| version 1.9, 1998/08/12 22:13:02 |
version 1.10, 1998/08/13 23:11:18 |
|
|
| <li>OpenBSD does NOT compress man pages. |
<li>OpenBSD does NOT compress man pages. |
| <li>OpenBSD does NOT require <code>-lcrypt</code>.<br> |
<li>OpenBSD does NOT require <code>-lcrypt</code>.<br> |
| DES encryption is part of the standard <code>libc</code>. |
DES encryption is part of the standard <code>libc</code>. |
| <li>OpenBSD requests all <code>mktemp</code> warnings to be fixed. |
<li>OpenBSD is strongly security-oriented. You should read and understand |
| This is not as simple as <code>s/mktemp/mkstemp/g</code>. If |
this page's <a href="#security">security section</a>. |
| |
<li>Be sure to add the <code>$</code><code>OpenBSD$</code> CVS tag to |
| |
the Makefile. If importing a port from another system be sure to |
| |
leave their tag in the Makefile, too. However, replace the FreeBSD |
| |
<code>$</code><code>Id$</code> tag with the |
| |
<code>$</code><code>FreeBSD$</code> tag. |
| |
<li>The goal is to get all ported applications to support OpenBSD. To |
| |
achieve this goal you <strong>must</strong> feed any OpenBSD patches |
| |
back to the application maintainer. |
| |
</ul> |
| |
<a name=security> |
| |
<h3><font color=#0000e0>Security recommendations</font></h3> |
| |
There are many security problems to worry about. If |
| you are not absolutely sure of what you are doing please request |
you are not absolutely sure of what you are doing please request |
| help from the <a href="mailto:ports@openbsd.org">ports</a> mailing |
help from the <a href="mailto:ports@openbsd.org">ports</a> mailing |
| list. |
list. |
| |
|
| |
<ul> |
| |
<li>Do <emph>not</emph> use alpha or beta code when preparing a port. Use the |
| |
latest regular or patch release. |
| |
|
| <li>Any software to be installed as a server should be scanned |
<li>Any software to be installed as a server should be scanned |
| for buffer overflows, especially unsafe use of |
for buffer overflows, especially unsafe use of |
| <code>strcat/strcpy/strcmp/sprintf</code>. In general, |
<code>strcat/strcpy/strcmp/sprintf</code>. In general, |
| <code>sprintf</code> should be replaced with <code>snprintf</code>. |
<code>sprintf</code> should be replaced with <code>snprintf</code>. |
| <li>Be sure to add the <code>$</code><code>OpenBSD$</code> CVS tag to |
|
| the Makefile. If importing a port from another system be sure to |
<li>Never use filenames when you need security. There are numerous race |
| leave their tag in the Makefile, too. However, replace the FreeBSD |
conditions where you don't have proper control. For instance, an attacker |
| <code>$</code><code>Id$</code> tag with the |
who already has user privileges on your machines may replace files in |
| <code>$</code><code>FreeBSD$</code> tag. |
<code>/tmp</code> with symbolic links to more strategic files, such as |
| <li>Do NOT use alpha or beta code when preparing a port. Use the |
<code>/etc/passwd</code>. For instance, the bsd linker warns about |
| latest regular or patch release. |
<code>mktemp</code> uses. <strong>These must be fixed</strong>. |
| <li>The goal is to get all ported applications to support OpenBSD. To |
This is not quite as simple as <code>s/mktemp/mkstemp/g</code>. |
| achieve this goal you MUST feed any OpenBSD patches back to the |
|
| application maintainer. |
<li>Just because you can read it doesn't mean you should. A well-known hole |
| |
of this nature was the <code>startx</code> problem. As a setuid program, |
| |
you could launch startx with any file as a script. If the file was not |
| |
a valid shell script, a syntax error message would follow, along with the |
| |
first line of the offending file, without any further permission check. |
| |
Pretty handy to grab the first line of a shadow passwd file, considering |
| |
these often start with root entry. Once again, don't trust filenames: |
| |
open your file, and do an <code>fstat</code> on the open descriptor to |
| |
check the actual rights. |
| |
|
| |
<li>Don't use anything that forks a shell in setuid programs before dropping |
| |
your privileges. This includes <code>popen</code> and <code>system</code>. |
| |
Use <code>fork</code>, <code>pipe</code> and <code>execve</code> instead. |
| |
|
| |
<li>Pass open descriptors instead of filenames to other programs to avoid race |
| |
conditions. Even if a program does not accept file descriptors, you can |
| |
still use <code>/dev/fd/0</code>. |
| |
|
| |
<li>Access rights are attached to file descriptors. If you need setuid rights |
| |
to open a file, open that file, then drop your privileges. You can still |
| |
access the open descriptor, but you have less to worry about. This is |
| |
double-edged: even after dropping privileges, you should still watch out |
| |
for those descriptors. |
| |
|
| |
<li>Avoid root setuid as much as you can. Basically, root can do anything, |
| |
but root rights are very rarely needed, except maybe to create socket ports with |
| |
a number under 1024. It is arguably better to keep that under <code>inetd</code> |
| |
control and just add the relevant entries to <code>inetd.conf</code>. |
| |
You must know the appropriate magic for writing daemons to achieve that. |
| |
It could be argued that you have no business writing setuid programs if you don't |
| |
know how to do that. |
| |
|
| |
<li>Use setgid instead of setuid. Apart from those specific files needed by setgid |
| |
programs, most files are not group-writable. Hence, a security problem in a setgid |
| |
program won't compromise your system as much: with only group rights, the worst |
| |
an intruder will be able to do is hack a games score table or some such. |
| |
See the <code>xkobo</code> port for an instance of such a change. |
| |
|
| |
<li>Don't trust group-writable files. Even though they are audited, setgid programs |
| |
are not perceived as important potential security holes. Hence stuff they can tamper |
| |
with shouldn't be considered sensitive information. |
| |
|
| |
<li>Don't trust your environment ! This involves simple things such as your <code>PATH</code> |
| |
(never use <code>system</code> with an unqualified name), but also more subtle items |
| |
such as your locale, timezone, termcap, and so on. Be aware of transitivity: even though you're |
| |
taking full precautions, programs you call directly won't necessarily. <strong>Never</strong> |
| |
use <code>system</code> in privileged programs, build your command line, a controlled environment, |
| |
and call <code>execvp</code> directly. The <code>perlsec</code> man page is a good tutorial on |
| |
such problems. |
| |
|
| |
<li>Never used setuid shell-scripts. These are inherently insecure. Wrap them into some C code |
| |
that ensures a proper environment. On the other hand, OpenBSD features secure perl scripts. |
| |
|
| |
<li>Beware the dynamic loader. If you are running setuid, it will only use trusted libraries |
| |
that were scanned with ldconfig. Setgid is not enough. |
| |
|
| |
<li>Dynamic libraries are tricky. C++ code sets a similar problem. Basically, libraries may take |
| |
some action based upon your environment before your main program even gets to check its setuid |
| |
status. OpenBSD <code>issetugid</code> addresses this problem, from the library writer point |
| |
of view. Don't try to port libraries unless you understand this issue thoroughly. |
| </ul> |
</ul> |
| |
<h3><font color=#0000e0>Generic porting hints</font></h3> |
| |
<ul> |
| |
<li><code>__OpenBSD__</code> should be used sparingly, if at all. |
| |
Constructs that look like |
| |
<pre> |
| |
#if defined(__NetBSD__) || defined(__FreeBSD__) |
| |
</pre> |
| |
are often inappropriate. Don't add blindly <code>__OpenBSD__</code> |
| |
to it. Instead, try to figure out what's going on, and what actual |
| |
feature is needed. Manual pages are often useful, as they include |
| |
historic comments, stating when a particular feature was incorporated |
| |
into BSD. Checking the numeric value of <code>BSD</code> against known |
| |
releases is often the right way. See |
| |
<a href="http://www.netbsd.org/Documentation/netbsd/Packages.txt">the NetBSD package guide</a> |
| |
for more information. |
| |
<li>Defining <code>BSD</code> is a bad idea. Try to include <code>sys/param.h</code>. |
| |
This not only defines <code>BSD</code>, it also gives it a proper value. |
| |
The right code fragment should look like: |
| |
<pre> |
| |
#if (defined(__unix__) || defined(unix)) && !defined(USG) |
| |
#include <sys/param.h> |
| |
#endif |
| |
</pre> |
| |
<li>Test for features, not for specific OSes. In the long run, it is much |
| |
better to test whether <code>tcgetattr</code> works than whether you're running |
| |
under BSD 4.3 or later, or SystemVR4. These kind of tests just confuse the |
| |
issue. The way to go about it is, for instance, to test for one particular |
| |
system, set up a slew of <code>HAVE_TCGETATTR</code> defines, then proceed to |
| |
the next system. This technique separates features tests from specific OSes. |
| |
In a hurry, another porter can just add the whole set of <code>-DHAVE_XXX</code> |
| |
defines to the Makefile. One may also write or add to a configure script to check for |
| |
that feature and add it automatically. As an example not to follow, check nethack 3.2.2 |
| |
source: it assumes loads of things based on the system type. Most of these assumptions |
| |
are obsolete and no longer reflect reality: POSIX functions are more useful than older |
| |
BSD versus SystemV differences, to the point that some traditional bsd functions are |
| |
now only supported through compatibility libraries. |
| |
|
| |
<li>Avoid include files that include other includes that... First, because |
| |
this is inefficient. Your project will end up including a file that includes |
| |
everything. Also, because it makes some problems difficult to correct. It |
| |
becomes harder to <em>not</em> include one particular file at a given point. |
| |
|
| |
<li>Avoid bizarre macro tricks. Undefining a macro that was defined by a |
| |
header file is a bad idea. Defining macros to get some specific behavior |
| |
from an include file is also a bad idea: compilation modes should be global. |
| |
If you want POSIX behavior, say so, and <code>#define POSIX_C_SOURCE</code> |
| |
throughout the whole project, not when you feel like it. |
| |
|
| |
<li>Don't ever write system function prototypes. All modern systems, |
| |
OpenBSD included, have a standard location for these prototypes. Likely |
| |
places include <code>unistd.h</code>, <code>fcntl.h</code> or <code>termios.h</code>. |
| |
The man page frequently states where the prototype lies. You might need |
| |
another slew of <code>HAVE_XXX</code> macros to procure the right file. |
| |
Don't worry about including the same file twice, include files have guards |
| |
that prevent all kinds of nastiness.<br> |
| |
If some broken system needs you to write the prototype, don't impose |
| |
on all other systems. Roll-your-own prototypes will break because they may |
| |
use types that are equivalent on your system, but are not portable to other |
| |
systems (<code>unsigned long</code> instead of <code>size_t</code>), or get some |
| |
<code>const</code> status wrong. Also, some compilers, such as OpenBSD's own gcc, |
| |
are able to do a better job with some very frequent functions such as |
| |
<code>strlen</code> if you include the right header file. |
| |
|
| |
<li>Don't use the name of a standard system function for anything else. |
| |
If you want to write your own function, give it its own name, and call that |
| |
function everywhere. If you wish to revert to the default system function, |
| |
you just need to comment your code out, and define your own name to the |
| |
system function. Don't do it the other way round. Code should look like this |
| |
<pre> |
| |
/* prototype part */ |
| |
#ifdef USE_OWN_GCVT |
| |
char *foo_gcvt(double number, size_t ndigit, char *buf); |
| |
#else |
| |
/* include correct file */ |
| |
#include <stdlib.h> |
| |
/* use system function */ |
| |
#define foo_gcvt gcvt |
| |
#endif |
| |
|
| |
/* definition part */ |
| |
#ifdef USE_OWN_GCVT |
| |
char *foo_gcvt(double number, size_t ndigit, char *buf) |
| |
{ |
| |
/* proper definition */ |
| |
} |
| |
|
| |
/* typical use */ |
| |
s = foo_gcvt(n, 15, b); |
| |
</pre> |
| |
</ul> |
| <h3><font color=#0000e0>Other Helpful Hints</font></h3> |
<h3><font color=#0000e0>Other Helpful Hints</font></h3> |
| <ul> |
<ul> |
| <li>Do not assume <code>/usr/local/bin</code> or |
<li>Do not assume <code>/usr/local/bin</code> or |
|
|
| <code>ncurses.h ==> curses.h</code><br> |
<code>ncurses.h ==> curses.h</code><br> |
| <code>-lncurses ==> -lcurses</code><br> |
<code>-lncurses ==> -lcurses</code><br> |
| ``Old curses'' is available as <code>ocurses.h/libocurses</code>. |
``Old curses'' is available as <code>ocurses.h/libocurses</code>. |
| |
<li>In OpenBSD, terminal discipline has been upgraded from the older <code>sgtty</code> |
| |
standard BSD <code>fcntl</code> to the newer POSIX <code>tcgetattr</code> family. |
| |
Avoid the older style in new code. Some code may define <code>tcgetattr</code> |
| |
to be a synonym for the older <code>fcntl</code>, but this is at best a stopgap |
| |
measure on OpenBSD. The <code>xterm</code> source code is a very good example of |
| |
what not to do. |
| |
Try to get your system functionality right: you want a type that remembers |
| |
the state of your terminal (possible typedef), you want a function that |
| |
extracts the current state, and a function that sets the new state. |
| |
Functions that modify this state are more difficult, as they tend to vary |
| |
depending upon the system. Also, don't forget that you will have to handle |
| |
cases where you are not connected to the terminal, and that you need to |
| |
handle signals: not only termination, but also getting put in the background |
| |
you should leave your terminal in a sane state. Do your tests under an |
| |
older shell, such as sh, which does not reset the terminal in any way at |
| |
program's termination. |
| |
<li>The newer termcap and curses, as included with OpenBSD, include standard sequences |
| |
for controlling color terminals. You should use these if possible, reverting |
| |
to standard ANSI color sequences on other systems. However, some terminal descriptions |
| |
have not been updated yet, and you may need to be able to specify these sequences manually. |
| |
This is the way vim5.1 handles it. This is not strictly necessary. Except for privileged |
| |
programs, it is generally possible to override a termcap definition through the |
| |
<code>TERMCAP</code> variable and get it to work properly. |
| |
<li>Signal semantics are tricky, and vary from one system to another. Use <code>sigaction</code> |
| |
to ensure a specific semantics, along with other system calls referenced in its manpage. |
| </ul> |
</ul> |
| <hr> |
<hr> |
| <a href="index.html"><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a> |
<a href="index.html"><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a> |
![[BACK]](/icons/back.gif){kind=icon}
Return to porting.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www