Implement a new manual page category ``SECURITY CONSIDERATIONS''

(suggested by mycroft)

games/dm/dm.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: dm.8,v 1.5 1998/04/28 06:00:52 fair Exp $
+.\"	$NetBSD: dm.8,v 1.6 1998/06/08 12:41:41 lukem Exp $
 .\"
 .\" Copyright (c) 1987, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -86,26 +86,26 @@ game logging file
 .El
 .Sh SEE ALSO
 .Xr dm.conf 5
-.Sh BUGS
-Two problems result from
-.Nm
-running the games setuid
-.Dq games .
-First, all games that allow users to run
-.Ux
-commands should carefully
-set both the real and effective user id's immediately before executing
-those commands.  Probably more important is that
-.Nm
-never be setuid
-anything but
-.Dq games
-so that compromising a game will result only in
-the user's ability to play games at will.  Secondly, games which previously
-had no reason to run setuid and which accessed user files may have to
-be modified.
 .Sh HISTORY
 The
 .Nm
 command appeared in
 .Bx 4.3 tahoe .
+.Sh SECURITY CONSIDERATIONS
+Two issues result from
+.Nm
+running the games setgid
+.Dq games .
+First, all games that allow users to run
+.Ux
+commands should carefully
+set both the real and effective group id's immediately before executing
+those commands.
+Probably more important is that
+.Nm
+never be setgid anything but
+.Dq games
+so that compromising a game will result only in
+the user's ability to play games at will.
+Secondly, games which previously had no reason to run setgid and which
+accessed user files may have to be modified.

lib/libc/gen/getcwd.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: getcwd.3,v 1.9 1998/02/05 18:46:29 perry Exp $
+.\"	$NetBSD: getcwd.3,v 1.10 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -150,10 +150,13 @@ The
 .Fn getwd
 function appeared in 
 .Bx 4.0 .
-.Sh BUGS
-The
+.Sh SECURITY CONSIDERATIONS
+As
 .Fn getwd
-function
-does not do sufficient error checking and is not able to return very
-long, but valid, paths.
-It is provided for compatibility.
+does not know the length of the supplied buffer, it is possible
+for a long (but valid) path to overflow the buffer and provide
+a means for an attacker to exploit the caller.
+.Fn getcwd
+should be used in place of
+.Fn getwd
+(the latter is only provided for compatibility purposes).

lib/libc/gen/getpass.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: getpass.3,v 1.5 1998/02/05 18:46:52 perry Exp $
+.\"	$NetBSD: getpass.3,v 1.6 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -86,7 +86,7 @@ a pointer to that object.
 Subsequent calls to
 .Nm getpass
 will modify the same object.
-.Pp
+.Sh SECURITY CONSIDERATIONS
 The calling process should zero the password as soon as possible to
 avoid leaving the cleartext password visible in the process's address
 space.

lib/libc/stdio/fgets.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: fgets.3,v 1.8 1998/04/28 20:58:01 fair Exp $
+.\"	$NetBSD: fgets.3,v 1.9 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1990, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -140,7 +140,7 @@ and
 .Fn gets
 conform to
 .St -ansiC .
-.Sh BUGS
+.Sh SECURITY CONSIDERATIONS
 Since it is usually impossible to ensure that the next input line
 is less than some arbitrary length, and because overflowing the
 input buffer is almost invariably a security violation, programs

lib/libc/stdio/mktemp.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: mktemp.3,v 1.10 1998/06/01 20:16:37 kleink Exp $
+.\"	$NetBSD: mktemp.3,v 1.11 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -139,7 +139,7 @@ A
 .Fn mktemp
 function appeared in
 .At v7 .
-.Sh BUGS
+.Sh SECURITY CONSIDERATIONS
 The use of
 .Fn mktemp
 should generally be avoided, as a hostile process can exploit a race

lib/libc/stdio/printf.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: printf.3,v 1.8 1998/04/28 20:58:01 fair Exp $
+.\"	$NetBSD: printf.3,v 1.9 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1990, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -625,14 +625,16 @@ and
 conversions, as well as other nonsensical combinations such as
 .Cm %Ld ,
 are not standard; such combinations should be avoided.
-.Pp
+.Sh SECURITY CONSIDERATIONS
 Because
 .Fn sprintf
 and
 .Fn vsprintf
 assume an infinitely long string, callers must be careful not to
 overflow the actual space; this is often impossible to assure.
-For safety, programmers should use the
+For safety, programmers should use
 .Fn snprintf
-interface instead.
+or
+.Fn vsnprintf
+instead.
 Unfortunately, this interface is not portable.

lib/libc/stdio/tmpnam.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: tmpnam.3,v 1.7 1998/04/28 20:59:29 fair Exp $
+.\"	$NetBSD: tmpnam.3,v 1.8 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1988, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -196,7 +196,7 @@ compatibility only.
 The
 .Xr mkstemp 3
 interface is strongly preferred.
-.Pp
+.Sh SECURITY CONSIDERATIONS
 There are four important problems with these interfaces (as well as
 with the historic
 .Xr mktemp 3

libexec/ftpd/ftpd.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: ftpd.8,v 1.25 1998/06/08 07:13:13 lukem Exp $
+.\"	$NetBSD: ftpd.8,v 1.26 1998/06/08 12:41:42 lukem Exp $
 .\"
 .\" Copyright (c) 1985, 1988, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -581,9 +581,18 @@ The server must run as the super-user to create sockets with
 privileged port numbers.
 It maintains an effective user id of the logged in user, reverting
 to the super-user only when binding addresses to sockets.
-The possible security holes have been extensively scrutinized, but
-are possibly incomplete.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
 .Pp
+The
+.Pa /etc/ftpd.conf
+functionality was implemented in
+.Nx 1.3
+by Luke Mewburn, based on work by Simon Burge.
+.Sh SECURITY CONSIDERATIONS
 .Cm RFC-959
 provides no restrictions on the PORT command, and this can lead
 to security problems, as
@@ -599,14 +608,3 @@ will be rejected.
 Use of this option is
 .Em strongly
 recommended.
-.Sh HISTORY
-The
-.Nm
-command appeared in
-.Bx 4.2 .
-.Pp
-The
-.Pa /etc/ftpd.conf
-functionality was implemented in
-.Nx 1.3
-by Luke Mewburn, based on work by Simon Burge.

libexec/rexecd/rexecd.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: rexecd.8,v 1.5 1998/04/29 08:33:12 fair Exp $
+.\"	$NetBSD: rexecd.8,v 1.6 1998/06/08 12:41:43 lukem Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -145,3 +145,9 @@ The
 .Nm
 command appeared in
 .Bx 4.2 .
+.Sh SECURITY CONSIDERATIONS
+As the passwords exchanged by the client and
+.Nm
+are not encrypted, it is
+.Em strongly
+recommended that this service is not enabled.

libexec/rpc.sprayd/rpc.sprayd.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: rpc.sprayd.8,v 1.5 1997/10/20 02:51:47 enami Exp $
+.\"	$NetBSD: rpc.sprayd.8,v 1.6 1998/06/08 12:41:43 lukem Exp $
 .\" 
 .\" Copyright (c) 1994 Christos Zoulas
 .\" All rights reserved.
@@ -52,3 +52,11 @@ uses an RPC protocol defined in
 .Pa /usr/include/rpcsvc/spray.x .
 .Sh SEE ALSO
 .Xr spray 8
+.Sh SECURITY CONSIDERATIONS
+As
+.Nm
+responds to packets generated by
+.Xr spray 8 ,
+remote users can cause a denial of network service against the local
+host by saturating requests to
+.Nm "" .

libexec/tftpd/tftpd.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: tftpd.8,v 1.6 1998/02/06 05:43:16 perry Exp $
+.\"	$NetBSD: tftpd.8,v 1.7 1998/06/08 12:41:43 lukem Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -103,9 +103,19 @@ relative filenames.
 .Nm
 will
 .Xr chroot 2
-on startup; therefore the remote host is not expected to pass the directory
-as part of the file name to transfer.  This option is intended primarily for
-compatibility with SunOS boot ROMs which do not include a directory name.
+on startup.
+This is recommended for security reasons (so that files other than
+those in the 
+.Pa /tftpboot
+directory aren't accessable).
+If the remote host passes the directory name as part of the
+file name to transfer, you may have to create a symbolic link
+from
+.Sq tftpboot
+to
+.Sq \&.
+under
+.Pa /tftpboot .
 .El
 .Pp
 .Sh SEE ALSO
@@ -121,3 +131,25 @@ The
 .Fl s
 flag appeared in
 .Nx 1.0 .
+.Sh SECURITY CONSIDERATIONS
+You are
+.Em strongly
+advised to setup
+.Nm
+using the
+.Fl s
+flag in conjunction with the name of the directory that
+contains the files that
+.Nm
+will serve to remote hosts (e.g.,
+.Pa /tftpboot ) .
+This ensures that only the files that should be served
+to remote hosts can be accessed by them.
+.Pp
+Because there is no user-login or validation within
+the
+.Tn TFTP
+protocol, the remote site will probably have some
+sort of file-access restrictions in place.  The
+exact methods are specific to each site and therefore
+difficult to document here.

sbin/fsirand/fsirand.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: fsirand.8,v 1.2 1997/09/14 14:58:53 lukem Exp $
+.\"	$NetBSD: fsirand.8,v 1.3 1998/06/08 12:41:43 lukem Exp $
 .\"
 .\" Copyright (c) 1997 Christos Zoulas
 .\" All rights reserved.
@@ -60,9 +60,9 @@ Print the current inode generation numbers; the filesystem is not modified.
 .Pp
 .Nm
 exits zero on success, non-zero on failure.
-.Sh BUGS
-The current implementation does not use a good random number generator,
-so the randomization can be predicted.
 .Sh SEE ALSO
 .Xr fsck_ffs 8 ,
 .Xr newfs 8 
+.Sh SECURITY CONSIDERATIONS
+The current implementation does not use a good random number generator,
+so the randomization can be predicted.

share/man/man7/mdoc.7

@@ -1,4 +1,4 @@
-.\"	$NetBSD: mdoc.7,v 1.8 1998/02/06 06:13:20 perry Exp $
+.\"	$NetBSD: mdoc.7,v 1.9 1998/06/08 12:41:43 lukem Exp $
 .\"
 .\" Copyright (c) 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -121,6 +121,8 @@ If a standard is not applicable, the history
 of the subject should be given.
 .It Ar BUGS
 Gotchas and caveats.
+.It Ar SECURITY CONSIDERATIONS
+Security issues to be aware of.
 .It Ar other
 Customized headers may be added at
 the authors discretion.

usr.bin/shar/shar.1

@@ -1,4 +1,4 @@
-.\"	$NetBSD: shar.1,v 1.5 1997/10/19 23:05:28 lukem Exp $
+.\"	$NetBSD: shar.1,v 1.6 1998/06/08 12:41:44 lukem Exp $
 .\"
 .\" Copyright (c) 1990, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -67,19 +67,6 @@ or
 .Nm
 makes no provisions for special types of files or files containing
 magic characters.
-.Pp
-It is easy to insert trojan horses into
-.Nm
-files.
-It is strongly recommended that all shell archive files be examined
-before running them through
-.Xr sh  1  .
-Archives produced using this implementation of
-.Nm
-may be easily examined with the command:
-.Bd -literal -offset indent
-egrep -v '^[X#]' shar.file
-.Ed
 .Sh EXAMPLES
 To create a shell archive of the program
 .Xr ls  1
@@ -103,3 +90,16 @@ The
 .Nm
 command appears in
 .Bx 4.4 .
+.Sh SECURITY CONSIDERATIONS
+It is easy to insert trojan horses into
+.Nm
+files.
+It is strongly recommended that all shell archive files be examined
+before running them through
+.Xr sh  1  .
+Archives produced using this implementation of
+.Nm
+may be easily examined with the command:
+.Bd -literal -offset indent
+egrep -v '^[X#]' shar.file
+.Ed

usr.bin/tftp/tftp.1

@@ -1,4 +1,4 @@
-.\"	$NetBSD: tftp.1,v 1.7 1998/04/28 06:00:57 fair Exp $
+.\"	$NetBSD: tftp.1,v 1.8 1998/06/08 12:41:44 lukem Exp $
 .\"
 .\" Copyright (c) 1990, 1993, 1994
 .\"	The Regents of the University of California.  All rights reserved.
@@ -159,8 +159,12 @@ Toggle packet tracing.
 .It Cm verbose
 Toggle verbose mode.
 .El
-.Sh BUGS
-.Pp
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.3 .
+.Sh SECURITY CONSIDERATIONS
 Because there is no user-login or validation within
 the
 .Tn TFTP
@@ -168,8 +172,3 @@ protocol, the remote site will probably have some
 sort of file-access restrictions in place.  The
 exact methods are specific to each site and therefore
 difficult to document here.
-.Sh HISTORY
-The
-.Nm
-command appeared in
-.Bx 4.3 .

usr.sbin/chroot/chroot.8

@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     from: @(#)chroot.8	8.1 (Berkeley) 6/9/93
-.\"	$NetBSD: chroot.8,v 1.5 1997/10/18 04:06:28 lukem Exp $
+.\"	$NetBSD: chroot.8,v 1.6 1998/06/08 12:41:44 lukem Exp $
 .\"
 .Dd June 9, 1993
 .Dt CHROOT 8
@@ -74,12 +74,12 @@ is used.
 .Xr chdir 2 ,
 .Xr chroot 2 ,
 .Xr environ 7
-.Sh CAVEATS
-.Nm
-should never be installed setuid root, as it would then be possible
-to exploit the program to gain root privileges.
 .Sh HISTORY
 The
 .Nm
 utility first appeared in
 .Bx 4.4 .
+.Sh SECURITY CONSIDERATIONS
+.Nm
+should never be installed setuid root, as it would then be possible
+to exploit the program to gain root privileges.

usr.sbin/inetd/inetd.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: inetd.8,v 1.15 1998/05/01 01:57:26 thorpej Exp $
+.\"	$NetBSD: inetd.8,v 1.16 1998/06/08 12:41:44 lukem Exp $
 .\"
 .\" Copyright (c) 1998 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -261,13 +261,13 @@ on a socket and eventually time out, the server is said to be
 and should use a
 .Dq wait
 entry.
-.Xr Comsat 8
+.Xr comsat 8
 .Pq Xr biff 1
 and
 .Xr talkd 8
 are both examples of the latter type of
 datagram server.
-.Xr Tftpd 8
+.Xr tftpd 8
 is an exception; it is a datagram server that establishes pseudo-connections.
 It must be listed as
 .Dq wait
@@ -391,3 +391,12 @@ based services is modeled after that
 provided by SunOS 4.1.
 Support for specifying the socket buffer sizes was added in
 .Nx 1.4 .
+.Sh SECURITY CONSIDERATIONS
+Enabling the
+.Dq echo ,
+.Dq discard ,
+and 
+.Dq chargen
+built-in trivial services is not recommended because remote
+users may abuse these to cause a denial of network service to 
+or from the local host.