Secure Programming for Linux HOWTO

David A. Wheeler, dwheeler@dwheeler.com

1. Introduction

2. Background

• 2.1 Linux and Open Source Software
• 2.2 Security Principles
• 2.3 Types of Secure Programs
• 2.4 Paranoia is a Virtue
• 2.5 Sources of Design and Implementation Guidelines
• 2.6 Document Conventions

3. Summary of Linux Security Features

• 3.1 Processes
• 3.2 Filesystem
• 3.3 System V IPC
• 3.4 Sockets and Network Connections
• 3.5 Quotas and Limits
• 3.6 Audit
• 3.7 PAM

4. Validate All Input

• 4.1 Command line
• 4.2 Environment Variables
• 4.3 File Descriptors
• 4.4 File Contents
• 4.5 CGI Inputs
• 4.6 Other Inputs
• 4.7 Limit Valid Input Time and Load Level

5. Avoid Buffer Overflow

• 5.1 Dangers in C/C++
• 5.2 Library Solutions in C/C++
• 5.3 Compilation Solutions in C/C++
• 5.4 Other Languages

6. Structure Program Internals and Approach

• 6.1 Secure the Interface
• 6.2 Minimize Permissions
• 6.3 Use Safe Defaults
• 6.4 Fail Open
• 6.5 Avoid Race Conditions
• 6.6 Trust Only Trustworthy Channels
• 6.7 Use Internal Consistency-Checking Code
• 6.8 Self-limit Resources

7. Carefully Call Out to Other Resources

• 7.1 Limit Call-outs to Valid Values
• 7.2 Check All System Call Returns

8. Send Information Back Judiciously

• 8.1 Minimize Feedback
• 8.2 Handle Full/Unresponsive Output

9. Special Topics

• 9.1 Locking
• 9.2 Passwords
• 9.3 Random Numbers
• 9.4 Cryptographic Algorithms and Protocols
• 9.5 Java
• 9.6 PAM
• 9.7 Miscellaneous

10. Conclusions

11. References

12. Document License