Implement a new manual page category ``SECURITY CONSIDERATIONS''

(suggested by mycroft)
This commit is contained in:
lukem 1998-06-08 12:41:41 +00:00
parent d86c20ef36
commit fc90756956
17 changed files with 152 additions and 93 deletions

View File

@ -1,4 +1,4 @@
.\" $NetBSD: dm.8,v 1.5 1998/04/28 06:00:52 fair Exp $
.\" $NetBSD: dm.8,v 1.6 1998/06/08 12:41:41 lukem Exp $
.\"
.\" Copyright (c) 1987, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -86,26 +86,26 @@ game logging file
.El
.Sh SEE ALSO
.Xr dm.conf 5
.Sh BUGS
Two problems result from
.Nm
running the games setuid
.Dq games .
First, all games that allow users to run
.Ux
commands should carefully
set both the real and effective user id's immediately before executing
those commands. Probably more important is that
.Nm
never be setuid
anything but
.Dq games
so that compromising a game will result only in
the user's ability to play games at will. Secondly, games which previously
had no reason to run setuid and which accessed user files may have to
be modified.
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 tahoe .
.Sh SECURITY CONSIDERATIONS
Two issues result from
.Nm
running the games setgid
.Dq games .
First, all games that allow users to run
.Ux
commands should carefully
set both the real and effective group id's immediately before executing
those commands.
Probably more important is that
.Nm
never be setgid anything but
.Dq games
so that compromising a game will result only in
the user's ability to play games at will.
Secondly, games which previously had no reason to run setgid and which
accessed user files may have to be modified.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: getcwd.3,v 1.9 1998/02/05 18:46:29 perry Exp $
.\" $NetBSD: getcwd.3,v 1.10 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -150,10 +150,13 @@ The
.Fn getwd
function appeared in
.Bx 4.0 .
.Sh BUGS
The
.Sh SECURITY CONSIDERATIONS
As
.Fn getwd
function
does not do sufficient error checking and is not able to return very
long, but valid, paths.
It is provided for compatibility.
does not know the length of the supplied buffer, it is possible
for a long (but valid) path to overflow the buffer and provide
a means for an attacker to exploit the caller.
.Fn getcwd
should be used in place of
.Fn getwd
(the latter is only provided for compatibility purposes).

View File

@ -1,4 +1,4 @@
.\" $NetBSD: getpass.3,v 1.5 1998/02/05 18:46:52 perry Exp $
.\" $NetBSD: getpass.3,v 1.6 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1989, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -86,7 +86,7 @@ a pointer to that object.
Subsequent calls to
.Nm getpass
will modify the same object.
.Pp
.Sh SECURITY CONSIDERATIONS
The calling process should zero the password as soon as possible to
avoid leaving the cleartext password visible in the process's address
space.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: fgets.3,v 1.8 1998/04/28 20:58:01 fair Exp $
.\" $NetBSD: fgets.3,v 1.9 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -140,7 +140,7 @@ and
.Fn gets
conform to
.St -ansiC .
.Sh BUGS
.Sh SECURITY CONSIDERATIONS
Since it is usually impossible to ensure that the next input line
is less than some arbitrary length, and because overflowing the
input buffer is almost invariably a security violation, programs

View File

@ -1,4 +1,4 @@
.\" $NetBSD: mktemp.3,v 1.10 1998/06/01 20:16:37 kleink Exp $
.\" $NetBSD: mktemp.3,v 1.11 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1989, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -139,7 +139,7 @@ A
.Fn mktemp
function appeared in
.At v7 .
.Sh BUGS
.Sh SECURITY CONSIDERATIONS
The use of
.Fn mktemp
should generally be avoided, as a hostile process can exploit a race

View File

@ -1,4 +1,4 @@
.\" $NetBSD: printf.3,v 1.8 1998/04/28 20:58:01 fair Exp $
.\" $NetBSD: printf.3,v 1.9 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -625,14 +625,16 @@ and
conversions, as well as other nonsensical combinations such as
.Cm %Ld ,
are not standard; such combinations should be avoided.
.Pp
.Sh SECURITY CONSIDERATIONS
Because
.Fn sprintf
and
.Fn vsprintf
assume an infinitely long string, callers must be careful not to
overflow the actual space; this is often impossible to assure.
For safety, programmers should use the
For safety, programmers should use
.Fn snprintf
interface instead.
or
.Fn vsnprintf
instead.
Unfortunately, this interface is not portable.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: tmpnam.3,v 1.7 1998/04/28 20:59:29 fair Exp $
.\" $NetBSD: tmpnam.3,v 1.8 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -196,7 +196,7 @@ compatibility only.
The
.Xr mkstemp 3
interface is strongly preferred.
.Pp
.Sh SECURITY CONSIDERATIONS
There are four important problems with these interfaces (as well as
with the historic
.Xr mktemp 3

View File

@ -1,4 +1,4 @@
.\" $NetBSD: ftpd.8,v 1.25 1998/06/08 07:13:13 lukem Exp $
.\" $NetBSD: ftpd.8,v 1.26 1998/06/08 12:41:42 lukem Exp $
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -581,9 +581,18 @@ The server must run as the super-user to create sockets with
privileged port numbers.
It maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to sockets.
The possible security holes have been extensively scrutinized, but
are possibly incomplete.
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
The
.Pa /etc/ftpd.conf
functionality was implemented in
.Nx 1.3
by Luke Mewburn, based on work by Simon Burge.
.Sh SECURITY CONSIDERATIONS
.Cm RFC-959
provides no restrictions on the PORT command, and this can lead
to security problems, as
@ -599,14 +608,3 @@ will be rejected.
Use of this option is
.Em strongly
recommended.
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
The
.Pa /etc/ftpd.conf
functionality was implemented in
.Nx 1.3
by Luke Mewburn, based on work by Simon Burge.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: rexecd.8,v 1.5 1998/04/29 08:33:12 fair Exp $
.\" $NetBSD: rexecd.8,v 1.6 1998/06/08 12:41:43 lukem Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -145,3 +145,9 @@ The
.Nm
command appeared in
.Bx 4.2 .
.Sh SECURITY CONSIDERATIONS
As the passwords exchanged by the client and
.Nm
are not encrypted, it is
.Em strongly
recommended that this service is not enabled.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: rpc.sprayd.8,v 1.5 1997/10/20 02:51:47 enami Exp $
.\" $NetBSD: rpc.sprayd.8,v 1.6 1998/06/08 12:41:43 lukem Exp $
.\"
.\" Copyright (c) 1994 Christos Zoulas
.\" All rights reserved.
@ -52,3 +52,11 @@ uses an RPC protocol defined in
.Pa /usr/include/rpcsvc/spray.x .
.Sh SEE ALSO
.Xr spray 8
.Sh SECURITY CONSIDERATIONS
As
.Nm
responds to packets generated by
.Xr spray 8 ,
remote users can cause a denial of network service against the local
host by saturating requests to
.Nm "" .

View File

@ -1,4 +1,4 @@
.\" $NetBSD: tftpd.8,v 1.6 1998/02/06 05:43:16 perry Exp $
.\" $NetBSD: tftpd.8,v 1.7 1998/06/08 12:41:43 lukem Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -103,9 +103,19 @@ relative filenames.
.Nm
will
.Xr chroot 2
on startup; therefore the remote host is not expected to pass the directory
as part of the file name to transfer. This option is intended primarily for
compatibility with SunOS boot ROMs which do not include a directory name.
on startup.
This is recommended for security reasons (so that files other than
those in the
.Pa /tftpboot
directory aren't accessable).
If the remote host passes the directory name as part of the
file name to transfer, you may have to create a symbolic link
from
.Sq tftpboot
to
.Sq \&.
under
.Pa /tftpboot .
.El
.Pp
.Sh SEE ALSO
@ -121,3 +131,25 @@ The
.Fl s
flag appeared in
.Nx 1.0 .
.Sh SECURITY CONSIDERATIONS
You are
.Em strongly
advised to setup
.Nm
using the
.Fl s
flag in conjunction with the name of the directory that
contains the files that
.Nm
will serve to remote hosts (e.g.,
.Pa /tftpboot ) .
This ensures that only the files that should be served
to remote hosts can be accessed by them.
.Pp
Because there is no user-login or validation within
the
.Tn TFTP
protocol, the remote site will probably have some
sort of file-access restrictions in place. The
exact methods are specific to each site and therefore
difficult to document here.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: fsirand.8,v 1.2 1997/09/14 14:58:53 lukem Exp $
.\" $NetBSD: fsirand.8,v 1.3 1998/06/08 12:41:43 lukem Exp $
.\"
.\" Copyright (c) 1997 Christos Zoulas
.\" All rights reserved.
@ -60,9 +60,9 @@ Print the current inode generation numbers; the filesystem is not modified.
.Pp
.Nm
exits zero on success, non-zero on failure.
.Sh BUGS
The current implementation does not use a good random number generator,
so the randomization can be predicted.
.Sh SEE ALSO
.Xr fsck_ffs 8 ,
.Xr newfs 8
.Sh SECURITY CONSIDERATIONS
The current implementation does not use a good random number generator,
so the randomization can be predicted.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: mdoc.7,v 1.8 1998/02/06 06:13:20 perry Exp $
.\" $NetBSD: mdoc.7,v 1.9 1998/06/08 12:41:43 lukem Exp $
.\"
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -121,6 +121,8 @@ If a standard is not applicable, the history
of the subject should be given.
.It Ar BUGS
Gotchas and caveats.
.It Ar SECURITY CONSIDERATIONS
Security issues to be aware of.
.It Ar other
Customized headers may be added at
the authors discretion.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: shar.1,v 1.5 1997/10/19 23:05:28 lukem Exp $
.\" $NetBSD: shar.1,v 1.6 1998/06/08 12:41:44 lukem Exp $
.\"
.\" Copyright (c) 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@ -67,19 +67,6 @@ or
.Nm
makes no provisions for special types of files or files containing
magic characters.
.Pp
It is easy to insert trojan horses into
.Nm
files.
It is strongly recommended that all shell archive files be examined
before running them through
.Xr sh 1 .
Archives produced using this implementation of
.Nm
may be easily examined with the command:
.Bd -literal -offset indent
egrep -v '^[X#]' shar.file
.Ed
.Sh EXAMPLES
To create a shell archive of the program
.Xr ls 1
@ -103,3 +90,16 @@ The
.Nm
command appears in
.Bx 4.4 .
.Sh SECURITY CONSIDERATIONS
It is easy to insert trojan horses into
.Nm
files.
It is strongly recommended that all shell archive files be examined
before running them through
.Xr sh 1 .
Archives produced using this implementation of
.Nm
may be easily examined with the command:
.Bd -literal -offset indent
egrep -v '^[X#]' shar.file
.Ed

View File

@ -1,4 +1,4 @@
.\" $NetBSD: tftp.1,v 1.7 1998/04/28 06:00:57 fair Exp $
.\" $NetBSD: tftp.1,v 1.8 1998/06/08 12:41:44 lukem Exp $
.\"
.\" Copyright (c) 1990, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
@ -159,8 +159,12 @@ Toggle packet tracing.
.It Cm verbose
Toggle verbose mode.
.El
.Sh BUGS
.Pp
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 .
.Sh SECURITY CONSIDERATIONS
Because there is no user-login or validation within
the
.Tn TFTP
@ -168,8 +172,3 @@ protocol, the remote site will probably have some
sort of file-access restrictions in place. The
exact methods are specific to each site and therefore
difficult to document here.
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 .

View File

@ -30,7 +30,7 @@
.\" SUCH DAMAGE.
.\"
.\" from: @(#)chroot.8 8.1 (Berkeley) 6/9/93
.\" $NetBSD: chroot.8,v 1.5 1997/10/18 04:06:28 lukem Exp $
.\" $NetBSD: chroot.8,v 1.6 1998/06/08 12:41:44 lukem Exp $
.\"
.Dd June 9, 1993
.Dt CHROOT 8
@ -74,12 +74,12 @@ is used.
.Xr chdir 2 ,
.Xr chroot 2 ,
.Xr environ 7
.Sh CAVEATS
.Nm
should never be installed setuid root, as it would then be possible
to exploit the program to gain root privileges.
.Sh HISTORY
The
.Nm
utility first appeared in
.Bx 4.4 .
.Sh SECURITY CONSIDERATIONS
.Nm
should never be installed setuid root, as it would then be possible
to exploit the program to gain root privileges.

View File

@ -1,4 +1,4 @@
.\" $NetBSD: inetd.8,v 1.15 1998/05/01 01:57:26 thorpej Exp $
.\" $NetBSD: inetd.8,v 1.16 1998/06/08 12:41:44 lukem Exp $
.\"
.\" Copyright (c) 1998 The NetBSD Foundation, Inc.
.\" All rights reserved.
@ -261,13 +261,13 @@ on a socket and eventually time out, the server is said to be
and should use a
.Dq wait
entry.
.Xr Comsat 8
.Xr comsat 8
.Pq Xr biff 1
and
.Xr talkd 8
are both examples of the latter type of
datagram server.
.Xr Tftpd 8
.Xr tftpd 8
is an exception; it is a datagram server that establishes pseudo-connections.
It must be listed as
.Dq wait
@ -391,3 +391,12 @@ based services is modeled after that
provided by SunOS 4.1.
Support for specifying the socket buffer sizes was added in
.Nx 1.4 .
.Sh SECURITY CONSIDERATIONS
Enabling the
.Dq echo ,
.Dq discard ,
and
.Dq chargen
built-in trivial services is not recommended because remote
users may abuse these to cause a denial of network service to
or from the local host.