Secure Programming for Linux and Unix HOWTO

David A. Wheeler, dwheeler@dwheeler.com

1. Introduction

2. Background

• 2.1 History of Unix, Linux, and Open Source Software
• 2.2 Security Principles
• 2.3 Types of Secure Programs
• 2.4 Paranoia is a Virtue
• 2.5 Why Did I Write This Document?
• 2.6 Sources of Design and Implementation Guidelines
• 2.7 Document Conventions

3. Summary of Linux and Unix Security Features

• 3.1 Processes
• 3.2 Files
• 3.3 System V IPC
• 3.4 Sockets and Network Connections
• 3.5 Signals
• 3.6 Quotas and Limits
• 3.7 Dynamically Linked Libraries
• 3.8 Audit
• 3.9 PAM

4. Validate All Input

• 4.1 Command line
• 4.2 Environment Variables
• 4.3 File Descriptors
• 4.4 File Contents
• 4.5 CGI Inputs
• 4.6 Other Inputs
• 4.7 Character Encoding
• 4.8 Limit Valid Input Time and Load Level

5. Avoid Buffer Overflow

• 5.1 Dangers in C/C++
• 5.2 Library Solutions in C/C++
• 5.3 Compilation Solutions in C/C++
• 5.4 Other Languages

6. Structure Program Internals and Approach

• 6.1 Secure the Interface
• 6.2 Minimize Privileges
• 6.3 Configure Safely and Use Safe Defaults
• 6.4 Fail Safe
• 6.5 Avoid Race Conditions
• 6.6 Trust Only Trustworthy Channels
• 6.7 Use Internal Consistency-Checking Code
• 6.8 Self-limit Resources

7. Carefully Call Out to Other Resources

• 7.1 Limit Call-outs to Valid Values
• 7.2 Check All System Call Returns

8. Send Information Back Judiciously

• 8.1 Minimize Feedback
• 8.2 Handle Full/Unresponsive Output

9. Special Topics

• 9.1 Locking
• 9.2 Passwords
• 9.3 Random Numbers
• 9.4 Cryptographic Algorithms and Protocols
• 9.5 Java
• 9.6 PAM
• 9.7 Miscellaneous

10. Conclusion

11. References

12. Credits

13. Document License