summaryrefslogtreecommitdiffstats
path: root/share
diff options
context:
space:
mode:
Diffstat (limited to 'share')
-rw-r--r--share/man/man7/sdoc.7183
-rw-r--r--share/man/man7/sec-doc.7183
2 files changed, 208 insertions, 158 deletions
diff --git a/share/man/man7/sdoc.7 b/share/man/man7/sdoc.7
index e3b6e4d..e4e805e 100644
--- a/share/man/man7/sdoc.7
+++ b/share/man/man7/sdoc.7
@@ -32,8 +32,9 @@
.Nm sec-doc
.Nd guide to adding security considerations sections to manual pages
.Sh DESCRIPTION
-This document presents guidelines for adding security considerations
-sections to manual pages. It provides two typical examples.
+This document presents guidelines for
+adding security considerations sections to manual pages.
+It provides two typical examples.
.Pp
The guidelines for writing
.Fx
@@ -41,23 +42,26 @@ manual pages in
.Xr groff_mdoc 7
mandate that each manual page describing a feature of the
.Fx
-system should contain a security considerations section describing
-what security requirements can be broken through the misuse of that
-feature. When writing these sections, authors should attempt to
-achieve a happy medium between two conflicting goals: brevity and
-completeness. On one hand, security consideration sections must not
-be too verbose, or busy readers might be dissuaded from reading them.
-On the other hand, security consideration sections must not be
-incomplete, or they will fail in their purpose of instructing the
-reader on how to avoid all insecure uses. This document provides
-guidelines for balancing brevity and completeness in the security
-consideration section for a given feature of the
+system should contain a security considerations section
+describing what security requirements can be broken
+through the misuse of that feature.
+When writing these sections, authors should attempt to
+achieve a happy medium between two conflicting goals:
+brevity and completeness.
+On one hand, security consideration sections must not be too verbose,
+or busy readers might be dissuaded from reading them.
+On the other hand, security consideration sections must not be incomplete,
+or they will fail in their purpose of
+instructing the reader on how to avoid all insecure uses.
+This document provides guidelines for balancing brevity and completeness
+in the security consideration section for a given feature of the
.Fx
system.
.Sh WHERE TO START
Begin by listing
-those general security requirements that can be violated through the
-misuse of the feature. As described in
+those general security requirements that can be violated
+through the misuse of the feature.
+As described in
the FreeBSD Security Architecture (FSA),
there are four classes of security requirements:
.Bl -hang -offset indent
@@ -75,63 +79,78 @@ no less.)
.El
.Pp
The FSA
-contains a list of integrity, confidentiality, availability, and
-correctness requirements for the base
+contains a list of integrity, confidentiality, availability,
+and correctness requirements for the base
.Fx
-system. Many commands, tools, and utilities documented in sections 1,
-6, and 8 of the manual are partly responsible for meeting these base
-system requirements. Consequently, borrowing entries from the list in
+system.
+Many commands, tools, and utilities
+documented in sections 1, 6, and 8 of the manual
+are partly responsible for meeting these base system requirements.
+Consequently, borrowing entries from the list in
the FSA
is a good way to begin the list of requirements for these commands,
tools, and utilities.
.Pp
Complex servers and subsystems may have their own integrity,
-confidentiality, availability and correctness requirements in addition
-to the system-wide ones listed in
+confidentiality, availability and correctness requirements
+in addition to the system-wide ones listed in
the FSA.
-Listing these additional requirements will require some thought and
-analysis. Correctness requirements will most often deal with
-configuration issues, especially in cases of programs that can load
-modules containing arbitrary functionality during run-time.
+Listing these additional requirements will require
+some thought and analysis.
+Correctness requirements will most often
+deal with configuration issues,
+especially in cases of programs that can load modules
+containing arbitrary functionality during run-time.
.Pp
-For low-level features, such as the individual functions documented in
-sections 2, 3, and 9 of the manual, it is generally sufficient to
-proceed with only a single correctness requirement: simply that the
-function behaves as advertised.
+For low-level features, such as the individual functions
+documented in sections 2, 3, and 9 of the manual,
+it is generally sufficient to proceed with
+only a single correctness requirement:
+simply that the function behaves as advertised.
.Pp
-A good security considerations section should explain how the feature
-can be misused to violate each general security requirement in the
-list. Each explanation should be accompanied by instructions the
-reader should follow in order to avoid a violation. For the sake
-of brevity, assume the reader is familiar with all of the concepts in
+A good security considerations section
+should explain how the feature can be misused
+to violate each general security requirement in the list.
+Each explanation should be accompanied by instructions
+the reader should follow in order to avoid a violation.
+For the sake of brevity, assume the reader is familiar with
+all of the concepts in
the FSA.
-When referencing potential vulnerabilities described in the
-Secure Programming Practices man page,
+When referencing potential vulnerabilities
+described in the Secure Programming Practices man page,
.Xr sprog 7 ,
-likewise cross-reference that document rather than replicating
-information.
-Whenever possible, refer to this document rather than reproducing the
-material it contains.
+likewise cross-reference that document
+rather than replicating information.
+Whenever possible, refer to this document
+rather than reproducing the material it contains.
.Sh WHERE TO STOP
-Security problems are often interrelated; individual problems often
-have far-reaching implications. For example, the correctness of
-virtually any dynamically-linked program is dependent on the correct
-implementation and configuration of the run-time linker. The
-correctness of this program, in turn, depends on the correctness of
-its libraries, the compiler used to build it, the correctness of the
-preceding compiler that was used to build that compiler, and so on,
-as described by Thompson (see SEE ALSO, below).
+Security problems are often interrelated;
+individual problems often have far-reaching implications.
+For example, the correctness of virtually any dynamically-linked program
+is dependent on the correct implementation and configuration
+of the run-time linker.
+The correctness of this program, in turn,
+depends on the correctness of its libraries,
+the compiler used to build it,
+the correctness of the preceding compiler that was used to build that compiler,
+and so on,
+as described by Thompson (see
+.Sx SEE ALSO ,
+below).
.Pp
-Due to the need for brevity, security consideration sections should
-describe only those issues directly related to the feature that is the
-subject of the manual page. Refer to other manual pages rather than
-duplicating the material found there. Refer to generalized
-descriptions of problems in
+Due to the need for brevity, security consideration sections
+should describe only those issues directly related to the feature
+that is the subject of the manual page.
+Refer to other manual pages
+rather than duplicating the material found there.
+Refer to generalized descriptions of problems in
the FSA
-rather than referring to specific instances of those problems in other
-manual pages. Ideally, each specific security-relevant issue should be
-described in exactly one manual page, preferably as a specific instance of
-a general problem described in
+rather than referring to specific instances of those problems
+in other manual pages.
+Ideally, each specific security-relevant issue
+should be described in exactly one manual page,
+preferably as a specific instance of a general problem
+described in
the FSA.
.Sh EXAMPLES
Security considerations sections for most individual functions can follow
@@ -157,8 +176,9 @@ manual page:
The
.Fn strcpy
function is easily misused in a manner which enables malicious users
-to arbitrarily change a running program's functionality through a
-buffer overflow attack. (See
+to arbitrarily change a running program's functionality
+through a buffer overflow attack.
+(See
the FSA.)
.Pp
Avoid using
@@ -174,11 +194,12 @@ will not terminate the destination string if it is truncated.
.Pp
Note that
.Fn strncpy
-can also be problematic. It may be a security concern for a string to be
-truncated at all.
-Since the truncated string will not be as long as the original, it may
-refer to a completely different resource and usage of the truncated
-resource could result in very incorrect behavior.
+can also be problematic.
+It may be a security concern for a string to be truncated at all.
+Since the truncated string will not be as long as the original,
+it may refer to a completely different resource
+and usage of the truncated resource
+could result in very incorrect behavior.
Example:
.Pp
.Bd -literal
@@ -211,30 +232,34 @@ foo(const char *arbitrary_string)
}
.Ed
.Pp
-Security considerations sections for tools and commands are apt to be
-less formulaic. Let your list of potentially-violated security
-requirements be your guide; explain each one and list a solution in as
-concise a manner as possible.
+Security considerations sections for tools and commands
+are apt to be less formulaic.
+Let your list of potentially-violated security requirements
+be your guide;
+explain each one and list a solution in as concise a manner as possible.
.Pp
This is an example security considerations section for the
.Xr rtld 1
manual page:
.Pp
Using the LD_LIBRARY_PATH and LD_PRELOAD environment variables,
-malicious users can cause the dynamic linker to link shared libraries
-of their own devising into the address space of processes running
-non-set-user-ID/group-ID programs. These shared libraries can
-arbitrarily change the functionality of the program by replacing calls
-to standard library functions with calls to their own. Although this
-feature is disabled for set-user-ID and set-group-ID programs, it can
-still be used to create Trojan horses in other programs. (See
+malicious users can cause the dynamic linker
+to link shared libraries of their own devising
+into the address space of processes running non-set-user-ID/group-ID programs.
+These shared libraries can arbitrarily change the functionality
+of the program by replacing calls to standard library functions
+with calls to their own.
+Although this feature is disabled for set-user-ID and set-group-ID programs,
+it can still be used to create Trojan horses in other programs.
+(See
the FSA.)
.Pp
All users should be aware that the correct operation of non
set-user-ID/group-ID dynamically-linked programs depends on the proper
-configuration of these environment variables, and take care to avoid
-actions that might set them to values which would cause the run-time
-linker to link in shared libraries of unknown pedigree.
+configuration of these environment variables,
+and take care to avoid actions that might set them to values
+which would cause the run-time linker
+to link in shared libraries of unknown pedigree.
.Sh SEE ALSO
.Xr groff_mdoc 7 ,
.Xr security 7 ,
diff --git a/share/man/man7/sec-doc.7 b/share/man/man7/sec-doc.7
index e3b6e4d..e4e805e 100644
--- a/share/man/man7/sec-doc.7
+++ b/share/man/man7/sec-doc.7
@@ -32,8 +32,9 @@
.Nm sec-doc
.Nd guide to adding security considerations sections to manual pages
.Sh DESCRIPTION
-This document presents guidelines for adding security considerations
-sections to manual pages. It provides two typical examples.
+This document presents guidelines for
+adding security considerations sections to manual pages.
+It provides two typical examples.
.Pp
The guidelines for writing
.Fx
@@ -41,23 +42,26 @@ manual pages in
.Xr groff_mdoc 7
mandate that each manual page describing a feature of the
.Fx
-system should contain a security considerations section describing
-what security requirements can be broken through the misuse of that
-feature. When writing these sections, authors should attempt to
-achieve a happy medium between two conflicting goals: brevity and
-completeness. On one hand, security consideration sections must not
-be too verbose, or busy readers might be dissuaded from reading them.
-On the other hand, security consideration sections must not be
-incomplete, or they will fail in their purpose of instructing the
-reader on how to avoid all insecure uses. This document provides
-guidelines for balancing brevity and completeness in the security
-consideration section for a given feature of the
+system should contain a security considerations section
+describing what security requirements can be broken
+through the misuse of that feature.
+When writing these sections, authors should attempt to
+achieve a happy medium between two conflicting goals:
+brevity and completeness.
+On one hand, security consideration sections must not be too verbose,
+or busy readers might be dissuaded from reading them.
+On the other hand, security consideration sections must not be incomplete,
+or they will fail in their purpose of
+instructing the reader on how to avoid all insecure uses.
+This document provides guidelines for balancing brevity and completeness
+in the security consideration section for a given feature of the
.Fx
system.
.Sh WHERE TO START
Begin by listing
-those general security requirements that can be violated through the
-misuse of the feature. As described in
+those general security requirements that can be violated
+through the misuse of the feature.
+As described in
the FreeBSD Security Architecture (FSA),
there are four classes of security requirements:
.Bl -hang -offset indent
@@ -75,63 +79,78 @@ no less.)
.El
.Pp
The FSA
-contains a list of integrity, confidentiality, availability, and
-correctness requirements for the base
+contains a list of integrity, confidentiality, availability,
+and correctness requirements for the base
.Fx
-system. Many commands, tools, and utilities documented in sections 1,
-6, and 8 of the manual are partly responsible for meeting these base
-system requirements. Consequently, borrowing entries from the list in
+system.
+Many commands, tools, and utilities
+documented in sections 1, 6, and 8 of the manual
+are partly responsible for meeting these base system requirements.
+Consequently, borrowing entries from the list in
the FSA
is a good way to begin the list of requirements for these commands,
tools, and utilities.
.Pp
Complex servers and subsystems may have their own integrity,
-confidentiality, availability and correctness requirements in addition
-to the system-wide ones listed in
+confidentiality, availability and correctness requirements
+in addition to the system-wide ones listed in
the FSA.
-Listing these additional requirements will require some thought and
-analysis. Correctness requirements will most often deal with
-configuration issues, especially in cases of programs that can load
-modules containing arbitrary functionality during run-time.
+Listing these additional requirements will require
+some thought and analysis.
+Correctness requirements will most often
+deal with configuration issues,
+especially in cases of programs that can load modules
+containing arbitrary functionality during run-time.
.Pp
-For low-level features, such as the individual functions documented in
-sections 2, 3, and 9 of the manual, it is generally sufficient to
-proceed with only a single correctness requirement: simply that the
-function behaves as advertised.
+For low-level features, such as the individual functions
+documented in sections 2, 3, and 9 of the manual,
+it is generally sufficient to proceed with
+only a single correctness requirement:
+simply that the function behaves as advertised.
.Pp
-A good security considerations section should explain how the feature
-can be misused to violate each general security requirement in the
-list. Each explanation should be accompanied by instructions the
-reader should follow in order to avoid a violation. For the sake
-of brevity, assume the reader is familiar with all of the concepts in
+A good security considerations section
+should explain how the feature can be misused
+to violate each general security requirement in the list.
+Each explanation should be accompanied by instructions
+the reader should follow in order to avoid a violation.
+For the sake of brevity, assume the reader is familiar with
+all of the concepts in
the FSA.
-When referencing potential vulnerabilities described in the
-Secure Programming Practices man page,
+When referencing potential vulnerabilities
+described in the Secure Programming Practices man page,
.Xr sprog 7 ,
-likewise cross-reference that document rather than replicating
-information.
-Whenever possible, refer to this document rather than reproducing the
-material it contains.
+likewise cross-reference that document
+rather than replicating information.
+Whenever possible, refer to this document
+rather than reproducing the material it contains.
.Sh WHERE TO STOP
-Security problems are often interrelated; individual problems often
-have far-reaching implications. For example, the correctness of
-virtually any dynamically-linked program is dependent on the correct
-implementation and configuration of the run-time linker. The
-correctness of this program, in turn, depends on the correctness of
-its libraries, the compiler used to build it, the correctness of the
-preceding compiler that was used to build that compiler, and so on,
-as described by Thompson (see SEE ALSO, below).
+Security problems are often interrelated;
+individual problems often have far-reaching implications.
+For example, the correctness of virtually any dynamically-linked program
+is dependent on the correct implementation and configuration
+of the run-time linker.
+The correctness of this program, in turn,
+depends on the correctness of its libraries,
+the compiler used to build it,
+the correctness of the preceding compiler that was used to build that compiler,
+and so on,
+as described by Thompson (see
+.Sx SEE ALSO ,
+below).
.Pp
-Due to the need for brevity, security consideration sections should
-describe only those issues directly related to the feature that is the
-subject of the manual page. Refer to other manual pages rather than
-duplicating the material found there. Refer to generalized
-descriptions of problems in
+Due to the need for brevity, security consideration sections
+should describe only those issues directly related to the feature
+that is the subject of the manual page.
+Refer to other manual pages
+rather than duplicating the material found there.
+Refer to generalized descriptions of problems in
the FSA
-rather than referring to specific instances of those problems in other
-manual pages. Ideally, each specific security-relevant issue should be
-described in exactly one manual page, preferably as a specific instance of
-a general problem described in
+rather than referring to specific instances of those problems
+in other manual pages.
+Ideally, each specific security-relevant issue
+should be described in exactly one manual page,
+preferably as a specific instance of a general problem
+described in
the FSA.
.Sh EXAMPLES
Security considerations sections for most individual functions can follow
@@ -157,8 +176,9 @@ manual page:
The
.Fn strcpy
function is easily misused in a manner which enables malicious users
-to arbitrarily change a running program's functionality through a
-buffer overflow attack. (See
+to arbitrarily change a running program's functionality
+through a buffer overflow attack.
+(See
the FSA.)
.Pp
Avoid using
@@ -174,11 +194,12 @@ will not terminate the destination string if it is truncated.
.Pp
Note that
.Fn strncpy
-can also be problematic. It may be a security concern for a string to be
-truncated at all.
-Since the truncated string will not be as long as the original, it may
-refer to a completely different resource and usage of the truncated
-resource could result in very incorrect behavior.
+can also be problematic.
+It may be a security concern for a string to be truncated at all.
+Since the truncated string will not be as long as the original,
+it may refer to a completely different resource
+and usage of the truncated resource
+could result in very incorrect behavior.
Example:
.Pp
.Bd -literal
@@ -211,30 +232,34 @@ foo(const char *arbitrary_string)
}
.Ed
.Pp
-Security considerations sections for tools and commands are apt to be
-less formulaic. Let your list of potentially-violated security
-requirements be your guide; explain each one and list a solution in as
-concise a manner as possible.
+Security considerations sections for tools and commands
+are apt to be less formulaic.
+Let your list of potentially-violated security requirements
+be your guide;
+explain each one and list a solution in as concise a manner as possible.
.Pp
This is an example security considerations section for the
.Xr rtld 1
manual page:
.Pp
Using the LD_LIBRARY_PATH and LD_PRELOAD environment variables,
-malicious users can cause the dynamic linker to link shared libraries
-of their own devising into the address space of processes running
-non-set-user-ID/group-ID programs. These shared libraries can
-arbitrarily change the functionality of the program by replacing calls
-to standard library functions with calls to their own. Although this
-feature is disabled for set-user-ID and set-group-ID programs, it can
-still be used to create Trojan horses in other programs. (See
+malicious users can cause the dynamic linker
+to link shared libraries of their own devising
+into the address space of processes running non-set-user-ID/group-ID programs.
+These shared libraries can arbitrarily change the functionality
+of the program by replacing calls to standard library functions
+with calls to their own.
+Although this feature is disabled for set-user-ID and set-group-ID programs,
+it can still be used to create Trojan horses in other programs.
+(See
the FSA.)
.Pp
All users should be aware that the correct operation of non
set-user-ID/group-ID dynamically-linked programs depends on the proper
-configuration of these environment variables, and take care to avoid
-actions that might set them to values which would cause the run-time
-linker to link in shared libraries of unknown pedigree.
+configuration of these environment variables,
+and take care to avoid actions that might set them to values
+which would cause the run-time linker
+to link in shared libraries of unknown pedigree.
.Sh SEE ALSO
.Xr groff_mdoc 7 ,
.Xr security 7 ,
OpenPOWER on IntegriCloud