doc/share/sgml/advisories.xml

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$Date: 1999-01-26 18:40:51 $">
<!ENTITY title "FreeBSD Security Information">
<!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
]>
<!-- $Id: advisories.xml,v 1.10 1999-01-26 18:40:51 wosch Exp $ -->

<html>
    &header;

<H2>Introduction</H2>

<P>This web page is designed to assist both new and experienced users
in the area of security for the FreeBSD Operating System.  The FreeBSD
Development team takes security very seriously and is constantly working
on making the OS as secure as possible.</P>

<P>Here you will find additional information, or links to information,
on how to protect your system against various types of outside attack,
whom to contact if you find a security related bug, etc.  There is
also a section on the various ways that the systems programmer can
become more security conscious so he or she is less likely to
introduce security holes in the first place.</P>

<H2>Table Of Content</H2>
<UL>
<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
<LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
<LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
<LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
<LI><A HREF="#spg">Secure Programing Guidelines</A></LI>
<LI><A HREF="#misc">Other Related Security Information</A></LI>
</UL>

<A NAME=sec></A>
<H2>The FreeBSD Security Officer</H2>

<P>To better coordinate information exchange with others in the security
community, FreeBSD has a focal point for security related communications:
The FreeBSD <a href="mailto:security-officer@freebsd.org">security officer</a>.
The position is actually staffed by a team of dedicated security officers,
their main tasks being to send out advisories when there are known security
holes and to act on reports of possible security problems with FreeBSD.</P>

<P>If you need to contact someone from the FreeBSD team about a
possible security bug, you should therefore please <A
HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer</A>
with a description of what you've found and the type of vulnerability it
represents.  The Security Officers also communicate with the various
<A HREF="http://www.cert.org">CERT </A>and <A
HREF="http://www.first.org/"> FIRST</A> teams around the world,
sharing information about possible vulnerabilities in FreeBSD or
utilities commonly used by FreeBSD.  The Security Officers are also
active members of those organizations.</P>

<P>If you do need to contact the Security Officer about a particularly
sensitive matter, please use their <A
HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key
</A> to encrypt your message before sending it.</P>

<A NAME=adv></A>
<H2>FreeBSD Security Advisories</H2>

<P>The FreeBSD Security Officers provide security advisories for the
following releases of FreeBSD:</P>

<UL>
<LI>	The most recent official release of FreeBSD.
<LI>	FreeBSD-current.
<LI>	FreeBSD-stable, when at least 2 releases are based on it.
<LI>	The previous FreeBSD-stable when a "new stable" does not yet
	have 2 releases based on it.
</UL>

At this time, security advisories are available for:
<UL>
<LI>	FreeBSD 2.2.7
<LI>	FreeBSD 2.2.8
<LI>	FreeBSD 3.0
<LI>	FreeBSD-current
<LI>	FreeBSD-stable
</UL>

<P>Older releases are not maintained and users are strongly encouraged
to upgrade to one of the supported releases mentioned above.</P>

<P>Like all development efforts, security fixes are first brought into
the <A HREF="../handbook/current.html">FreeBSD-current</A> branch.
After a couple of days and some testing, the fix is retrofitted into
the supported FreeBSD-stable branch(es) and an advisory then sent
out.</P>

<P>Advisories are sent to the following FreeBSD mailing lists:
<UL>
<LI>FreeBSD-security-notifications@freebsd.org
<LI>FreeBSD-security@freebsd.org
<LI>FreeBSD-announce@freebsd.org
</UL>


<P>Advisories are always signed using the FreeBSD Security Officer
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc"> PGP key
</A> and are archived, along with their associated patches, at our
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/index.html">FTP CERT
repository</A>.  At the time of this writing, the following advisories are
currently available:</P>

<UL>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:01.sliplogin.asc">FreeBSD-SA-96:01.sliplogin.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:02.apache.asc">FreeBSD-SA-96:02.apache.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc">FreeBSD-SA-96:03.sendmail-suggestion.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:08.syslog.asc">FreeBSD-SA-96:08.syslog.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:09.vfsload.asc">FreeBSD-SA-96:09.vfsload.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:10.mount_union.asc">FreeBSD-SA-96:10.mount_union.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:11.man.asc">FreeBSD-SA-96:11.man.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:12.perl.asc">FreeBSD-SA-96:12.perl.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:13.comsat.asc">FreeBSD-SA-96:13.comsat.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:14.ipfw.asc">FreeBSD-SA-96:14.ipfw.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:15.ppp.asc">FreeBSD-SA-96:15.ppp.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:16.rdist.asc">FreeBSD-SA-96:16.rdist.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:17.rzsz.asc">FreeBSD-SA-96:17.rzsz.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:18.lpr.asc">FreeBSD-SA-96:18.lpr.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:19.modstat.asc">FreeBSD-SA-96:19.modstat.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:20.stack-overflow.asc">FreeBSD-SA-96:20.stack-overflow.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:21.talkd.asc">FreeBSD-SA-96:21.talkd.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:01.setlocale">FreeBSD-SA-97:01.setlocale</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:02.lpd.asc">FreeBSD-SA-97:02.lpd.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:03.sysinstall.asc">FreeBSD-SA-97:03.sysinstall.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:04.procfs.asc">FreeBSD-SA-97:04.procfs.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:05.open.asc">FreeBSD-SA-97:05.open.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:06.f00f.asc">FreeBSD-SA-97:06.f00f.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:01.land.asc">FreeBSD-SA-98:01.land.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:02.mmap.asc">FreeBSD-SA-98:02.mmap.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:03.ttcp.asc">FreeBSD-SA-98:03.ttcp.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc">FreeBSD-SA-98:04.mmap.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:05.nfs.asc">FreeBSD-SA-98:05.nfs.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:06.icmp.asc">FreeBSD-SA-98:06.icmp.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:07.rst.asc">FreeBSD-SA-98:07.rst.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:08.fragment.asc">FreeBSD-SA-98:08.fragment.asc</A></LI>
</UL>

<A NAME=ml></A>
<H2>FreeBSD Security Mailing Lists Information</H2>

<P>If you are administering or using any number of FreeBSD systems, you
should probably be subscribed to one or more of the following lists:</P>

<PRE>
freebsd-security                General security related discussion
freebsd-security-notifications  Security notifications (moderated mailing list)
</PRE>

Send mail to <A HREF="mailto:majordomo@freebsd.org">
majordomo@FreeBSD.ORG</A> with
<PRE>
     subscribe &lt;listname&gt;  [&lt;optional address&gt;]
</PRE>
in the body of the message in order to subscribe yourself.
For example:
<PRE>
% echo "subscribe freebsd-security" | mail majordomo@freebsd.org
</PRE>
and if you would like to unsubscribe from a mailing list:
<PRE>
% echo "unsubscribe freebsd-security" | mail majordomo@freebsd.org
</PRE>

<A NAME=spg></A>
<H2>Secure Programing Guidelines</H2>
<P><P><UL>
<LI>Never trust any source of input, i.e. command line arguments,
environment variables, configuration files, incoming TCP/UDP/ICMP packets,
hostname lookups, function arguments, etc.  If the length of or contents of
the date received is at all subject to outside control, then the program or
function should watch for this when copying it around.  Specific security
issues to watch for in this are are:
<P></P>
  <UL>

<LI>strcpy() and sprintf() calls from unbounded data.  Use strncpy and
snprintf() when the length is known (or implement some other form of
bounds-checking when the length is unknown).  In fact, never ever use
gets() or sprintf(), period.  If you do - will send evil dwarfs after you.
<P></P></LI>

<LI>If you have to check the user input so it does not contain bad
characters of some sort, do NOT check for those bad characters.  Instead
simply verify that it consists ONLY of those characters that you do
allow.  In general concept is: disallow anything that is not 
explicitly allowed. 
<P></P></LI>

<LI>Read man pages for strncpy() and strncat() calls.  Be sure to 
understand how they work!!! While strncpy() might not append a terminating
\0, strncat() on the other hand adds the \0.
<P></P></LI>

<LI>Watch for strvis() and getenv() abuse.  With strvis() it is easy to get
the destination string wrong for, and getenv() can return strings much
longer then the program might expect.  These two functions are one of the
key ways an attack is often made on a program, causing it to overwrite stack
or variables by setting its environment variables to unexpected values.  If
your program reads environment variables, be paranoid.  Be very paranoid!
<P></P></LI>

<LI>Ever time you use open() or stat() call - ask yourself: "What if it
is a symbolic link?"
<P></P></LI>

<LI>Make sure to use mkstemp() instead of mktemp(), tempnam(), mkstemp() and
etc.  Also make sure to look for races in /tmp in general, being aware that
there are very few things which can be atomic in /tmp:
	<UL>
	<LI>Creating a directory.  This will either succeed or fail.</LI>
	<LI>Opening a file O_CREAT | O_EXECL</LI>
	</UL>
If you use mkstemp - above cases will be properly handled for you.  Hence
all temp files should use mkstemp() to guarantee there is not race
condition and that the permissions are correct.
<P></P></LI>

<LI>If an attacker can force packets to go/come from another arbitrary 
system then that attacker has complete control over the data that we get 
and <B>NONE</B>of it should be trusted.
<P></P></LI>

<LI>Never trust a configuration file is correctly formatted or that it was
generated by the appropriate utility.  Don't trust user input such as
terminal names or language strings to be free of '/' or '../../../' if
there is any chance that they can be used in a path name.  Don't trust
<B>ANY</B> paths supplied by the user when you are running setuid root.
<P></P></LI>

<LI>Look for holes or weaknesses in how data is stored.  All temp files
should have 600 permission in order to be protected from prying eyes.
<P></P></LI>

<LI>Don't just grep for the usual suspects in programs which run with
elevated privileges.  Look line by line for possible overflows in these
cases since there are a lot more ways to cause buffer overflows then
by abusing strcpy() and friends.
<P></P></LI>

<LI>Just because you drop privileges somewhere, it does not mean that no
exploit is possible.  The attacker may put the necessary code on the
stack to regain the privileges before executing /bin/sh.</LI></UL>
<P></P></LI>

<LI>Do uid management.  Do drop privileges as soon as possible, and really
do drop them.  Switching between euid and uid is NOT enough.  Use setuid()
when you can.
<P></P></LI>

<LI>Never display configuration file contents on errors.  A line number and
perhaps position count is enough.  This is true for all libs and for any
suid/sgid program.
<P></P></LI>

<LI>Tips for those reviewing existing code for security problems:<P></P><UL>

<LI>If you are unsure of your security fixes, send them to a reviewer with
whom you have already arrangements for a second glance over your 
code.  Don't commit code you are not sure about since breaking something
in the name of security fix is rather embarrassing.
<P></P></LI>

<LI>Those without CVS commit privileges should make sure that a reviewer
with such privileges is among the last to review the changes.  That person
will both review and incorporate the final version you would like to have
go into the tree.
<P></P></LI>

<LI>When sending changes around for review, always use context or unidiff
format diffs - this way diffs can be easily fed to patch(1).  Do not simply
send the whole files.  Diffs are much easier to read and apply to local
sources (especially those in which multiple, simultaneous changes may be
taking place).  All changed should be relative to the -current branch of
development.
<P></P></LI>

<LI>Always directly test your changes (e.g. build and run the affected
sources) before sending them to a reviewer.  Nobody likes being sent
obviously broken stuff for review, and it just makes it appear as though
the submitter didn't even really look at what he was (which is also hardly
confidence building).  If you need accounts on a machine with a specific
version which you don't have available - just ask.  The project has
resources available for exactly such purposes.
<P></P></LI>

<LI>Note for committers: do not forget to retrofit -current patches into 
the -stable branch as appropriate.
<P></P></LI>

<LI>Do not needlessly rewrite code to suit your style/tastes - it only 
makes the reviewer's job needlessly more difficult.  Do so only if there
are clear reasons for it.</LI></UL
<P></P></LI>

<LI>Look out for programs doing complex things in with signal 
handlers.  Many routines in the various libraries are not sufficiently
reentrant to make this safe.
<P></P></LI>

<LI>Pay special attention to realloc() usage - more often then not the
function is not used correctly.
<P></P></LI>

<LI>When using a fixed size buffers, use sizeof() to prevent lossage
when a buffer size is changed but the code which uses it isn't.  For
example:
<LISTING>       
        char buf[1024];
        struct foo { ... };
        ...
BAD:
        xxx(buf, 1024)
        xxx(yyy, sizeof(struct foo))
GOOD:
        xxx(buf, sizeof(buf))
        xxx(yyy, sizeof(yyy))
</LISTING>
Be careful though with sizeof of pointers when you really want the size
of where it points to!
<P></P></LI>

<LI>Every time you see "char foo[###]", check every usage of foo to make
sure that it can't be overflowed.  If you can't avoid overflow (and cases
of this have been seen), then at least malloc the buffer so that one can't
walk on the stack.
<P></P></LI>

<LI>Always close file descriptors as soon as you can - this makes it more
likely that the stdio buffer contents will be discarded.  In library
routines, always set any file descriptors that you open to close-on-exec.
<P><P></LI>
</UL>

<A NAME=tat></A>
<H2>FreeBSD Security Tips and Tricks</H2>
<P>There are several steps one must take to secure a FreeBSD system, or
in fact any Unix system:
<UL>

<LI>Disabling potentially dangerous software<BR><P></P>
A lot of software has to be run as a special privileged user to make
use of specific resources, by making the executable set-uid.  An
example is UUCP or PPP software that makes use of a serial port, or
sendmail which has to write in the mail spool and bind to a privileged
network port.  When you are not using UUCP, it is of little use to have
software on your system and it may be wise to disable it.  Of course,
this requires good knowledge of what can be thrown away and what not,
as well as good indication whether or not you will want the functionality
in the future.<BR><P></P>
Also some utilities you may find not useful enough to have them
around and pose a possible security risk, like swapinfo. If you remove
the set-uid bit for the executable (via 'chmod ug-s filename' command)
you can always keep on using swapinfo when you're root. It is however
not a good idea stripping so many sbits you have to be root all
the time.<BR><P></P>
Not only remove programs that you don't use, also remove services you
don't want or need to provide. This can be done by editing the
<TT>/etc/inetd.conf</TT> and <TT>/etc/rc.conf</TT> files and turning
off all services you don't use.<P></P>

<LI>Fixing software which has security bugs (or how to stay one step ahead
of crackers)<BR><P></P>
Make sure you are subscribed to various <A HREF="#ml">FreeBSD Security 
mailing lists</A> so you could get updates on security bugs and get
fixes.  Apply the fixes immediately.<P></P>

<LI>Backups - repair your system if security breach does occur<BR><P></P>
Always have backups and a clean version of the operating system (e.g. on
CD-Rom).  Make sure your backups don't contain corrupted or modified by
attackers data.<P></P>

<LI>Install software to watch the state of the system<BR><P></P>
Programs like the tcp wrappers and tripwire (both in packages/ports) can
help you to monitor activity on your system.  This makes it easier
to detect break-ins.  Also read outputs of the /etc/security scripts
which are run daily and mailed to the root account.<P></P>

<LI>Educating the people who work on the system<BR><P></P>
Users should know that they are doing. They should be told to never give
out their password to anyone and to also use hard to guess passwords.
Let them understand that the security of the system/network is partly
in their hands.<P></P>
</UL>


<P>There is also a FreeBSD Security How-To available which provides some
advanced tips on how to improve security of your system.  You can 
find it at <A HREF="http://www.freebsd.org/~jkb/howto.html">
http://www.freebsd.org/~jkb/howto.html</A>.</P>
<P>Security is an ongoing process.  Make sure you are following the latest
developments in the security arena.</P>

<A NAME=misc></A>
<H2>What to do when you detect a security compromise</H2>

<UL>
<LI><B>Determine the level of the security breach</B><BR>
What privileges did the attacker get? Did the attacker managed to get
root access? Did the attacker only managed to get user level access?</LI>

<LI><B>Determine if the state of system (kernel or userland) has been
tampered with</B><BR>
What software has been tampered with? Was new kernel installed? Were any
of the system binaries (such as telnetd, login, etc) modified? If you
believe an attacker could have done any tampering with an OS, you may want
to re-install the operating system from a safe medium.</LI>

<LI><B>Find out how the break-in was done</B><BR>
Did the breaking occur via a well know security bug? If that is the case,
make sure to install the correct patches.  Was the breaking successful due
to a misconfiguration? Was the breakin result of a new bug? If you believe
the breakin occurred via a new bug, you should warn the
<A HREF="mailto:security-officer@freebsd.org"> FreeBSD Security 
Officer</A>.</LI>

<LI><B>Fix the security hole</B><BR>
Install new software or apply patches to the old one in order to fix the
problems.  Disable already compromised accounts.</LI>

<LI><B>Other resources</B><BR>
<A HREF="http://www.cert.org">CERT</A> also offers 
<A HREF="http://www.cert.org/nav/recovering.html">detailed information</A>
on what steps to take in case of a system compromise.</LI>
</UL>

<H2>Other Related Security Information</H2>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/archive/index.html">The COAST
archive</A> contains a huge collection of security related materials.</LI>

<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">The COAST Security
Hotlist</A> is the place to start looking for security related materials.
It contains hundreds of useful security pointers.  Everything you always
wanted to know about security... and more.</LI>

<LI>The various CERT teams such as <A href="http://www.cert.org">
http://www.cert.org</A> and <A href="http://www.auscert.org.au">
http://www.auscert.org.au</A>.</LI>

<LI>Mailing lists such as <A HREF="http://www.geek-girl.com/bugtraq/">
Bugtraq</A> and <A HREF="http://www.nfr.net/forum/firewall-wizards.html">
Firewall Wizards</A>.</LI>
</UL>

	&footer
    </body>
</html>