597 lines
18 KiB
Text
597 lines
18 KiB
Text
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
|
#
|
|
# Translators:
|
|
msgid ""
|
|
msgstr ""
|
|
"Project-Id-Version: Defensive Coding Guide\n"
|
|
"POT-Creation-Date: 2013-03-12T03:19:44\n"
|
|
"PO-Revision-Date: 2013-03-19 15:29+0000\n"
|
|
"Last-Translator: Automatically generated\n"
|
|
"Language-Team: Tibetan <trans-bo@lists.fedoraproject.org>\n"
|
|
"MIME-Version: 1.0\n"
|
|
"Content-Type: text/plain; charset=UTF-8\n"
|
|
"Content-Transfer-Encoding: 8bit\n"
|
|
"Language: bo\n"
|
|
"Plural-Forms: nplurals=1; plural=0;\n"
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Processes"
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Safe process creation"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"This section describes how to create new child processes in a safe manner. "
|
|
"In addition to the concerns addressed below, there is the possibility of "
|
|
"file descriptor leaks, see <xref linkend=\"sect-Defensive_Coding-Tasks-"
|
|
"Descriptors-Child_Processes\" />."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Obtaining the program path and the command line template"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The name and path to the program being invoked should be hard-coded or "
|
|
"controlled by a static configuration file stored at a fixed location (at an "
|
|
"file system absolute path). The same applies to the template for generating "
|
|
"the command line."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The configured program name should be an absolute path. If it is a relative "
|
|
"path, the contents of the <envar>PATH</envar> must be obtained in s secure "
|
|
"manner (see <xref linkend=\"sect-Defensive_Coding-Tasks-secure_getenv\" />)."
|
|
" If the <envar>PATH</envar> variable is not set or untrusted, the safe "
|
|
"default <literal>/bin:/usr/bin</literal> must be used."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"If too much flexibility is provided here, it may allow invocation of "
|
|
"arbitrary programs without proper authorization."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Bypassing the shell"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid "Child processes should be created without involving the system shell."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"For C/C++, <function>system</function> should not be used. The "
|
|
"<function>posix_spawn</function> function can be used instead, or a "
|
|
"combination <function>fork</function> and <function>execve</function>. (In "
|
|
"some cases, it may be preferable to use <function>vfork</function> or the "
|
|
"Linux-specific <function>clone</function> system call instead of "
|
|
"<function>fork</function>.)"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"In Python, the <literal>subprocess</literal> module bypasses the shell by "
|
|
"default (when the <literal>shell</literal> keyword argument is not set to "
|
|
"true). <function>os.system</function> should not be used."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The Java class <type>java.lang.ProcessBuilder</type> can be used to create "
|
|
"subprocesses without interference from the system shell."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Portability notice"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"On Windows, there is no argument vector, only a single argument string. Each"
|
|
" application is responsible for parsing this string into an argument vector."
|
|
" There is considerable variance among the quoting style recognized by "
|
|
"applications. Some of them expand shell wildcards, others do not. Extensive "
|
|
"application-specific testing is required to make this secure."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Note that some common applications (notably <application>ssh</application>) "
|
|
"unconditionally introduce the use of a shell, even if invoked directly "
|
|
"without a shell. It is difficult to use these applications in a secure "
|
|
"manner. In this case, untrusted data should be supplied by other means. For "
|
|
"example, standard input could be used, instead of the command line."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Specifying the process environment"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Child processes should be created with a minimal set of environment "
|
|
"variables. This is absolutely essential if there is a trust transition "
|
|
"involved, either when the parent process was created, or during the creation"
|
|
" of the child process."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"In C/C++, the environment should be constructed as an array of strings and "
|
|
"passed as the <varname>envp</varname> argument to "
|
|
"<function>posix_spawn</function> or <function>execve</function>. The "
|
|
"functions <function>setenv</function>, <function>unsetenv</function> and "
|
|
"<function>putenv</function> should not be used. They are not thread-safe and"
|
|
" suffer from memory leaks."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Python programs need to specify a <literal>dict</literal> for the the "
|
|
"<varname>env</varname> argument of the <function>subprocess.Popen</function>"
|
|
" constructor. The Java class <literal>java.lang.ProcessBuilder</literal> "
|
|
"provides a <function>environment()</function> method, which returns a map "
|
|
"that can be manipulated."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The following list provides guidelines for selecting the set of environment "
|
|
"variables passed to the child process."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"<envar>PATH</envar> should be initialized to "
|
|
"<literal>/bin:/usr/bin</literal>."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"<envar>USER</envar> and <envar>HOME</envar> can be inhereted from the parent"
|
|
" process environment, or they can be initialized from the "
|
|
"<literal>pwent</literal> structure for the user."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The <envar>DISPLAY</envar> and <envar>XAUTHORITY</envar> variables should be"
|
|
" passed to the subprocess if it is an X program. Note that this will "
|
|
"typically not work across trust boundaries because <envar>XAUTHORITY</envar>"
|
|
" refers to a file with <literal>0600</literal> permissions."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The location-related environment variables <envar>LANG</envar>, "
|
|
"<envar>LANGUAGE</envar>, <envar>LC_ADDRESS</envar>, <envar>LC_ALL</envar>, "
|
|
"<envar>LC_COLLATE</envar>, <envar>LC_CTYPE</envar>, "
|
|
"<envar>LC_IDENTIFICATION</envar>, <envar>LC_MEASUREMENT</envar>, "
|
|
"<envar>LC_MESSAGES</envar>, <envar>LC_MONETARY</envar>, "
|
|
"<envar>LC_NAME</envar>, <envar>LC_NUMERIC</envar>, <envar>LC_PAPER</envar>, "
|
|
"<envar>LC_TELEPHONE</envar> and <envar>LC_TIME</envar> can be passed to the "
|
|
"subprocess if present."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The called process may need application-specific environment variables, for "
|
|
"example for passing passwords. (See <xref linkend=\"sect-Defensive_Coding-"
|
|
"Tasks-Processes-Command_Line_Visibility\" />.)"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"All other environment variables should be dropped. Names for new environment"
|
|
" variables should not be accepted from untrusted sources."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Robust argument list processing"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"When invoking a program, it is sometimes necessary to include data from "
|
|
"untrusted sources. Such data should be check against embedded "
|
|
"<literal>NUL</literal> characters because the system APIs will sliently "
|
|
"truncate argument strings at the first <literal>NUL</literal> character."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The following recommendations assume that the program being invoked uses "
|
|
"GNU-style option processing using <function>getopt_long</function>. This "
|
|
"convention is widely used, but it is just that, and individual programs "
|
|
"might interpret a command line in a different way."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"If the untrusted data has to go into an option, use the <literal>--option-"
|
|
"name=VALUE</literal> syntax, placing the option and its value into the same "
|
|
"command line argument. This avoids any potential confusion if the data "
|
|
"starts with <literal>-</literal>."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"For positional arguments, terminate the option list with a single "
|
|
"<option>--</option> marker after the last option, and include the data at "
|
|
"the right position. The <option>--</option> marker terminates option "
|
|
"processing, and the data will not be treated as an option even if it starts "
|
|
"with a dash."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Passing secrets to subprocesses"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The command line (the name of the program and its argument) of a running "
|
|
"process is traditionally available to all local users. The called program "
|
|
"can overwrite this information, but only after it has run for a bit of time,"
|
|
" during which the information may have been read by other processes. "
|
|
"However, on Linux, the process environment is restricted to the user who "
|
|
"runs the process. Therefore, if you need a convenient way to pass a password"
|
|
" to a child process, use an environment variable, and not a command line "
|
|
"argument. (See <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-"
|
|
"environ\" />.)"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"On some UNIX-like systems (notably Solaris), environment variables can be "
|
|
"read by any system user, just like command lines."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"If the environment-based approach cannot be used due to portability "
|
|
"concerns, the data can be passed on standard input. Some programs (notably "
|
|
"<application>gpg</application>) use special file descriptors whose numbers "
|
|
"are specified on the command line. Temporary files are an option as well, "
|
|
"but they might give digital forensics access to sensitive data (such as "
|
|
"passphrases) because it is difficult to safely delete them in all cases."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Handling child process termination"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"When child processes terminate, the parent process is signalled. A stub of "
|
|
"the terminated processes (a <emphasis>zombie</emphasis>, shown as "
|
|
"<literal><defunct></literal> by <application>ps</application>) is kept"
|
|
" around until the status information is collected "
|
|
"(<emphasis>reaped</emphasis>) by the parent process. Over the years, several"
|
|
" interfaces for this have been invented:"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The parent process calls <function>wait</function>, "
|
|
"<function>waitpid</function>, <function>waitid</function>, "
|
|
"<function>wait3</function> or <function>wait4</function>, without specifying"
|
|
" a process ID. This will deliver any matching process ID. This approach is "
|
|
"typically used from within event loops."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The parent process calls <function>waitpid</function>, "
|
|
"<function>waitid</function>, or <function>wait4</function>, with a specific "
|
|
"process ID. Only data for the specific process ID is returned. This is "
|
|
"typically used in code which spawns a single subprocess in a synchronous "
|
|
"manner."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The parent process installs a handler for the <literal>SIGCHLD</literal> "
|
|
"signal, using <function>sigaction</function>, and specifies to the "
|
|
"<literal>SA_NOCLDWAIT</literal> flag. This approach could be used by event "
|
|
"loops as well."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"None of these approaches can be used to wait for child process terminated in"
|
|
" a completely thread-safe manner. The parent process might execute an event "
|
|
"loop in another thread, which could pick up the termination signal. This "
|
|
"means that libraries typically cannot make free use of child processes (for "
|
|
"example, to run problematic code with reduced privileges in a separate "
|
|
"address space)."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"At the moment, the parent process should explicitly wait for termination of "
|
|
"the child process using <function>waitpid</function> or "
|
|
"<function>waitpid</function>, and hope that the status is not collected by "
|
|
"an event loop first."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "<literal>SUID</literal>/<literal>SGID</literal> processes"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Programs can be marked in the file system to indicate to the kernel that a "
|
|
"trust transition should happen if the program is run. The "
|
|
"<literal>SUID</literal> file permission bit indicates that an executable "
|
|
"should run with the effective user ID equal to the owner of the executable "
|
|
"file. Similarly, with the <literal>SGID</literal> bit, the effective group "
|
|
"ID is set to the group of the executable file."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Linux supports <emphasis>fscaps</emphasis>, which can grant additional "
|
|
"capabilities to a process in a finer-grained manner. Additional mechanisms "
|
|
"can be provided by loadable security modules."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"When such a trust transition has happened, the process runs in a potentially"
|
|
" hostile environment. Additional care is necessary not to rely on any "
|
|
"untrusted information. These concerns also apply to libraries which can be "
|
|
"linked into such processes."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Accessing environment variables"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"The following steps are required so that a program does not accidentally "
|
|
"pick up untrusted data from environment variables."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Compile your C/C++ sources with <literal>-D_GNU_SOURCE</literal>. The "
|
|
"Autoconf macro <literal>AC_GNU_SOURCE</literal> ensures this."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Check for the presence of the <function>secure_getenv</function> and "
|
|
"<function>__secure_getenv</function> function. The Autoconf directive "
|
|
"<literal>AC_CHECK_FUNCS([__secure_getenv secure_getenv])</literal> performs "
|
|
"these checks."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Arrange for a proper definition of the <function>secure_getenv</function> "
|
|
"function. See <xref linkend=\"ex-Defensive_Coding-Tasks-secure_getenv\" />."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Use <function>secure_getenv</function> instead of "
|
|
"<function>getenv</function> to obtain the value of critical environment "
|
|
"variables. <function>secure_getenv</function> will pretend the variable has "
|
|
"not bee set if the process environment is not trusted."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Critical environment variables are debugging flags, configuration file "
|
|
"locations, plug-in and log file locations, and anything else that might be "
|
|
"used to bypass security restrictions or cause a privileged process to behave"
|
|
" in an unexpected way."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Either the <function>secure_getenv</function> function or the "
|
|
"<function>__secure_getenv</function> is available from GNU libc."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Obtaining a definition for <function>secure_getenv</function>"
|
|
msgstr ""
|
|
|
|
#. Tag: programlisting
|
|
#, no-c-format
|
|
msgid ""
|
|
"\n"
|
|
"\n"
|
|
"#include <stdlib.h>\n"
|
|
"\n"
|
|
"#ifndef HAVE_SECURE_GETENV\n"
|
|
"# ifdef HAVE__SECURE_GETENV\n"
|
|
"# define secure_getenv __secure_getenv\n"
|
|
"# else\n"
|
|
"# error neither secure_getenv nor __secure_getenv are available\n"
|
|
"# endif\n"
|
|
"#endif\n"
|
|
"\n"
|
|
"\t"
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Daemons"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Background processes providing system services "
|
|
"(<emphasis>daemons</emphasis>) need to decouple themselves from the "
|
|
"controlling terminal and the parent process environment:"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid "Fork."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"In the child process, call <function>setsid</function>. The parent process "
|
|
"can simply exit (using <function>_exit</function>, to avoid running clean-up"
|
|
" actions twice)."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"In the child process, fork again. Processing continues in the child process."
|
|
" Again, the parent process should just exit."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Replace the descriptors 0, 1, 2 with a descriptor for "
|
|
"<filename>/dev/null</filename>. Logging should be redirected to "
|
|
"<application>syslog</application>."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Older instructions for creating daemon processes recommended a call to "
|
|
"<literal>umask(0)</literal>. This is risky because it often leads to world-"
|
|
"writable files and directories, resulting in security vulnerabilities such "
|
|
"as arbitrary process termination by untrusted local users, or log file "
|
|
"truncation. If the <emphasis>umask</emphasis> needs setting, a restrictive "
|
|
"value such as <literal>027</literal> or <literal>077</literal> is "
|
|
"recommended."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Other aspects of the process environment may have to changed as well "
|
|
"(environment variables, signal handler disposition)."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"It is increasingly common that server processes do not run as background "
|
|
"processes, but as regular foreground process under a supervising master "
|
|
"process (such as <application>systemd</application>). Server processes "
|
|
"should offer a command line option which disables forking and replacement of"
|
|
" the standard output and standard error streams. Such an option is also "
|
|
"useful for debugging."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "Semantics of command line arguments"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"After process creation and option processing, it is up to the child process "
|
|
"to interpret the arguments. Arguments can be file names, host names, or "
|
|
"URLs, and many other things. URLs can refer to the local network, some "
|
|
"server on the Internet, or to the local file system. Some applications even "
|
|
"accept arbitrary code in arguments (for example, "
|
|
"<application>python</application> with the <option>-c</option> option)."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Similar concerns apply to environment variables, the contents of the current"
|
|
" directory and its subdirectories."
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"Consequently, careful analysis is required if it is safe to pass untrusted "
|
|
"data to another program."
|
|
msgstr ""
|
|
|
|
#. Tag: title
|
|
#, no-c-format
|
|
msgid "<function>fork</function> as a primitive for parallelism"
|
|
msgstr ""
|
|
|
|
#. Tag: para
|
|
#, no-c-format
|
|
msgid ""
|
|
"A call to <function>fork</function> which is not immediately followed by a "
|
|
"call to <function>execve</function> (perhaps after rearranging and closing "
|
|
"file descriptors) is typically unsafe, especially from a library which does "
|
|
"not control the state of the entire process. Such use of "
|
|
"<function>fork</function> should be replaced with proper child processes or "
|
|
"threads."
|
|
msgstr ""
|