in which
-the systems programmer can become more security conscious so he will
- less likely introduce security holes in the first place.</P>
+<H2>Introduction</H2>
 
-<P>We welcome your comments on the contents and correctness of this page.
-Please send email to the <A HREF="mailto:security-officer@FreeBSD.org">
-FreeBSD Security Officers</A> if you have changes you'd like to see here.</P>
+<P>This web page is designed to assist both new and experienced users
+in the area of security for the FreeBSD Operating System.  The FreeBSD
+Development team takes security very seriously and is constantly working
+on making the OS as secure as possible.</P>
 
-<H2>The FreeBSD security officer</H2>
+<P>Here you will find additional information, or links to information,
+on how to protect your system against various types of outside attack,
+whom to contact if you find a security related bug, etc.  There is
+also a section on the various ways that the systems programmer can
+become more security conscious so he or she is less likely to
+introduce security holes in the first place.</P>
 
-<P>FreeBSD takes security seriously, a dedicated team of security officers
-providing a focal point for security related communications. A security
-officers' main task is to send out advisories when there are known security
-holes and otherwise keep abreast of security issues.  The security officers
-also communicate with the various <A HREF="http://www.cert.org/">CERT</A>
-and <A HREF="http://www.first.org/">FIRST</A> teams around the world,
-sharing information about vulnerabilities in FreeBSD or utilities commonly
-used by FreeBSD, and keeping up to date on security issues in the world at
-large.  The security officers are also active members of those
-organizations.</P>
+<H2>Table Of Content</H2>
+<UL>
+<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
+<LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
+<LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
+<LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
+<LI><A HREF="#spg">Secure Programing Guidelines</A></LI>
+<LI><A HREF="#misc">Other Related Security Information</A></LI>
+</UL>
 
-<P>When you need to contact the security officers about a sensitive matter,
-please use their
-<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
-to encrypt your message before sending it.</P>
+<A NAME=sec></A>
+<H2>The FreeBSD Security Officer</H2>
 
-<H2>FreeBSD security advisories:</H2>
+<P>To better coordinate information exchange with others in the security
+community, FreeBSD has a focal point for security related communications:
+The FreeBSD <a href="mailto:security-officer@freebsd.org">security officer</a>.
+The position is actually staffed by a team of dedicated security officers,
+their main tasks being to send out advisories when there are known security
+holes and to act on reports of possible security problems with FreeBSD.</P>
 
-<P>The FreeBSD security officers provide security advisories for
-the following releases of FreeBSD:</P>
+<P>If you need to contact someone from the FreeBSD team about a
+possible security bug, you should therefore please <A
+HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer</A>
+with a description of what you've found and the type of vulnerability it
+represents.  The Security Officers also communicate with the various
+<A HREF="http://www.cert.org">CERT </A>and <A
+HREF="http://www.first.org/"> FIRST</A> teams around the world,
+sharing information about possible vulnerabilities in FreeBSD or
+utilities commonly used by FreeBSD.  The Security Officers are also
+active members of those organizations.</P>
+
+<P>If you do need to contact the Security Officer about a particularly
+sensitive matter, please use their <A
+HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key
+</A> to encrypt your message before sending it.</P>
+
+<A NAME=adv></A>
+<H2>FreeBSD Security Advisories</H2>
+
+<P>The FreeBSD Security Officers provide security advisories for the
+following releases of FreeBSD:</P>
 
 <UL>
-<LI>	the most recent official release of FreeBSD,
-<LI>	FreeBSD-current,
+<LI>	The most recent official release of FreeBSD.
+<LI>	FreeBSD-current.
 <LI>	FreeBSD-stable, when at least 2 releases are based on it.
-<LI>	the previous FreeBSD-stable when a "new stable" does not
-        yet have 2 releases based on it.
+<LI>	The previous FreeBSD-stable when a "new stable" does not yet
+	have 2 releases based on it.
 </UL>
 
 At this time, security advisories are available for:
 <UL>
-<LI>	FreeBSD 2.2.6
+<LI>	FreeBSD 2.2.7
+<LI>	FreeBSD 2.2.8
+<LI>	FreeBSD 3.0
 <LI>	FreeBSD-current
 <LI>	FreeBSD-stable
 </UL>
 
-<P>Older releases will not be actively maintained and users are strongly
-encouraged to upgrade to one of the supported releases.</P>
-
-<P>An advisory will be sent out when a security hole exists that is
-either being actively abused (as indicated to us via reports from end
-users or CERT like organizations), or when the security hole is public
-knowledge (e.g. because a report has been posted to a public mailing
-list).</P>
+<P>Older releases are not maintained and users are strongly encouraged
+to upgrade to one of the supported releases mentioned above.</P>
 
 <P>Like all development efforts, security fixes are first brought into
-the <A HREF="../handbook/current.html">FreeBSD-current</A>
-branch.  After a couple of days and some testing, the fix is retrofitted
-into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>
+the <A HREF="../handbook/current.html">FreeBSD-current</A> branch.
+After a couple of days and some testing, the fix is retrofitted into
+the supported FreeBSD-stable branch(es) and an advisory then sent
+out.</P>
 
 <P>Advisories are sent to the following FreeBSD mailing lists:
 <UL>
@@ -80,9 +98,10 @@ into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>
 <LI>FreeBSD-announce@freebsd.org
 </UL>
 
-<P>Advisories are always signed using the FreeBSD security officer
-<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
-and are archived, along with their associated patches, at our
+
+<P>Advisories are always signed using the FreeBSD Security Officer
+<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc"> PGP key
+</A> and are archived, along with their associated patches, at our
 <A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/index.html">FTP CERT
 repository</A>.  At the time of this writing, the following advisories are
 currently available:</P>
@@ -117,98 +136,317 @@ currently available:</P>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc">FreeBSD-SA-98:04.mmap.asc</A></LI>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:05.nfs.asc">FreeBSD-SA-98:05.nfs.asc</A></LI>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:06.icmp.asc">FreeBSD-SA-98:06.icmp.asc</A></LI>
+<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:07.rst.asc">FreeBSD-SA-98:07.rst.asc</A></LI>
+<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:08.fragment.asc">FreeBSD-SA-98:08.fragment.asc</A></LI>
 </UL>
 
-<H2>FreeBSD security related information</H2>
+<A NAME=ml></A>
+<H2>FreeBSD Security Mailing Lists Information</H2>
 
-<P>If you want to stay up to date on FreeBSD security, you can subscribe
-yorself to one of the following mailing lists:</P>
+<P>If you are administering or using any number of FreeBSD systems, you
+should probably be subscribed to one or more of the following lists:</P>
 
 <PRE>
-freebsd-security		General security related discussion
-freebsd-security-notifications	Security notifications (moderated mailing list)
+freebsd-security                General security related discussion
+freebsd-security-notification   Security notifications (moderated mailing list)
 </PRE>
 
-Send mail to <A HREF="mailto:majordomo@freebsd.org">majordomo@FreeBSD.ORG</A>
-with
+Send mail to <A HREF="mailto:majordomo@freebsd.org">
+majordomo@FreeBSD.ORG</A> with
 <PRE>
      subscribe &lt;listname&gt;  [&lt;optional address&gt;]
 </PRE>
 in the body of the message in order to subscribe yourself.
+For example:
+<PRE>
+% echo "subscribe freebsd-security" | mail majordomo@freebsd.org
+</PRE>
+and if you would like to unsubscribe from a mailing list:
+<PRE>
+% echo "unsubscribe freebsd-security" | mail majordomo@freebsd.org
+</PRE>
 
-<H2>What to do when you detect a security compromise:</H2>
+<A NAME=spg></A>
+<H2>Secure Programing Guidelines</H2>
+<P><P><UL>
+<LI>Never trust any source of input, i.e. command line arguments,
+environment variables, configuration files, incoming TCP/UDP/ICMP packets,
+hostname lookups, function arguments, etc.  If the length of or contents of
+the date received is at all subject to outside control, then the program or
+function should watch for this when copying it around.  Specific security
+issues to watch for in this are are:
+<P></P>
+  <UL>
 
-<UL>
-<LI><B>Determine the level of security breach:</B><BR>
-What privilege did the attack get? That of another user or more (up to
-root privileges)?</LI>
+<LI>strcpy() and sprintf() calls from unbounded data.  Use strncpy and
+snprintf() when the length is known (or implement some other form of
+bounds-checking when the length is unknown).  In fact, never ever use
+gets() or sprintf(), period.  If you do - will send evil dwarfs after you.
+<P></P></LI>
 
-<LI><B>Determine those parts of the system which are not in their original state
-anymore:</B><BR>
-What software has been tampered with? You may decide to re-install the
-operating system from a safe medium, or you might have MD5 checksums of
-the original software with which you can check your system. The tripwire
-package also keeps MD5 checksums, though be aware that tripwire might
-be tampered with as well and be sure and use a known-good copy.</LI>
+<LI>If you have to check the user input so it does not contain bad
+characters of some sort, do NOT check for those bad characters.  Instead
+simply verify that it consists ONLY of those characters that you do
+allow.  In general concept is: disallow anything that is not 
+explicitly allowed. 
+<P></P></LI>
 
-<LI><B>Find out how the breakin was done:</B><BR>
-Via a well-known security bug? A misconfiguration?  If it's a new bug,
-you should warn the <A HREF="mailto:security-officer@freebsd.org">
-FreeBSD Security Officer</A>.</LI>
+<LI>Read man pages for strncpy() and strncat() calls.  Be sure to 
+understand how they work!!! While strncpy() might not append a terminating
+\0, strncat() on the other hand adds the \0.
+<P></P></LI>
 
-<LI><B>Fix the hole(s):</B><BR>
-Install new software that fixes the problems. If you aren't able to get
-a fix quickly, you should temporarily disable remote access to your system
-until you have done so.</LI>
+<LI>Watch for strvis() and getenv() abuse.  With strvis() it is easy to get
+the destination string wrong for, and getenv() can return strings much
+longer then the program might expect.  These two functions are one of the
+key ways an attack is often made on a program, causing it to overwrite stack
+or variables by setting its environment variables to unexpected values.  If
+your program reads environment variables, be paranoid.  Be very paranoid!
+<P></P></LI>
+
+<LI>Ever time you use open() or stat() call - ask yourself: "What if it
+is a symbolic link?"
+<P></P></LI>
+
+<LI>Make sure to use mkstemp() instead of mktemp(), tempnam(), mkstemp() and
+etc.  Also make sure to look for races in /tmp in general, being aware that
+there are very few things which can be atomic in /tmp:
+	<UL>
+	<LI>Creating a directory.  This will either succeed or fail.</LI>
+	<LI>Opening a file O_CREAT | O_EXECL</LI>
+	</UL>
+If you use mkstemp - above cases will be properly handled for you.  Hence
+all temp files should use mkstemp() to guarantee there is not race
+condition and that the permissions are correct.
+<P></P></LI>
+
+<LI>If an attacker can force packets to go/come from another arbitrary 
+system then that attacker has complete control over the data that we get 
+and <B>NONE</B>of it should be trusted.
+<P></P></LI>
+
+<LI>Never trust a configuration file is correctly formatted or that it was
+generated by the appropriate utility.  Don't trust user input such as
+terminal names or language strings to be free of '/' or '../../../' if
+there is any chance that they can be used in a path name.  Don't trust
+<B>ANY</B> paths supplied by the user when you are running setuid root.
+<P></P></LI>
+
+<LI>Look for holes or weaknesses in how data is stored.  All temp files
+should have 600 permission in order to be protected from prying eyes.
+<P></P></LI>
+
+<LI>Don't just grep for the usual suspects in programs which run with
+elevated privileges.  Look line by line for possible overflows in these
+cases since there are a lot more ways to cause buffer overflows then
+by abusing strcpy() and friends.
+<P></P></LI>
+
+<LI>Just because you drop privileges somewhere, it does not mean that no
+exploit is possible.  The attacker may put the necessary code on the
+stack to regain the privileges before executing /bin/sh.</LI></UL>
+<P></P></LI>
+
+<LI>Do uid management.  Do drop privileges as soon as possible, and really
+do drop them.  Switching between euid and uid is NOT enough.  Use setuid()
+when you can.
+<P></P></LI>
+
+<LI>Never display configuration file contents on errors.  A line number and
+perhaps position count is enough.  This is true for all libs and for any
+suid/sgid program.
+<P></P></LI>
+
+<LI>Tips for those reviewing existing code for security problems:<P></P><UL>
+
+<LI>If you are unsure of your security fixes, send them to a reviewer with
+whom you have already arrangements for a second glance over your 
+code.  Don't commit code you are not sure about since breaking something
+in the name of security fix is rather embarrassing.
+<P></P></LI>
+
+<LI>Those without CVS commit privileges should make sure that a reviewer
+with such privileges is among the last to review the changes.  That person
+will both review and incorporate the final version you would like to have
+go into the tree.
+<P></P></LI>
+
+<LI>When sending changes around for review, always use context or unidiff
+format diffs - this way diffs can be easily fed to patch(1).  Do not simply
+send the whole files.  Diffs are much easier to read and apply to local
+sources (especially those in which multiple, simultaneous changes may be
+taking place).  All changed should be relative to the -current branch of
+development.
+<P></P></LI>
+
+<LI>Always directly test your changes (e.g. build and run the affected
+sources) before sending them to a reviewer.  Nobody likes being sent
+obviously broken stuff for review, and it just makes it appear as though
+the submitter didn't even really look at what he was (which is also hardly
+confidence building).  If you need accounts on a machine with a specific
+version which you don't have available - just ask.  The project has
+resources available for exactly such purposes.
+<P></P></LI>
+
+<LI>Note for committers: do not forget to retrofit -current patches into 
+the -stable branch as appropriate.
+<P></P></LI>
+
+<LI>Do not needlessly rewrite code to suit your style/tastes - it only 
+makes the reviewer's job needlessly more difficult.  Do so only if there
+are clear reasons for it.</LI></UL
+<P></P></LI>
+
+<LI>Look out for programs doing complex things in with signal 
+handlers.  Many routines in the various libraries are not sufficiently
+reentrant to make this safe.
+<P></P></LI>
+
+<LI>Pay special attention to realloc() usage - more often then not the
+function is not used correctly.
+<P></P></LI>
+
+<LI>When using a fixed size buffers, use sizeof() to prevent lossage
+when a buffer size is changed but the code which uses it isn't.  For
+example:
+<LISTING>       
+        char buf[1024];
+        struct foo { ... };
+        ...
+BAD:
+        xxx(buf, 1024)
+        xxx(yyy, sizeof(struct foo))
+GOOD:
+        xxx(buf, sizeof(buf))
+        xxx(yyy, sizeof(yyy))
+</LISTING>
+Be careful though with sizeof of pointers when you really want the size
+of where it points to!
+<P></P></LI>
+
+<LI>Every time you see "char foo[###]", check every usage of foo to make
+sure that it can't be overflowed.  If you can't avoid overflow (and cases
+of this have been seen), then at least malloc the buffer so that one can't
+walk on the stack.
+<P></P></LI>
+
+<LI>Always close file descriptors as soon as you can - this makes it more
+likely that the stdio buffer contents will be discarded.  In library
+routines, always set any file descriptors that you open to close-on-exec.
+<P><P></LI>
 </UL>
 
-<P><B>Other questions you may ask yourself are:</B></P>
+<A NAME=tat></A>
+<H2>FreeBSD Security Tips and Tricks</H2>
+<P>There are several steps one must take to secure a FreeBSD system, or
+in fact any Unix system:
 <UL>
-<LI>Who do I warn? You can contact the security officer, or even the
-local authorities. The choice is up to you.</LI>
 
-<LI>Do I want to trace the person responsible? By not fixing the hole
-right away, you have a chance to catch the cracker. Then again, you have
-the chance the cracker wipes your disk. The choice is up to you.</LI>
+<LI>Disabling potentially dangerous software<BR><P></P>
+A lot of software has to be run as a special privileged user to make
+use of specific resources, by making the executable set-uid.  An
+example is UUCP or PPP software that makes use of a serial port, or
+sendmail which has to write in the mail spool and bind to a privileged
+network port.  When you are not using UUCP, it is of little use to have
+software on your system and it may be wise to disable it.  Of course,
+this requires good knowledge of what can be thrown away and what not,
+as well as good indication whether or not you will want the functionality
+in the future.<BR><P></P>
+Also some utilities you may find not useful enough to have them
+around and pose a possible security risk, like swapinfo. If you remove
+the set-uid bit for the executable (via 'chmod ug-s filename' command)
+you can always keep on using swapinfo when you're root. It is however
+not a good idea stripping so many sbits you have to be root all
+the time.<BR><P></P>
+Not only remove programs that you don't use, also remove services you
+don't want or need to provide. This can be done by editing the
+<TT>/etc/inetd.conf</TT> and <TT>/etc/rc.conf</TT> files and turning
+off all services you don't use.<P></P>
 
+<LI>Fixing software which has security bugs (or how to stay one step ahead
+of crackers)<BR><P></P>
+Make sure you are subscribed to various <A HREF="#ml">FreeBSD Security 
+mailing lists</A> so you could get updates on security bugs and get
+fixes.  Apply the fixes immediately.<P></P>
+
+<LI>Backups - repair your system if security breach does occur<BR><P></P>
+Always have backups and a clean version of the operating system (e.g. on
+CD-Rom).  Make sure your backups don't contain corrupted or modified by
+attackers data.<P></P>
+
+<LI>Install software to watch the state of the system<BR><P></P>
+Programs like the tcp wrappers and tripwire (both in packages/ports) can
+help you to monitor activity on your system.  This makes it easier
+to detect break-ins.  Also read outputs of the /etc/security scripts
+which are run daily and mailed to the root account.<P></P>
+
+<LI>Educating the people who work on the system<BR><P></P>
+Users should know that they are doing. They should be told to never give
+out their password to anyone and to also use hard to guess passwords.
+Let them understand that the security of the system/network is partly
+in their hands.<P></P>
 </UL>
 
-<H2><A href="secure.html">How to secure a FreeBSD system</A></H2>
 
-<P>There are several steps involved in securing a FreeBSD system, or in
-fact, any UNIX system:</P>
+<P>There is also a FreeBSD Security How-To available which provides some
+advanced tips on how to improve security of your system.  You can 
+find it at <A HREF="http://www.freebsd.org/~jkb/howto.html">
+http://www.freebsd.org/~jkb/howto.html</A>.</P>
+<P>Security is an ongoing process.  Make sure you are following the latest
+developments in the security arena.</P>
 
-<H2><a href="programmers.html">Security Do's and Don'ts for Programmers</a></H2>
+<A NAME=misc></A>
+<H2>What to do when you detect a security compromise</H2>
 
-<H2>Other useful security information:</H2>
+<UL>
+<LI><B>Determine the level of the security breach</B><BR>
+What privileges did the attacker get? Did the attacker managed to get
+root access? Did the attacker only managed to get user level access?</LI>
 
+<LI><B>Determine if the state of system (kernel or userland) has been
+tampered with</B><BR>
+What software has been tampered with? Was new kernel installed? Were any
+of the system binaries (such as telnetd, login, etc) modified? If you
+believe an attacker could have done any tampering with an OS, you may want
+to re-install the operating system from a safe medium.</LI>
+
+<LI><B>Find out how the break-in was done</B><BR>
+Did the breaking occur via a well know security bug? If that is the case,
+make sure to install the correct patches.  Was the breaking successful due
+to a misconfiguration? Was the breakin result of a new bug? If you believe
+the breakin occurred via a new bug, you should warn the
+<A HREF="mailto:security-officer@freebsd.org"> FreeBSD Security 
+Officer</A>.</LI>
+
+<LI><B>Fix the security hole</B><BR>
+Install new software or apply patches to the old one in order to fix the
+problems.  Disable already compromised accounts.</LI>
+
+<LI><B>Other resources</B><BR>
+<A HREF="http://www.cert.org">CERT</A> also offers 
+<A HREF="http://www.cert.org/nav/recovering.html">detailed information</A>
+on what steps to take in case of a system compromise.</LI>
+</UL>
+
+<H2>Other Related Security Information</H2>
 <UL>
 <LI><A href="http://www.cs.purdue.edu/coast/archive/index.html">The COAST
-	archive</A>
-	Contains a huge collection of security related material.</LI>
+archive</A> contains a huge collection of security related materials.</LI>
 
-<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">
-	The COAST Security hotlist</A>
-	This page is THE place to start looking for security related
-	material. It contains hundreds of useful
-	security pointers. Everything you always wanted to know about
-	security...and more...</LI>
+<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">The COAST Security
+Hotlist</A> is the place to start looking for security related materials.
+It contains hundreds of useful security pointers.  Everything you always
+wanted to know about security... and more.</LI>
 
-<LI>The various CERTs (e.g. <A href="http://www.cert.org/">www.cert.org</A> and
-	<A href="http://www.auscert.org.au/">www.auscert.org.au</A>)</LI>
-
-<li><a href="http://SecurityPortal.com/">SecurityPortal.com</a>
-is intended to be the comprehensive Web site for Internet
-Security.   It is dedicated to providing corporate security professionals
-with the information and resources needed to protect their networks. We
-summarize breaking security news and provide a jumping off point for
-Security Alerts, Products, Tools, Tips & Tricks and other Resources.
-</li>
-
-<LI>Mailing lists: Bugtraq, BOS, etc.</LI>
+<LI>The various CERT teams such as <A href="http://www.cert.org">
+http://www.cert.org</A> and <A href="http://www.auscert.org.au">
+http://www.auscert.org.au</A>.</LI>
 
+<LI>Mailing lists such as <A HREF="http://www.geek-girl.com/bugtraq/">
+Bugtraq</A> and <A HREF="http://www.nfr.net/forum/firewall-wizards.html">
+Firewall Wizards</A>.</LI>
 </UL>
 
-      &footer
-  </body>
+	&footer
+    </body>
 </html>

en/security/security.sgml

@@ -1,77 +1,95 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
 <!ENTITY base CDATA "..">
-<!ENTITY date "$Date: 1998-12-13 23:19:25 $">
-<!ENTITY title "FreeBSD Security Guide">
+<!ENTITY date "$Date: 1998-12-19 09:55:30 $">
+<!ENTITY title "FreeBSD Security Information">
 <!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
 ]>
-<!-- $Id: security.sgml,v 1.8 1998-12-13 23:19:25 steve Exp $ -->
+<!-- $Id: security.sgml,v 1.9 1998-12-19 09:55:30 jkh Exp $ -->
 
 <html>
     &header;
 
-<P>This guide attempts to document some of the tips and tricks used by
-many FreeBSD security experts for securing systems and writing secure
-code.  It is designed to help you learn about the various ways of protecting
-a FreeBSD system against outside attacks and how to recover from such attacks
-if and when they should happen.  It also lists the various ways in which
-the systems programmer can become more security conscious so he will
- less likely introduce security holes in the first place.</P>
+<H2>Introduction</H2>
 
-<P>We welcome your comments on the contents and correctness of this page.
-Please send email to the <A HREF="mailto:security-officer@FreeBSD.org">
-FreeBSD Security Officers</A> if you have changes you'd like to see here.</P>
+<P>This web page is designed to assist both new and experienced users
+in the area of security for the FreeBSD Operating System.  The FreeBSD
+Development team takes security very seriously and is constantly working
+on making the OS as secure as possible.</P>
 
-<H2>The FreeBSD security officer</H2>
+<P>Here you will find additional information, or links to information,
+on how to protect your system against various types of outside attack,
+whom to contact if you find a security related bug, etc.  There is
+also a section on the various ways that the systems programmer can
+become more security conscious so he or she is less likely to
+introduce security holes in the first place.</P>
 
-<P>FreeBSD takes security seriously, a dedicated team of security officers
-providing a focal point for security related communications. A security
-officers' main task is to send out advisories when there are known security
-holes and otherwise keep abreast of security issues.  The security officers
-also communicate with the various <A HREF="http://www.cert.org/">CERT</A>
-and <A HREF="http://www.first.org/">FIRST</A> teams around the world,
-sharing information about vulnerabilities in FreeBSD or utilities commonly
-used by FreeBSD, and keeping up to date on security issues in the world at
-large.  The security officers are also active members of those
-organizations.</P>
+<H2>Table Of Content</H2>
+<UL>
+<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
+<LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
+<LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
+<LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
+<LI><A HREF="#spg">Secure Programing Guidelines</A></LI>
+<LI><A HREF="#misc">Other Related Security Information</A></LI>
+</UL>
 
-<P>When you need to contact the security officers about a sensitive matter,
-please use their
-<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
-to encrypt your message before sending it.</P>
+<A NAME=sec></A>
+<H2>The FreeBSD Security Officer</H2>
 
-<H2>FreeBSD security advisories:</H2>
+<P>To better coordinate information exchange with others in the security
+community, FreeBSD has a focal point for security related communications:
+The FreeBSD <a href="mailto:security-officer@freebsd.org">security officer</a>.
+The position is actually staffed by a team of dedicated security officers,
+their main tasks being to send out advisories when there are known security
+holes and to act on reports of possible security problems with FreeBSD.</P>
 
-<P>The FreeBSD security officers provide security advisories for
-the following releases of FreeBSD:</P>
+<P>If you need to contact someone from the FreeBSD team about a
+possible security bug, you should therefore please <A
+HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer</A>
+with a description of what you've found and the type of vulnerability it
+represents.  The Security Officers also communicate with the various
+<A HREF="http://www.cert.org">CERT </A>and <A
+HREF="http://www.first.org/"> FIRST</A> teams around the world,
+sharing information about possible vulnerabilities in FreeBSD or
+utilities commonly used by FreeBSD.  The Security Officers are also
+active members of those organizations.</P>
+
+<P>If you do need to contact the Security Officer about a particularly
+sensitive matter, please use their <A
+HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key
+</A> to encrypt your message before sending it.</P>
+
+<A NAME=adv></A>
+<H2>FreeBSD Security Advisories</H2>
+
+<P>The FreeBSD Security Officers provide security advisories for the
+following releases of FreeBSD:</P>
 
 <UL>
-<LI>	the most recent official release of FreeBSD,
-<LI>	FreeBSD-current,
+<LI>	The most recent official release of FreeBSD.
+<LI>	FreeBSD-current.
 <LI>	FreeBSD-stable, when at least 2 releases are based on it.
-<LI>	the previous FreeBSD-stable when a "new stable" does not
-        yet have 2 releases based on it.
+<LI>	The previous FreeBSD-stable when a "new stable" does not yet
+	have 2 releases based on it.
 </UL>
 
 At this time, security advisories are available for:
 <UL>
-<LI>	FreeBSD 2.2.6
+<LI>	FreeBSD 2.2.7
+<LI>	FreeBSD 2.2.8
+<LI>	FreeBSD 3.0
 <LI>	FreeBSD-current
 <LI>	FreeBSD-stable
 </UL>
 
-<P>Older releases will not be actively maintained and users are strongly
-encouraged to upgrade to one of the supported releases.</P>
-
-<P>An advisory will be sent out when a security hole exists that is
-either being actively abused (as indicated to us via reports from end
-users or CERT like organizations), or when the security hole is public
-knowledge (e.g. because a report has been posted to a public mailing
-list).</P>
+<P>Older releases are not maintained and users are strongly encouraged
+to upgrade to one of the supported releases mentioned above.</P>
 
 <P>Like all development efforts, security fixes are first brought into
-the <A HREF="../handbook/current.html">FreeBSD-current</A>
-branch.  After a couple of days and some testing, the fix is retrofitted
-into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>
+the <A HREF="../handbook/current.html">FreeBSD-current</A> branch.
+After a couple of days and some testing, the fix is retrofitted into
+the supported FreeBSD-stable branch(es) and an advisory then sent
+out.</P>
 
 <P>Advisories are sent to the following FreeBSD mailing lists:
 <UL>
@@ -80,9 +98,10 @@ into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>
 <LI>FreeBSD-announce@freebsd.org
 </UL>
 
-<P>Advisories are always signed using the FreeBSD security officer
-<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
-and are archived, along with their associated patches, at our
+
+<P>Advisories are always signed using the FreeBSD Security Officer
+<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc"> PGP key
+</A> and are archived, along with their associated patches, at our
 <A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/index.html">FTP CERT
 repository</A>.  At the time of this writing, the following advisories are
 currently available:</P>
@@ -117,98 +136,317 @@ currently available:</P>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc">FreeBSD-SA-98:04.mmap.asc</A></LI>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:05.nfs.asc">FreeBSD-SA-98:05.nfs.asc</A></LI>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:06.icmp.asc">FreeBSD-SA-98:06.icmp.asc</A></LI>
+<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:07.rst.asc">FreeBSD-SA-98:07.rst.asc</A></LI>
+<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:08.fragment.asc">FreeBSD-SA-98:08.fragment.asc</A></LI>
 </UL>
 
-<H2>FreeBSD security related information</H2>
+<A NAME=ml></A>
+<H2>FreeBSD Security Mailing Lists Information</H2>
 
-<P>If you want to stay up to date on FreeBSD security, you can subscribe
-yorself to one of the following mailing lists:</P>
+<P>If you are administering or using any number of FreeBSD systems, you
+should probably be subscribed to one or more of the following lists:</P>
 
 <PRE>
-freebsd-security		General security related discussion
-freebsd-security-notifications	Security notifications (moderated mailing list)
+freebsd-security                General security related discussion
+freebsd-security-notification   Security notifications (moderated mailing list)
 </PRE>
 
-Send mail to <A HREF="mailto:majordomo@freebsd.org">majordomo@FreeBSD.ORG</A>
-with
+Send mail to <A HREF="mailto:majordomo@freebsd.org">
+majordomo@FreeBSD.ORG</A> with
 <PRE>
      subscribe &lt;listname&gt;  [&lt;optional address&gt;]
 </PRE>
 in the body of the message in order to subscribe yourself.
+For example:
+<PRE>
+% echo "subscribe freebsd-security" | mail majordomo@freebsd.org
+</PRE>
+and if you would like to unsubscribe from a mailing list:
+<PRE>
+% echo "unsubscribe freebsd-security" | mail majordomo@freebsd.org
+</PRE>
 
-<H2>What to do when you detect a security compromise:</H2>
+<A NAME=spg></A>
+<H2>Secure Programing Guidelines</H2>
+<P><P><UL>
+<LI>Never trust any source of input, i.e. command line arguments,
+environment variables, configuration files, incoming TCP/UDP/ICMP packets,
+hostname lookups, function arguments, etc.  If the length of or contents of
+the date received is at all subject to outside control, then the program or
+function should watch for this when copying it around.  Specific security
+issues to watch for in this are are:
+<P></P>
+  <UL>
 
-<UL>
-<LI><B>Determine the level of security breach:</B><BR>
-What privilege did the attack get? That of another user or more (up to
-root privileges)?</LI>
+<LI>strcpy() and sprintf() calls from unbounded data.  Use strncpy and
+snprintf() when the length is known (or implement some other form of
+bounds-checking when the length is unknown).  In fact, never ever use
+gets() or sprintf(), period.  If you do - will send evil dwarfs after you.
+<P></P></LI>
 
-<LI><B>Determine those parts of the system which are not in their original state
-anymore:</B><BR>
-What software has been tampered with? You may decide to re-install the
-operating system from a safe medium, or you might have MD5 checksums of
-the original software with which you can check your system. The tripwire
-package also keeps MD5 checksums, though be aware that tripwire might
-be tampered with as well and be sure and use a known-good copy.</LI>
+<LI>If you have to check the user input so it does not contain bad
+characters of some sort, do NOT check for those bad characters.  Instead
+simply verify that it consists ONLY of those characters that you do
+allow.  In general concept is: disallow anything that is not 
+explicitly allowed. 
+<P></P></LI>
 
-<LI><B>Find out how the breakin was done:</B><BR>
-Via a well-known security bug? A misconfiguration?  If it's a new bug,
-you should warn the <A HREF="mailto:security-officer@freebsd.org">
-FreeBSD Security Officer</A>.</LI>
+<LI>Read man pages for strncpy() and strncat() calls.  Be sure to 
+understand how they work!!! While strncpy() might not append a terminating
+\0, strncat() on the other hand adds the \0.
+<P></P></LI>
 
-<LI><B>Fix the hole(s):</B><BR>
-Install new software that fixes the problems. If you aren't able to get
-a fix quickly, you should temporarily disable remote access to your system
-until you have done so.</LI>
+<LI>Watch for strvis() and getenv() abuse.  With strvis() it is easy to get
+the destination string wrong for, and getenv() can return strings much
+longer then the program might expect.  These two functions are one of the
+key ways an attack is often made on a program, causing it to overwrite stack
+or variables by setting its environment variables to unexpected values.  If
+your program reads environment variables, be paranoid.  Be very paranoid!
+<P></P></LI>
+
+<LI>Ever time you use open() or stat() call - ask yourself: "What if it
+is a symbolic link?"
+<P></P></LI>
+
+<LI>Make sure to use mkstemp() instead of mktemp(), tempnam(), mkstemp() and
+etc.  Also make sure to look for races in /tmp in general, being aware that
+there are very few things which can be atomic in /tmp:
+	<UL>
+	<LI>Creating a directory.  This will either succeed or fail.</LI>
+	<LI>Opening a file O_CREAT | O_EXECL</LI>
+	</UL>
+If you use mkstemp - above cases will be properly handled for you.  Hence
+all temp files should use mkstemp() to guarantee there is not race
+condition and that the permissions are correct.
+<P></P></LI>
+
+<LI>If an attacker can force packets to go/come from another arbitrary 
+system then that attacker has complete control over the data that we get 
+and <B>NONE</B>of it should be trusted.
+<P></P></LI>
+
+<LI>Never trust a configuration file is correctly formatted or that it was
+generated by the appropriate utility.  Don't trust user input such as
+terminal names or language strings to be free of '/' or '../../../' if
+there is any chance that they can be used in a path name.  Don't trust
+<B>ANY</B> paths supplied by the user when you are running setuid root.
+<P></P></LI>
+
+<LI>Look for holes or weaknesses in how data is stored.  All temp files
+should have 600 permission in order to be protected from prying eyes.
+<P></P></LI>
+
+<LI>Don't just grep for the usual suspects in programs which run with
+elevated privileges.  Look line by line for possible overflows in these
+cases since there are a lot more ways to cause buffer overflows then
+by abusing strcpy() and friends.
+<P></P></LI>
+
+<LI>Just because you drop privileges somewhere, it does not mean that no
+exploit is possible.  The attacker may put the necessary code on the
+stack to regain the privileges before executing /bin/sh.</LI></UL>
+<P></P></LI>
+
+<LI>Do uid management.  Do drop privileges as soon as possible, and really
+do drop them.  Switching between euid and uid is NOT enough.  Use setuid()
+when you can.
+<P></P></LI>
+
+<LI>Never display configuration file contents on errors.  A line number and
+perhaps position count is enough.  This is true for all libs and for any
+suid/sgid program.
+<P></P></LI>
+
+<LI>Tips for those reviewing existing code for security problems:<P></P><UL>
+
+<LI>If you are unsure of your security fixes, send them to a reviewer with
+whom you have already arrangements for a second glance over your 
+code.  Don't commit code you are not sure about since breaking something
+in the name of security fix is rather embarrassing.
+<P></P></LI>
+
+<LI>Those without CVS commit privileges should make sure that a reviewer
+with such privileges is among the last to review the changes.  That person
+will both review and incorporate the final version you would like to have
+go into the tree.
+<P></P></LI>
+
+<LI>When sending changes around for review, always use context or unidiff
+format diffs - this way diffs can be easily fed to patch(1).  Do not simply
+send the whole files.  Diffs are much easier to read and apply to local
+sources (especially those in which multiple, simultaneous changes may be
+taking place).  All changed should be relative to the -current branch of
+development.
+<P></P></LI>
+
+<LI>Always directly test your changes (e.g. build and run the affected
+sources) before sending them to a reviewer.  Nobody likes being sent
+obviously broken stuff for review, and it just makes it appear as though
+the submitter didn't even really look at what he was (which is also hardly
+confidence building).  If you need accounts on a machine with a specific
+version which you don't have available - just ask.  The project has
+resources available for exactly such purposes.
+<P></P></LI>
+
+<LI>Note for committers: do not forget to retrofit -current patches into 
+the -stable branch as appropriate.
+<P></P></LI>
+
+<LI>Do not needlessly rewrite code to suit your style/tastes - it only 
+makes the reviewer's job needlessly more difficult.  Do so only if there
+are clear reasons for it.</LI></UL
+<P></P></LI>
+
+<LI>Look out for programs doing complex things in with signal 
+handlers.  Many routines in the various libraries are not sufficiently
+reentrant to make this safe.
+<P></P></LI>
+
+<LI>Pay special attention to realloc() usage - more often then not the
+function is not used correctly.
+<P></P></LI>
+
+<LI>When using a fixed size buffers, use sizeof() to prevent lossage
+when a buffer size is changed but the code which uses it isn't.  For
+example:
+<LISTING>       
+        char buf[1024];
+        struct foo { ... };
+        ...
+BAD:
+        xxx(buf, 1024)
+        xxx(yyy, sizeof(struct foo))
+GOOD:
+        xxx(buf, sizeof(buf))
+        xxx(yyy, sizeof(yyy))
+</LISTING>
+Be careful though with sizeof of pointers when you really want the size
+of where it points to!
+<P></P></LI>
+
+<LI>Every time you see "char foo[###]", check every usage of foo to make
+sure that it can't be overflowed.  If you can't avoid overflow (and cases
+of this have been seen), then at least malloc the buffer so that one can't
+walk on the stack.
+<P></P></LI>
+
+<LI>Always close file descriptors as soon as you can - this makes it more
+likely that the stdio buffer contents will be discarded.  In library
+routines, always set any file descriptors that you open to close-on-exec.
+<P><P></LI>
 </UL>
 
-<P><B>Other questions you may ask yourself are:</B></P>
+<A NAME=tat></A>
+<H2>FreeBSD Security Tips and Tricks</H2>
+<P>There are several steps one must take to secure a FreeBSD system, or
+in fact any Unix system:
 <UL>
-<LI>Who do I warn? You can contact the security officer, or even the
-local authorities. The choice is up to you.</LI>
 
-<LI>Do I want to trace the person responsible? By not fixing the hole
-right away, you have a chance to catch the cracker. Then again, you have
-the chance the cracker wipes your disk. The choice is up to you.</LI>
+<LI>Disabling potentially dangerous software<BR><P></P>
+A lot of software has to be run as a special privileged user to make
+use of specific resources, by making the executable set-uid.  An
+example is UUCP or PPP software that makes use of a serial port, or
+sendmail which has to write in the mail spool and bind to a privileged
+network port.  When you are not using UUCP, it is of little use to have
+software on your system and it may be wise to disable it.  Of course,
+this requires good knowledge of what can be thrown away and what not,
+as well as good indication whether or not you will want the functionality
+in the future.<BR><P></P>
+Also some utilities you may find not useful enough to have them
+around and pose a possible security risk, like swapinfo. If you remove
+the set-uid bit for the executable (via 'chmod ug-s filename' command)
+you can always keep on using swapinfo when you're root. It is however
+not a good idea stripping so many sbits you have to be root all
+the time.<BR><P></P>
+Not only remove programs that you don't use, also remove services you
+don't want or need to provide. This can be done by editing the
+<TT>/etc/inetd.conf</TT> and <TT>/etc/rc.conf</TT> files and turning
+off all services you don't use.<P></P>
 
+<LI>Fixing software which has security bugs (or how to stay one step ahead
+of crackers)<BR><P></P>
+Make sure you are subscribed to various <A HREF="#ml">FreeBSD Security 
+mailing lists</A> so you could get updates on security bugs and get
+fixes.  Apply the fixes immediately.<P></P>
+
+<LI>Backups - repair your system if security breach does occur<BR><P></P>
+Always have backups and a clean version of the operating system (e.g. on
+CD-Rom).  Make sure your backups don't contain corrupted or modified by
+attackers data.<P></P>
+
+<LI>Install software to watch the state of the system<BR><P></P>
+Programs like the tcp wrappers and tripwire (both in packages/ports) can
+help you to monitor activity on your system.  This makes it easier
+to detect break-ins.  Also read outputs of the /etc/security scripts
+which are run daily and mailed to the root account.<P></P>
+
+<LI>Educating the people who work on the system<BR><P></P>
+Users should know that they are doing. They should be told to never give
+out their password to anyone and to also use hard to guess passwords.
+Let them understand that the security of the system/network is partly
+in their hands.<P></P>
 </UL>
 
-<H2><A href="secure.html">How to secure a FreeBSD system</A></H2>
 
-<P>There are several steps involved in securing a FreeBSD system, or in
-fact, any UNIX system:</P>
+<P>There is also a FreeBSD Security How-To available which provides some
+advanced tips on how to improve security of your system.  You can 
+find it at <A HREF="http://www.freebsd.org/~jkb/howto.html">
+http://www.freebsd.org/~jkb/howto.html</A>.</P>
+<P>Security is an ongoing process.  Make sure you are following the latest
+developments in the security arena.</P>
 
-<H2><a href="programmers.html">Security Do's and Don'ts for Programmers</a></H2>
+<A NAME=misc></A>
+<H2>What to do when you detect a security compromise</H2>
 
-<H2>Other useful security information:</H2>
+<UL>
+<LI><B>Determine the level of the security breach</B><BR>
+What privileges did the attacker get? Did the attacker managed to get
+root access? Did the attacker only managed to get user level access?</LI>
 
+<LI><B>Determine if the state of system (kernel or userland) has been
+tampered with</B><BR>
+What software has been tampered with? Was new kernel installed? Were any
+of the system binaries (such as telnetd, login, etc) modified? If you
+believe an attacker could have done any tampering with an OS, you may want
+to re-install the operating system from a safe medium.</LI>
+
+<LI><B>Find out how the break-in was done</B><BR>
+Did the breaking occur via a well know security bug? If that is the case,
+make sure to install the correct patches.  Was the breaking successful due
+to a misconfiguration? Was the breakin result of a new bug? If you believe
+the breakin occurred via a new bug, you should warn the
+<A HREF="mailto:security-officer@freebsd.org"> FreeBSD Security 
+Officer</A>.</LI>
+
+<LI><B>Fix the security hole</B><BR>
+Install new software or apply patches to the old one in order to fix the
+problems.  Disable already compromised accounts.</LI>
+
+<LI><B>Other resources</B><BR>
+<A HREF="http://www.cert.org">CERT</A> also offers 
+<A HREF="http://www.cert.org/nav/recovering.html">detailed information</A>
+on what steps to take in case of a system compromise.</LI>
+</UL>
+
+<H2>Other Related Security Information</H2>
 <UL>
 <LI><A href="http://www.cs.purdue.edu/coast/archive/index.html">The COAST
-	archive</A>
-	Contains a huge collection of security related material.</LI>
+archive</A> contains a huge collection of security related materials.</LI>
 
-<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">
-	The COAST Security hotlist</A>
-	This page is THE place to start looking for security related
-	material. It contains hundreds of useful
-	security pointers. Everything you always wanted to know about
-	security...and more...</LI>
+<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">The COAST Security
+Hotlist</A> is the place to start looking for security related materials.
+It contains hundreds of useful security pointers.  Everything you always
+wanted to know about security... and more.</LI>
 
-<LI>The various CERTs (e.g. <A href="http://www.cert.org/">www.cert.org</A> and
-	<A href="http://www.auscert.org.au/">www.auscert.org.au</A>)</LI>
-
-<li><a href="http://SecurityPortal.com/">SecurityPortal.com</a>
-is intended to be the comprehensive Web site for Internet
-Security.   It is dedicated to providing corporate security professionals
-with the information and resources needed to protect their networks. We
-summarize breaking security news and provide a jumping off point for
-Security Alerts, Products, Tools, Tips & Tricks and other Resources.
-</li>
-
-<LI>Mailing lists: Bugtraq, BOS, etc.</LI>
+<LI>The various CERT teams such as <A href="http://www.cert.org">
+http://www.cert.org</A> and <A href="http://www.auscert.org.au">
+http://www.auscert.org.au</A>.</LI>
 
+<LI>Mailing lists such as <A HREF="http://www.geek-girl.com/bugtraq/">
+Bugtraq</A> and <A HREF="http://www.nfr.net/forum/firewall-wizards.html">
+Firewall Wizards</A>.</LI>
 </UL>
 
-      &footer
-  </body>
+	&footer
+    </body>
 </html>

share/sgml/advisories.xml

@@ -1,77 +1,95 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
 <!ENTITY base CDATA "..">
-<!ENTITY date "$Date: 1998-12-13 23:19:25 $">
-<!ENTITY title "FreeBSD Security Guide">
+<!ENTITY date "$Date: 1998-12-19 09:55:30 $">
+<!ENTITY title "FreeBSD Security Information">
 <!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
 ]>
-<!-- $Id: advisories.xml,v 1.8 1998-12-13 23:19:25 steve Exp $ -->
+<!-- $Id: advisories.xml,v 1.9 1998-12-19 09:55:30 jkh Exp $ -->
 
 <html>
     &header;
 
-<P>This guide attempts to document some of the tips and tricks used by
-many FreeBSD security experts for securing systems and writing secure
-code.  It is designed to help you learn about the various ways of protecting
-a FreeBSD system against outside attacks and how to recover from such attacks
-if and when they should happen.  It also lists the various ways in which
-the systems programmer can become more security conscious so he will
- less likely introduce security holes in the first place.</P>
+<H2>Introduction</H2>
 
-<P>We welcome your comments on the contents and correctness of this page.
-Please send email to the <A HREF="mailto:security-officer@FreeBSD.org">
-FreeBSD Security Officers</A> if you have changes you'd like to see here.</P>
+<P>This web page is designed to assist both new and experienced users
+in the area of security for the FreeBSD Operating System.  The FreeBSD
+Development team takes security very seriously and is constantly working
+on making the OS as secure as possible.</P>
 
-<H2>The FreeBSD security officer</H2>
+<P>Here you will find additional information, or links to information,
+on how to protect your system against various types of outside attack,
+whom to contact if you find a security related bug, etc.  There is
+also a section on the various ways that the systems programmer can
+become more security conscious so he or she is less likely to
+introduce security holes in the first place.</P>
 
-<P>FreeBSD takes security seriously, a dedicated team of security officers
-providing a focal point for security related communications. A security
-officers' main task is to send out advisories when there are known security
-holes and otherwise keep abreast of security issues.  The security officers
-also communicate with the various <A HREF="http://www.cert.org/">CERT</A>
-and <A HREF="http://www.first.org/">FIRST</A> teams around the world,
-sharing information about vulnerabilities in FreeBSD or utilities commonly
-used by FreeBSD, and keeping up to date on security issues in the world at
-large.  The security officers are also active members of those
-organizations.</P>
+<H2>Table Of Content</H2>
+<UL>
+<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
+<LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
+<LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
+<LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
+<LI><A HREF="#spg">Secure Programing Guidelines</A></LI>
+<LI><A HREF="#misc">Other Related Security Information</A></LI>
+</UL>
 
-<P>When you need to contact the security officers about a sensitive matter,
-please use their
-<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
-to encrypt your message before sending it.</P>
+<A NAME=sec></A>
+<H2>The FreeBSD Security Officer</H2>
 
-<H2>FreeBSD security advisories:</H2>
+<P>To better coordinate information exchange with others in the security
+community, FreeBSD has a focal point for security related communications:
+The FreeBSD <a href="mailto:security-officer@freebsd.org">security officer</a>.
+The position is actually staffed by a team of dedicated security officers,
+their main tasks being to send out advisories when there are known security
+holes and to act on reports of possible security problems with FreeBSD.</P>
 
-<P>The FreeBSD security officers provide security advisories for
-the following releases of FreeBSD:</P>
+<P>If you need to contact someone from the FreeBSD team about a
+possible security bug, you should therefore please <A
+HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer</A>
+with a description of what you've found and the type of vulnerability it
+represents.  The Security Officers also communicate with the various
+<A HREF="http://www.cert.org">CERT </A>and <A
+HREF="http://www.first.org/"> FIRST</A> teams around the world,
+sharing information about possible vulnerabilities in FreeBSD or
+utilities commonly used by FreeBSD.  The Security Officers are also
+active members of those organizations.</P>
+
+<P>If you do need to contact the Security Officer about a particularly
+sensitive matter, please use their <A
+HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key
+</A> to encrypt your message before sending it.</P>
+
+<A NAME=adv></A>
+<H2>FreeBSD Security Advisories</H2>
+
+<P>The FreeBSD Security Officers provide security advisories for the
+following releases of FreeBSD:</P>
 
 <UL>
-<LI>	the most recent official release of FreeBSD,
-<LI>	FreeBSD-current,
+<LI>	The most recent official release of FreeBSD.
+<LI>	FreeBSD-current.
 <LI>	FreeBSD-stable, when at least 2 releases are based on it.
-<LI>	the previous FreeBSD-stable when a "new stable" does not
-        yet have 2 releases based on it.
+<LI>	The previous FreeBSD-stable when a "new stable" does not yet
+	have 2 releases based on it.
 </UL>
 
 At this time, security advisories are available for:
 <UL>
-<LI>	FreeBSD 2.2.6
+<LI>	FreeBSD 2.2.7
+<LI>	FreeBSD 2.2.8
+<LI>	FreeBSD 3.0
 <LI>	FreeBSD-current
 <LI>	FreeBSD-stable
 </UL>
 
-<P>Older releases will not be actively maintained and users are strongly
-encouraged to upgrade to one of the supported releases.</P>
-
-<P>An advisory will be sent out when a security hole exists that is
-either being actively abused (as indicated to us via reports from end
-users or CERT like organizations), or when the security hole is public
-knowledge (e.g. because a report has been posted to a public mailing
-list).</P>
+<P>Older releases are not maintained and users are strongly encouraged
+to upgrade to one of the supported releases mentioned above.</P>
 
 <P>Like all development efforts, security fixes are first brought into
-the <A HREF="../handbook/current.html">FreeBSD-current</A>
-branch.  After a couple of days and some testing, the fix is retrofitted
-into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>
+the <A HREF="../handbook/current.html">FreeBSD-current</A> branch.
+After a couple of days and some testing, the fix is retrofitted into
+the supported FreeBSD-stable branch(es) and an advisory then sent
+out.</P>
 
 <P>Advisories are sent to the following FreeBSD mailing lists:
 <UL>
@@ -80,9 +98,10 @@ into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>
 <LI>FreeBSD-announce@freebsd.org
 </UL>
 
-<P>Advisories are always signed using the FreeBSD security officer
-<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
-and are archived, along with their associated patches, at our
+
+<P>Advisories are always signed using the FreeBSD Security Officer
+<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc"> PGP key
+</A> and are archived, along with their associated patches, at our
 <A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/index.html">FTP CERT
 repository</A>.  At the time of this writing, the following advisories are
 currently available:</P>
@@ -117,98 +136,317 @@ currently available:</P>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc">FreeBSD-SA-98:04.mmap.asc</A></LI>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:05.nfs.asc">FreeBSD-SA-98:05.nfs.asc</A></LI>
 <LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:06.icmp.asc">FreeBSD-SA-98:06.icmp.asc</A></LI>
+<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:07.rst.asc">FreeBSD-SA-98:07.rst.asc</A></LI>
+<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:08.fragment.asc">FreeBSD-SA-98:08.fragment.asc</A></LI>
 </UL>
 
-<H2>FreeBSD security related information</H2>
+<A NAME=ml></A>
+<H2>FreeBSD Security Mailing Lists Information</H2>
 
-<P>If you want to stay up to date on FreeBSD security, you can subscribe
-yorself to one of the following mailing lists:</P>
+<P>If you are administering or using any number of FreeBSD systems, you
+should probably be subscribed to one or more of the following lists:</P>
 
 <PRE>
-freebsd-security		General security related discussion
-freebsd-security-notifications	Security notifications (moderated mailing list)
+freebsd-security                General security related discussion
+freebsd-security-notification   Security notifications (moderated mailing list)
 </PRE>
 
-Send mail to <A HREF="mailto:majordomo@freebsd.org">majordomo@FreeBSD.ORG</A>
-with
+Send mail to <A HREF="mailto:majordomo@freebsd.org">
+majordomo@FreeBSD.ORG</A> with
 <PRE>
      subscribe &lt;listname&gt;  [&lt;optional address&gt;]
 </PRE>
 in the body of the message in order to subscribe yourself.
+For example:
+<PRE>
+% echo "subscribe freebsd-security" | mail majordomo@freebsd.org
+</PRE>
+and if you would like to unsubscribe from a mailing list:
+<PRE>
+% echo "unsubscribe freebsd-security" | mail majordomo@freebsd.org
+</PRE>
 
-<H2>What to do when you detect a security compromise:</H2>
+<A NAME=spg></A>
+<H2>Secure Programing Guidelines</H2>
+<P><P><UL>
+<LI>Never trust any source of input, i.e. command line arguments,
+environment variables, configuration files, incoming TCP/UDP/ICMP packets,
+hostname lookups, function arguments, etc.  If the length of or contents of
+the date received is at all subject to outside control, then the program or
+function should watch for this when copying it around.  Specific security
+issues to watch for in this are are:
+<P></P>
+  <UL>
 
-<UL>
-<LI><B>Determine the level of security breach:</B><BR>
-What privilege did the attack get? That of another user or more (up to
-root privileges)?</LI>
+<LI>strcpy() and sprintf() calls from unbounded data.  Use strncpy and
+snprintf() when the length is known (or implement some other form of
+bounds-checking when the length is unknown).  In fact, never ever use
+gets() or sprintf(), period.  If you do - will send evil dwarfs after you.
+<P></P></LI>
 
-<LI><B>Determine those parts of the system which are not in their original state
-anymore:</B><BR>
-What software has been tampered with? You may decide to re-install the
-operating system from a safe medium, or you might have MD5 checksums of
-the original software with which you can check your system. The tripwire
-package also keeps MD5 checksums, though be aware that tripwire might
-be tampered with as well and be sure and use a known-good copy.</LI>
+<LI>If you have to check the user input so it does not contain bad
+characters of some sort, do NOT check for those bad characters.  Instead
+simply verify that it consists ONLY of those characters that you do
+allow.  In general concept is: disallow anything that is not 
+explicitly allowed. 
+<P></P></LI>
 
-<LI><B>Find out how the breakin was done:</B><BR>
-Via a well-known security bug? A misconfiguration?  If it's a new bug,
-you should warn the <A HREF="mailto:security-officer@freebsd.org">
-FreeBSD Security Officer</A>.</LI>
+<LI>Read man pages for strncpy() and strncat() calls.  Be sure to 
+understand how they work!!! While strncpy() might not append a terminating
+\0, strncat() on the other hand adds the \0.
+<P></P></LI>
 
-<LI><B>Fix the hole(s):</B><BR>
-Install new software that fixes the problems. If you aren't able to get
-a fix quickly, you should temporarily disable remote access to your system
-until you have done so.</LI>
+<LI>Watch for strvis() and getenv() abuse.  With strvis() it is easy to get
+the destination string wrong for, and getenv() can return strings much
+longer then the program might expect.  These two functions are one of the
+key ways an attack is often made on a program, causing it to overwrite stack
+or variables by setting its environment variables to unexpected values.  If
+your program reads environment variables, be paranoid.  Be very paranoid!
+<P></P></LI>
+
+<LI>Ever time you use open() or stat() call - ask yourself: "What if it
+is a symbolic link?"
+<P></P></LI>
+
+<LI>Make sure to use mkstemp() instead of mktemp(), tempnam(), mkstemp() and
+etc.  Also make sure to look for races in /tmp in general, being aware that
+there are very few things which can be atomic in /tmp:
+	<UL>
+	<LI>Creating a directory.  This will either succeed or fail.</LI>
+	<LI>Opening a file O_CREAT | O_EXECL</LI>
+	</UL>
+If you use mkstemp - above cases will be properly handled for you.  Hence
+all temp files should use mkstemp() to guarantee there is not race
+condition and that the permissions are correct.
+<P></P></LI>
+
+<LI>If an attacker can force packets to go/come from another arbitrary 
+system then that attacker has complete control over the data that we get 
+and <B>NONE</B>of it should be trusted.
+<P></P></LI>
+
+<LI>Never trust a configuration file is correctly formatted or that it was
+generated by the appropriate utility.  Don't trust user input such as
+terminal names or language strings to be free of '/' or '../../../' if
+there is any chance that they can be used in a path name.  Don't trust
+<B>ANY</B> paths supplied by the user when you are running setuid root.
+<P></P></LI>
+
+<LI>Look for holes or weaknesses in how data is stored.  All temp files
+should have 600 permission in order to be protected from prying eyes.
+<P></P></LI>
+
+<LI>Don't just grep for the usual suspects in programs which run with
+elevated privileges.  Look line by line for possible overflows in these
+cases since there are a lot more ways to cause buffer overflows then
+by abusing strcpy() and friends.
+<P></P></LI>
+
+<LI>Just because you drop privileges somewhere, it does not mean that no
+exploit is possible.  The attacker may put the necessary code on the
+stack to regain the privileges before executing /bin/sh.</LI></UL>
+<P></P></LI>
+
+<LI>Do uid management.  Do drop privileges as soon as possible, and really
+do drop them.  Switching between euid and uid is NOT enough.  Use setuid()
+when you can.
+<P></P></LI>
+
+<LI>Never display configuration file contents on errors.  A line number and
+perhaps position count is enough.  This is true for all libs and for any
+suid/sgid program.
+<P></P></LI>
+
+<LI>Tips for those reviewing existing code for security problems:<P></P><UL>
+
+<LI>If you are unsure of your security fixes, send them to a reviewer with
+whom you have already arrangements for a second glance over your 
+code.  Don't commit code you are not sure about since breaking something
+in the name of security fix is rather embarrassing.
+<P></P></LI>
+
+<LI>Those without CVS commit privileges should make sure that a reviewer
+with such privileges is among the last to review the changes.  That person
+will both review and incorporate the final version you would like to have
+go into the tree.
+<P></P></LI>
+
+<LI>When sending changes around for review, always use context or unidiff
+format diffs - this way diffs can be easily fed to patch(1).  Do not simply
+send the whole files.  Diffs are much easier to read and apply to local
+sources (especially those in which multiple, simultaneous changes may be
+taking place).  All changed should be relative to the -current branch of
+development.
+<P></P></LI>
+
+<LI>Always directly test your changes (e.g. build and run the affected
+sources) before sending them to a reviewer.  Nobody likes being sent
+obviously broken stuff for review, and it just makes it appear as though
+the submitter didn't even really look at what he was (which is also hardly
+confidence building).  If you need accounts on a machine with a specific
+version which you don't have available - just ask.  The project has
+resources available for exactly such purposes.
+<P></P></LI>
+
+<LI>Note for committers: do not forget to retrofit -current patches into 
+the -stable branch as appropriate.
+<P></P></LI>
+
+<LI>Do not needlessly rewrite code to suit your style/tastes - it only 
+makes the reviewer's job needlessly more difficult.  Do so only if there
+are clear reasons for it.</LI></UL
+<P></P></LI>
+
+<LI>Look out for programs doing complex things in with signal 
+handlers.  Many routines in the various libraries are not sufficiently
+reentrant to make this safe.
+<P></P></LI>
+
+<LI>Pay special attention to realloc() usage - more often then not the
+function is not used correctly.
+<P></P></LI>
+
+<LI>When using a fixed size buffers, use sizeof() to prevent lossage
+when a buffer size is changed but the code which uses it isn't.  For
+example:
+<LISTING>       
+        char buf[1024];
+        struct foo { ... };
+        ...
+BAD:
+        xxx(buf, 1024)
+        xxx(yyy, sizeof(struct foo))
+GOOD:
+        xxx(buf, sizeof(buf))
+        xxx(yyy, sizeof(yyy))
+</LISTING>
+Be careful though with sizeof of pointers when you really want the size
+of where it points to!
+<P></P></LI>
+
+<LI>Every time you see "char foo[###]", check every usage of foo to make
+sure that it can't be overflowed.  If you can't avoid overflow (and cases
+of this have been seen), then at least malloc the buffer so that one can't
+walk on the stack.
+<P></P></LI>
+
+<LI>Always close file descriptors as soon as you can - this makes it more
+likely that the stdio buffer contents will be discarded.  In library
+routines, always set any file descriptors that you open to close-on-exec.
+<P><P></LI>
 </UL>
 
-<P><B>Other questions you may ask yourself are:</B></P>
+<A NAME=tat></A>
+<H2>FreeBSD Security Tips and Tricks</H2>
+<P>There are several steps one must take to secure a FreeBSD system, or
+in fact any Unix system:
 <UL>
-<LI>Who do I warn? You can contact the security officer, or even the
-local authorities. The choice is up to you.</LI>
 
-<LI>Do I want to trace the person responsible? By not fixing the hole
-right away, you have a chance to catch the cracker. Then again, you have
-the chance the cracker wipes your disk. The choice is up to you.</LI>
+<LI>Disabling potentially dangerous software<BR><P></P>
+A lot of software has to be run as a special privileged user to make
+use of specific resources, by making the executable set-uid.  An
+example is UUCP or PPP software that makes use of a serial port, or
+sendmail which has to write in the mail spool and bind to a privileged
+network port.  When you are not using UUCP, it is of little use to have
+software on your system and it may be wise to disable it.  Of course,
+this requires good knowledge of what can be thrown away and what not,
+as well as good indication whether or not you will want the functionality
+in the future.<BR><P></P>
+Also some utilities you may find not useful enough to have them
+around and pose a possible security risk, like swapinfo. If you remove
+the set-uid bit for the executable (via 'chmod ug-s filename' command)
+you can always keep on using swapinfo when you're root. It is however
+not a good idea stripping so many sbits you have to be root all
+the time.<BR><P></P>
+Not only remove programs that you don't use, also remove services you
+don't want or need to provide. This can be done by editing the
+<TT>/etc/inetd.conf</TT> and <TT>/etc/rc.conf</TT> files and turning
+off all services you don't use.<P></P>
 
+<LI>Fixing software which has security bugs (or how to stay one step ahead
+of crackers)<BR><P></P>
+Make sure you are subscribed to various <A HREF="#ml">FreeBSD Security 
+mailing lists</A> so you could get updates on security bugs and get
+fixes.  Apply the fixes immediately.<P></P>
+
+<LI>Backups - repair your system if security breach does occur<BR><P></P>
+Always have backups and a clean version of the operating system (e.g. on
+CD-Rom).  Make sure your backups don't contain corrupted or modified by
+attackers data.<P></P>
+
+<LI>Install software to watch the state of the system<BR><P></P>
+Programs like the tcp wrappers and tripwire (both in packages/ports) can
+help you to monitor activity on your system.  This makes it easier
+to detect break-ins.  Also read outputs of the /etc/security scripts
+which are run daily and mailed to the root account.<P></P>
+
+<LI>Educating the people who work on the system<BR><P></P>
+Users should know that they are doing. They should be told to never give
+out their password to anyone and to also use hard to guess passwords.
+Let them understand that the security of the system/network is partly
+in their hands.<P></P>
 </UL>
 
-<H2><A href="secure.html">How to secure a FreeBSD system</A></H2>
 
-<P>There are several steps involved in securing a FreeBSD system, or in
-fact, any UNIX system:</P>
+<P>There is also a FreeBSD Security How-To available which provides some
+advanced tips on how to improve security of your system.  You can 
+find it at <A HREF="http://www.freebsd.org/~jkb/howto.html">
+http://www.freebsd.org/~jkb/howto.html</A>.</P>
+<P>Security is an ongoing process.  Make sure you are following the latest
+developments in the security arena.</P>
 
-<H2><a href="programmers.html">Security Do's and Don'ts for Programmers</a></H2>
+<A NAME=misc></A>
+<H2>What to do when you detect a security compromise</H2>
 
-<H2>Other useful security information:</H2>
+<UL>
+<LI><B>Determine the level of the security breach</B><BR>
+What privileges did the attacker get? Did the attacker managed to get
+root access? Did the attacker only managed to get user level access?</LI>
 
+<LI><B>Determine if the state of system (kernel or userland) has been
+tampered with</B><BR>
+What software has been tampered with? Was new kernel installed? Were any
+of the system binaries (such as telnetd, login, etc) modified? If you
+believe an attacker could have done any tampering with an OS, you may want
+to re-install the operating system from a safe medium.</LI>
+
+<LI><B>Find out how the break-in was done</B><BR>
+Did the breaking occur via a well know security bug? If that is the case,
+make sure to install the correct patches.  Was the breaking successful due
+to a misconfiguration? Was the breakin result of a new bug? If you believe
+the breakin occurred via a new bug, you should warn the
+<A HREF="mailto:security-officer@freebsd.org"> FreeBSD Security 
+Officer</A>.</LI>
+
+<LI><B>Fix the security hole</B><BR>
+Install new software or apply patches to the old one in order to fix the
+problems.  Disable already compromised accounts.</LI>
+
+<LI><B>Other resources</B><BR>
+<A HREF="http://www.cert.org">CERT</A> also offers 
+<A HREF="http://www.cert.org/nav/recovering.html">detailed information</A>
+on what steps to take in case of a system compromise.</LI>
+</UL>
+
+<H2>Other Related Security Information</H2>
 <UL>
 <LI><A href="http://www.cs.purdue.edu/coast/archive/index.html">The COAST
-	archive</A>
-	Contains a huge collection of security related material.</LI>
+archive</A> contains a huge collection of security related materials.</LI>
 
-<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">
-	The COAST Security hotlist</A>
-	This page is THE place to start looking for security related
-	material. It contains hundreds of useful
-	security pointers. Everything you always wanted to know about
-	security...and more...</LI>
+<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">The COAST Security
+Hotlist</A> is the place to start looking for security related materials.
+It contains hundreds of useful security pointers.  Everything you always
+wanted to know about security... and more.</LI>
 
-<LI>The various CERTs (e.g. <A href="http://www.cert.org/">www.cert.org</A> and
-	<A href="http://www.auscert.org.au/">www.auscert.org.au</A>)</LI>
-
-<li><a href="http://SecurityPortal.com/">SecurityPortal.com</a>
-is intended to be the comprehensive Web site for Internet
-Security.   It is dedicated to providing corporate security professionals
-with the information and resources needed to protect their networks. We
-summarize breaking security news and provide a jumping off point for
-Security Alerts, Products, Tools, Tips & Tricks and other Resources.
-</li>
-
-<LI>Mailing lists: Bugtraq, BOS, etc.</LI>
+<LI>The various CERT teams such as <A href="http://www.cert.org">
+http://www.cert.org</A> and <A href="http://www.auscert.org.au">
+http://www.auscert.org.au</A>.</LI>
 
+<LI>Mailing lists such as <A HREF="http://www.geek-girl.com/bugtraq/">
+Bugtraq</A> and <A HREF="http://www.nfr.net/forum/firewall-wizards.html">
+Firewall Wizards</A>.</LI>
 </UL>
 
-      &footer
-  </body>
+	&footer
+    </body>
 </html>