2002-06-03 David A. Wheeler * Noted algorithmic complexity attacks. 2002-05-21 David A. Wheeler * Noted SafeStr. 2002-04-13 David A. Wheeler * Added more on PHP functions that execute code. 2002-04-07 David A. Wheeler * Noted PHP's safe_mode, disable_functions and open_basedir directives, as well as noting that you should NOT rely on them. * Added reference to http://www.etc.msys.ch/docs/chrooted_httpd.pdf which has a nice discussion about employing chroot (it was written specifically to discuss Apache on OpenBSD, but the principles it discusses are actually broader). 2002-03-28 David A. Wheeler * Python rexec and Bastion are gone - fundamentally flawed, just as I'd feared. Noted this. 2002-03-24 David A. Wheeler * Noted that you need to minimize the access to data. In particular, check configuration files & abort if they're writeable by all. * Added id values to some section1 headings (so their URLs will be better). 2002-03-17 David A. Wheeler * Added link to smatch. 2002-03-03 David A. Wheeler * Fixed the URL links to Eric Raymond's site: "tuxedo.org" -> "catb.org". 2002-02-18 David A. Wheeler * Clarified more about GUI applications. * Updated my picture, now it actually looks more like me. * Changed URL for libsafe. * Renamed LCLint to splint. * Mentioned dreamland. 2002-02-16 David A. Wheeler * Released version 3.007. 2002-02-02 David A. Wheeler * Noted Shamir and Tromir's paper on Factoring Large Numbers with the TWIRL device (a draft paper at this time) - the paper basically suggests that 1024-bit RSA isn't secure either. 2002-01-23 David A. Wheeler * Clarified that HttpOnly on cookies is a useful secondary defense, but don't count on it as primary. I wrote it that way before, but recent papers on "breaks" because some people thought HttpOnly was sufficient as a primary defense made me decide to state this even more clearly. 2002-01-16 David A. Wheeler * Expanded the discussion on crypto protocols, in part based on some suggestions from Pawel Krawczyk (kravietz, at echelon ,dot pl). 2002-01-16 David A. Wheeler * Referenced Quixote's interesting approach to XSS. * Mentioned RMAC. * Expanded the Tcl section significantly. Thanks to Wojciech Kocjan (wojciech, at kocjan dot org), who asked me to update the Tcl section and gave me some wrong/right examples of Tcl use that helped clarify the discussion, as well as noting that Tcl 8.0 implements other data types internally and is really more robust than older versions. 2002-01-15 David A. Wheeler * Clarified that you should not use "nobody" for your own programs (unless you're writing a webserver) - instead, use the same IDEA of creating pseudousers and groups to isolate programs from each other. Thanks to Martijn Vernooij tinus, at, win (dot) tue (dot) nl for asking me about this. 2002-12-31 David A. Wheeler * Added note about Ada's Inspection_Point. The idea of mentioning Inspection_Point was suggested by Florian Weimer (Weimer, at, CERT dot Uni-Stuttgart, dot DE) - thanks! - but the text as usual is my own. 2002-12-30 David A. Wheeler * Version 3.005. Adds major new text on handling tmp files where there are tmp cleaners running (true on most real systems), notes on avoiding buffer overflow in FD_SET/FD_CLR(), and a long discussion on a new attack against web-based systems: session fixation. I also added text about protecting secrets in memory. 2002-12-26 David A. Wheeler * Made major modifications to the tmp file section based on Michal Zalewski's (lcamtuf, at, coredump, dot cx) very nice article titled "[RAZOR] Problems with mkstemp()". In this paper, posted on Bugtraq but also sent directly to me by him (THANK YOU!), he notes the problems of tmp cleaners and how they introduce races to otherwise non-racy safe uses. Thankfully, it appears that my earlier suggestion on how to do this in C is fine, since it's file descriptor based. HOWEVER, before I had suggested NOT using temp files in shell, but if you had to, use mktemp(1). It turns out my intuition was correct - you really can't do it safely in shell at all, even with mktemp(1), in tmp cleaning environments where an attacker can influence /tmp. Since this describes a number of environments (and sometimes environments change INTO this circumstance), it's much safer to just not do it. * Expanded the discussion of OpenWall, and gave the specific rules used in the LSM version of OpenWall. That way, people can write their code to run correctly in OpenWall-protected systems running the LSM version of OpenWall. * Added a note about FD_SET() and FD_CLR() thanks to the Timo Sirainen (tss, at, iki dot fi), who very helpfully noted: Just occured to me a while ago that FD_SET() and FD_CLR() don't do any buffer size checks. After a bit of googleing I didn't see this mentioned pretty anywhere else than in recent pppd vulnerability, which exploited exactly this problem. I don't think it's obvious to most people that the check should be done, especially because fd_set isn't even defined to be an array. Linux's select() man page doesn't even say anything about FD_SETSIZE. 2002-12-19 David A. Wheeler * Added long discussion on session fixation. 2002-11-19 David A. Wheeler * Significant additional discussion about protecting secrets in memory, in particular mlock() and scrubbing secrets in memory. In particular, added discussion about what you need to do to avoid having the C/C++ compiler optimize away memory overwrites (this is an old & well-known issue, but the recent Bugtraq discussion jogged my memory and realized that I hadn't specifically discussed it in the book). * Noted Perl's File::Temp. My thanks to Steven M. Christey, coley (at, linus.mitre.org), for pointing this out. 2002-10-29 David A. Wheeler * Released version 3.000. 2002-8-13 David A. Wheeler * Added long discussion about security requirements, in particular emphasizing the Common Criteria. * Noted that SQL metacharacter insertion is often called "SQL injection". 2002-7-13 David A. Wheeler * Various small improvements. 2002-4-29 David A. Wheeler * Thanks to Bastian Kleineidam, who noted that Java's clone() returns Object, not void. 2002-4-10 David A. Wheeler * Mentioned "Mastering Regular Expressions"... he has a regular expression for checking email addresses.. and it's so long that it SHOWS how hard it is to really check email addresses. 2002-4-10 David A. Wheeler * Updated slides slightly, and re-posted. 2002-4-09 David A. Wheeler * Added link to Crypto Law Survey. 2002-4-02 David A. Wheeler * Added note about Openwall temp directory policy. 2002-3-28 David A. Wheeler * Added reference to http://www.enseirb.fr/~glaume/indexen.html (buffer overflow study) 2002-3-25 David A. Wheeler * Recommend 2048-bit, not 1024-bit, keys for RSA. Recent factoring algorithm improvements make it possible for well-funded organizations to break in 1024-bit quickly. See Bugtraq, 23 Mar 2002, "1024-bit RSA keys in danger of compromise" by "Lucky Green" . Bruce Scheier has a countering opinion, but frankly, why risk it? This is an area where using a few more bits is usually easy, so just do it. 2002-3-18 David A. Wheeler * Noted perl users want people to use sudo, not suidperl. * Noted ORDB as another anti-spam service. 2002-3-14 David A. Wheeler * Release version 2.963 to internal website. * Modified my local document generation process. It turns out that the version numbers weren't printing on the copies I was generating!! That's fixed now. * Fixed date of zlib bug (it's 2002, not 2001). My thanks to Colin Simmonds (Nortel Networks), who noticed this mistake only two days after I released my book. And wow - there must be a lot of people looking at my book, to so quickly notice a minor error in an update in the middle of the book! * Mentioned Valgrind and Electric Fence, two tools that can help counter double-free()ing problems like zlib's. 2002-3-11 David A. Wheeler * Released version 2.961. * Added note about double-free'ing, and the environment variables that can be used to counter the problem. * Added note about avoiding off-by-one bugs. That's really a general "avoid bugs" issue, but I thought it'd be worth mentioning. * Spelling error fixed ("relased" -> "released"). 2002-3-8 David A. Wheeler * Added info about spam. * Added note on CRT Eavesdropping. 2002-3-7 David A. Wheeler * Mentioned NSA's nsa1.www.conxion.com website. 2002-3-4 David A. Wheeler * Expanded slightly on the "mutually untrusting programs" description. This was hinted at in Qmail's discussion, though I didn't use any text other than that phrase. I added a note that I need to go back to the Qmail text to really deal with it further. * Fixed two small typos noted by Thomas Klausner 2002-3-2 David A. Wheeler * Released version 2.95. * Fixed URL (securingjava.com), which had a side-effect of creating a minor plucker error. 2002-2-26 David A. Wheeler * Released version 2.94 (to my website). * addition->additional, noted by Pat Gunn. * std:string in C++ doesn't auto-convert to char*, my bad. The problem is that some OTHER string libraries do so. Thanks to Per Mellstrand for pointing this out. * Made a MAJOR change on my local website in the tools I use. I now primarily use the LDP tools. As a result, the PDF is better (with hyperlinks and a nicer TOC), the HTML has section numbers, MUCH better ASCII text, a one-page HTML, and plucker format. Thus, my website's results are nicer, and I can be more certain about the results that the LDP gives too. 2002-2-21 David A. Wheeler * Mentioned Fenris. * Modified URL to Kirch's paper; unix-vs-nt.org appears to have permanently gone down, and I can't get hold of John Kirch, so I now link to the Internet Archive copy. 2002-2-9 David A. Wheeler * Released version 2.93. * Added text about semantic attacks. * More discussion about shells and their problems. 2002-2-6 David A. Wheeler * Added note from David deVitry - in some circumstances web browsers can be fooled into automatically POSTing form data. It's still a good idea to ignore GET and require POST for some operations, as discussed in the text. 2002-2-1 David A. Wheeler * Added warnings about strncpy() and seteuid(), based on comments from Philip Hazel. * Added notes on SQL metacharacters, based on http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf 2002-1-7 David A. Wheeler * Fixed UTF-8 table format. 2002-1-7 David A. Wheeler * Released version 2.91. 2002-1-3 David A. Wheeler * Changed the UTF-8 legal values table. The original table was WRONG, ack!! This stuff is quite tricky; many didn't notice the problem earlier. Thanks to Peter Astrand who noted the problem, and who pointed me to http://www.unicode.org/unicode/uni2errata/UTF-8_Corrigendum.html which has a correct table. 2002-1-3 David A. Wheeler * Added more about checking URIs; the idea was suggested by John Levon. 2001-12-28 David A. Wheeler * Added more text about PHP, based on some suggestions by Richard Lynch. 2001-12-17 David A. Wheeler * Added a reference to Cyclone, including Viega's review. * I haven't added a "why write secure programs" section. If I do, I'll probably mention gems like this one titled "Cyberattacks increase after Sept. 11" by Dibya Sarkar: "In Orlando, Florida, there has been a nearly 300-fold increase in cyberattacks, and most IP addresses show they're from the Middle East and Pakistan, said John, Matelski, Orlando's deputy CIO, who advises the mayor. Before Sept. 11, he said the city averaged about 50 intrusion attacks per month. After the attacks, the city has averaged about 14,000 per month. "Many of these intrusion attempts are not volatile. They're merely probes to find deficiencies and perhaps do harm," Matelski said. Federal Computer Week, December 3, 2001, page S19. 2001-12-11 David A. Wheeler * Added discussion of new PHP (4.1.0), which makes it easier to write PHP software with register_globals off, and warns that this will become the default. 2001-10-15 David A. Wheeler * Added reference to Kurt Seifried's paper on web authentication. 2001-10-10 David A. Wheeler * Incorporated many suggestions from Bill Brykczynski. * Switched to DocBook version 4.1 (from 3.1). * Began using a stylesheet. * Switched to a different spelling checker (aspell), which found a number of speeling priblems. * Added a lot of material about web authentication. * Added a long discussion on cryptography, including suggestions on recommended algorithms. 2001-7-24 David A. Wheeler * Added link to [LSD 2001]. 2001-7-16 David A. Wheeler * New link to BFBTester, and it now works on Linux (yay!). 2001-7-6 David A. Wheeler * Added a new section on PHP. This is based on Clowes' work, though many of the actual recommendations are my own. * Fixed a number of grammer and typo errors - my thanks to Moritz Jodeit, who sent me a nice long set of fixes! 2001-7-5 David A. Wheeler * Noted PyChecker. 2001-6-14 David A. Wheeler * Noted that to really drop privileges you may also need to reset the supplemental groups. 2001-6-08 David A. Wheeler * Fixed typo, 'fileystem'. 2001-6-04 David A. Wheeler * Added reference to Geodsoft's hardening OpenBSD info. 2001-5-31 David A. Wheeler * Added reference to Zalewski's "Delivering Signals for Fun and Profit", and some more material on signals based on it. 2001-5-30 David A. Wheeler * Fixed grammatical error in the open source security section. * Released version 2.87. 2001-5-24 David A. Wheeler * Updated the description of ITS4, added references to RATS and flawfinder. * Local release as version 2.86. 2001-5-16 David A. Wheeler * Added reference to Cox 2000 (Windows 2000 secure configuration). 2001-5-10 David A. Wheeler * Added reference to Murhammer as a general TCP/IP reference. 2001-5-09 David A. Wheeler * Mentioned the Entropy Gathering Daemon. 2001-5-07 David A. Wheeler * Mentioned Jerry Connolly's http://heap.nologin.net/aspsec.html web page for ASP input issues. * Mentioned inconsistent strlcat semantics when size==0 or there are no embedded NIL characters. * Mentioned GID==0 - it's VERY special on some Unix-like systems, and it's all-powerful on most anyway. 2001-4-23 David A. Wheeler * Extended discussion on persistent cookies, in particular noting that they are illegal on U.S. government sites (with a reference). 2001-4-23 David A. Wheeler * Mentioned linux-security-module * Referenced "Vulnerability Assessment Scanners" by Forristal. 2001-4-05 David A. Wheeler * Expanded discussion of trusted path and trustworthy channels. * Noted that when fixing a vulnerability, log later attempts. 2001-3-30 David A. Wheeler * Added cross-references and other information noting that, at installation time, you should check your system assumptions necessary for security. 2001-3-22 David A. Wheeler * Noted the problem with globbing. 2001-3-20 David A. Wheeler * Added reference to Halvar Flake's slides on disassembling closed source programs. 2001-3-06 David A. Wheeler * Added reference to http://www-syntim.inria.fr/fractales/Staff/ Raynal/LinuxMag/SecProg/Art4/index.html * Added note about rfork(). 2001-2-28 David A. Wheeler * Noted that you need to load initialization values from a trusted location (based on recent problems with Joe) * Added reference to IETF RFC 1750 (Randomness Recommendations for Security). * Noted that Mandrake 7.1 includes libsafe. 2001-2-27 David A. Wheeler * Fixed many minor typos - thanks to John Levon who identified them. * Noted various security extensions, such as FreeBSD's jail(2) and the huge numbers of research efforts for Linux (Janus, Subterfugue, NSA Linux/Flask, RSBAC, etc.). Sometime I'll have to add the information on Trusted Solaris, etc., but for the moment I refer to NSA's "Evaluated Product List" which has specific information on the security approaches of some of them. * Noted "fuzz". * Added a reference to William Stalling's excellent collection of papers, "Practical Cryptography for Data Internetworks." 2001-2-8 David A. Wheeler * Noted other shell special characters, in particular the whitespace characters that separate parameters. 2001-1-12 David A. Wheeler * Released version 2.75. * Moved from DocBook 3.0 to DocBook 3.1. I tried doing this earlier, but I forgot to change "Davenport" to "OASIS" and got lots of error messages. The right header obviously matters! * Added a figure ("program") showing my abstract view of programs; it's not deep, but it helps to logically keep things straight. The master file is "program.dia", which is editable with the open source (GPL'ed) program "Dia" available at http://www.lysator.liu.se/~alla/dia (and in many distributions). It's not beautiful (I'm no artist), but hopefully it helps explain the idea. * Switched to distributing a tarball, so the figure is included. * Modified the random number section, after Jordan Dimov rightly complained that my phrase 'truly random numbers' was somewhat misleading. Fair enough, I was glossing over the details (which I knew) - hopefully this version gives the bigger picture. I ended up basically rewriting the section. * Added section about "Open Source" and security. 2001-1-1 David A. Wheeler * Released the book as version 2.70. Seriously extended and modified the book, adding lengthy discussions about cross-site malicious content, verifying HTML and URIs, and creating temporary files. Did a number of clean-ups and various additions, too. 2000-12-4 David A. Wheeler * Added a section, "prevent-include-access". I was reminded of this issue by the Bugtraq posting of 1 Dec 2000 by Mads Bach (bach@INDER.NET), with the subject line "Web based apps and include files". * Added a section about not including comments in returned data. 2000-11-10 David A. Wheeler * Added information about Java not enforcing "private" etc. from null/trusted Classloaders, my thanks to John Steven who noted this! * Added reference to sci.crypt and their FAQ. * Modified the definition of "Availability" due to a comment by Alan Santos. * Fixed discussion about sprintf().. you _can_ use sprintf() to avoid buffer overflows, but its use is tricky. 2000-10-30 David A. Wheeler * Added a reference to the GLB Act (a new U.S. law) 2000-10-26 David A. Wheeler * Added a note that you should only call to programs intended for calling by another program. 2000-10-26 David A. Wheeler * Michael Kerrisk mentioned that #defining _SVID_SOURCE or _BSD_SOURCE, then #include , will cause __USE_MISC to be defined (and allow clearenv). 2000-10-24 David A. Wheeler * Added a discussion about vfork. John Levon pointed me to the issue, which was written up by Solar Designer. 2000-10-03 David A. Wheeler * Company name change; RST became "Cigital". 2000-09-05 David A. Wheeler * Added a note about web bugs. 2000-09-03 David A. Wheeler * Added a number of internal cross-references (29 currently). Now that I've given all sections an "id", I can use the "xref" tag effectively. This should really help readers follow the text in some places... now you can easily jump to related material in the text. * Added "Free Software" to some titles as well as "Open Source Software", and pointed to the FSF for more such information. Also fixed a typo. 2000-09-01 David A. Wheeler * Modified Conclusions and "atomic" section to emphasize the problems with /tmp and /var/tmp directories (especially how attackers create symbolic links in them to cause trouble). * Modified the SGML so that all (as well as all chapters) have a reasonable "id" attached. Now all HTML filenames have meaningful filenames, as well as the sections inside. This will make it easier for people to externally link to specific sections of the document. * Added note that glibc _does_ filter the LANG setting for setuid/setgid, but that it's been buggy (Red Hat released a fix on September 1, 2000). 2000-08-28 David A. Wheeler * Added the note that MD5 is rumored to be broken (& referenced the 22 August 2000 posting in Bugtraq that raised this). I don't want to be a rumormonger, but since MD5 has already been shown to be partly broken, this seems quite plausible; besides, a better algorithm is available, so this is yet another reason to switch. 2000-08-21 David A. Wheeler * Added information that strlcpy/strlcat are being added to glib (I'm the one that implemented & recommended the patch, based on the original BSD work). * Added "id" entries for chapters - it improves HTML filenames and begins to add usable internal links. 2000-07-31 David A. Wheeler * Moved filtering locale information into the "input" section, since that's where it logically went. Expanded it, since many may not know about i18n. * Released version 2.31. 2000-07-27 David A. Wheeler * Added more information about formatting strings and internationalization (i18n). * Released version 2.30. 2000-07-23 David A. Wheeler * Added in some information (and an example) from the GNOME Programming guidelines. * Added a note and reference to Byte, April 1986, which discusses some of the issues with terminal escape codes. 2000-07-18 David A. Wheeler * Added warnings about formatting characters to printf() and family, including %n, as well as other formatting systems like syslog(). My thanks to John Levon for reminding me to do this, and for reviewing my early drafts. * The bugtraq message about safely using sprintf with the width modifier didn't sound right to me, so I double-checked it. I found that in fact it is completely unsafe! Not all bugtraq posters check their claims, that's for sure! So, modified the text to note that this is UNsafe. * Modified BFBTester reference, noting that it's GPLed. I also worked with the BFBTester author to get it ported to Linux; turns out a subtlety with threads made waitpid() not work the way he expected (because threads are Linux processes, and an "uncle" cannot wait on its "nephew"). * Moved tools to be under "Miscellaneous", instead of C-centric; many tools aren't C/C++-centric, and even those that are might change later, so may as well put them in a place that they'll stay. It's easier to compare tools if similar kinds are all in one place. * Added warnings about protecting the output of syslog(). 2000-07-03 David A. Wheeler * Added example of "safe" use of sprintf (length option) from bugtraq posting. [but see 2000-07-18] 2000-06-29 David A. Wheeler * Added reference to BFBTester. 2000-06-28 David A. Wheeler * Added warning about signed char. 2000-06-22 David A. Wheeler * Expanded the section on race conditions. 2000-06-07 David A. Wheeler * Added text about ITS4 and LClint. Mentioned Shmoo and made sure that I had everything they did. * Added info from Martin Douda on other problematic shell characters. * Added a few nuggets on Java and C from http://java.sun.com/security/seccodeguide.html * Added many more references to related security information. * Explained more about shell scripting languages & why they're a problem. 2000-06-02 David A. Wheeler * Added reference to the Python Restricted Environment stuff. Added my own warning about only copying in references (I didn't see such a warning in any material I have). 2000-05-24 David A. Wheeler * Switched to GNU Free Documentation License (FDL), which is designed for documents (the GPL really wasn't). 2000-05-22 David A. Wheeler * Began adding more language-specific information, such as Perl info from perlsec(1) and perlopentut(1), moving C compiler flags into its own section, etc. * Significantly extended the Java-specific section, based on the two leading Java security books. 2000-05-18 David A. Wheeler * Received several suggestions from Doug Kilpatrick: extend UTF-8 description, mention that the Linux kernel writers use the term "task" not "process", talk more about not depending on stdin/stdout/stderr being open (I mentioned it before though), add "-O2" to the recommended gcc flag list (some dataflow checks require this). 2000-04-25 David A. Wheeler * Minor grammar fixes. * Marc Welz pointed out that in Linux 2.2 you can determine the pid, uid and gid using: getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) 2000-04-22 David A. Wheeler * Added discussion on Lucent's libsafe. While writing this discussion, I sent Lucent several notes on issues in libsafe. In particular, they failed to discuss in their documentation the fact that depending on LD_PRELOAD to enable libsafe makes it possible for evil local users to disable libsafe on programs they run! Also, I sent them a list of other "dangerous" functions that they didn't cover. * Added more comments of "things I want to cover". Okay, that's not the same as actually discussing them, but it's a start. 2000-04-21 David A. Wheeler * Version 2.00 released, dated 21 April 2000. This version is identical to version 1.60 in content, but switches format from the Linuxdoc DTD to the DocBook DTD. Thanks to Jorge Godoy for helping me perform the transition. There are a few rough spots; DocBook experts are welcome to give me a hand. I now generate RTF. The ASCII text file format is quite poor; I can't help that, the tools aren't ready yet. 2000-04-04 David A. Wheeler * Version 1.60 released. * Changed so that it now covers BOTH Linux and Unix. Since most of the guidelines covered both, and many/most app developers want their apps to run on both, it made sense to cover both. Much of the detail still only discusses Linux, which I intend to fix over time; suggestions on what to add would be great! * This meant adding some history about Unix (as well as Linux), discussing in a few places variations (more discussion needed), etc. 2000-03-08 David A. Wheeler * It's too long, so I changed the type from "article" to "book". That meant that sect became chapt, sect1 became sect, etc. * Added Biblical quotations to head every chapter, for the enjoyment of the reader. 2000-03-06 David A. Wheeler * Added more information on using strlcpy and strlcat. * Expanded conclusions so it actually summarizes the key points. * Various minor improvements. Well, I _hope_ they're improvements! 2000-03-05 David A. Wheeler * Added a brief discussion of confidentiality, integrity, and availability. Anybody who knows about security should know about this, but since it's assumed elsewhere in the text I thought it's worth mentioning. * Added more information about signals, locking, etc. I don't want this to be a general-purpose programming primer, but some things seem worth summarizing. 2000-03-03 David A. Wheeler * Added reference to "Applied Cryptography" and the "Linux Encryption HOWTO". * Added a note about ext2's reserved space for root (as a preventative for denial-of-service attacks), with a reference to mke2fs(8). * Added a new "Credits" section in the document itself to give people credit. See the ChangeLog file (this one) for the details. And, responded to many suggestions, as noted below. * Eric S. Raymond said "Nice work, in general.. but I believe you have "fail open" and "fail closed" reversed." Fair enough. I decided that I really meant "fail safe" instead of either term, and I added a discussion about that. * Paul Millar found I'd used /var/log/ where I meant /var/lock/; corrected, I added reference to the FHS for more information, and added some material from the FHS in the hopes that people will use standard conventions when they apply! * John Levon suggested noting that you should drop privs while parsing input, describe digest passwords, mention "safer" users (like "nobody"), and mention rate-limiting audit trails. I knew about these, but I didn't call them out. So, I wrote text to cover those points. * A (user who prefers to be anonymous) asked how to set the global environment to NULL, noting that # unset environ; set or # environ='' set don't work. As far as I know, you need to put a small "wrapper" program around sh scripts to do this, so I've added that note to the document. * Ryan McCabe gave a really GOOD note that fixed-length strings have a built-in weakness; you can exploit them by providing information around their length and cause some routines to silently fail to append data. * Chuck Phillips noted a more efficient way to use strncpy, which I added. He also couldn't believe that strncpy NIL-filled, and sent me a long note explaining why it shouldn't. I agree that it shouldn't, but in spite of all rational reasons for why it shouldn't, it DOES! So, I added references to K&R 2nd edition (page 249), and the man pages for Solaris, Linux, and FreeBSD, to show that this horrible thing is actually true, logic to the contrary. * Scott Ingram mentioned that configuration is the number one problem. I agreed, and in fact I already noted that in the text, but that got me thinking that I should specifically recommend making things easy to configure (as well as using safe defaults). If more programs did that, we'd have a lot fewer cracked machines. * Martin Pool suggested noting that sometimes scripting languages can do a setenv() and affect its caller. He also suggested mentioning dynamically linked libraries, but I'd already planned to do that. He also suggested mentioning the ideas on breaking out of chroot in http://www.suid.edu/source/breakchroot.c; I actually summarized it in the text, it's just yet another example of why having root privileges is enough to break out of chroot jails. * Chuck Phillips , Neil Brown , and Eric Werme USG discussed NFS issues with me which yielded the insight that, although NFS version 2 is "broken as described," version 3 _does_ support exclusive file creation. Sadly, there are still many NFS version 2 users, so we can't depend on this, but the discussion did suggest to me some enhancements to the text on creating locks using files. 2000-02-09 David A. Wheeler * Noted that the document is now part of the Linux Documentation Project (LDP). * Added more references, such as [Mudge 1995], [McClure 1999], [Bellovin 1989], and Nathan P. Smith's "Stack Smashing Security Vulnerabilities" website. 2000-01-06 David A. Wheeler * Grammo: in section "Library Solutions", s/requires/require/ 2000-01-05 David A. Wheeler * Released version 1.24; announced to http://lwn.net and http://www.securityportal.com. 2000-01-05 David A. Wheeler * Added information on "why did you write your own document"? * Added information on more per-process attributes, in particular limits and the filesystem root. * Noted that filesystem quotas can be per-group as well as per-user. * Fixed a ~, which in this DTD must be written as ˜. * Fixed a few typos, thanks to review by Clyde Roby 1999-12-30 David A. Wheeler * Added some information on POSIX capabilities & the bounding set. * Added information explaining rwx permissions on directories. 1999-12-23 David A. Wheeler * Now at version 1.20. * Added major new section, section 2, that describes the Linux programming model for security (e.g., file attributes, etc.). I determined that there really isn't a single good place that has this kind of information, and where better than to include it in information on how to write secure programs? * Moved the "buffer overflow" section out into its own section, since it's so important. Added more information about StackGuard, etc. * Mentions glib in the buffer overflow section; if anyone wishes to analyze the implementation to determine which glib functions protect against buffer overflow I'd like to know about them. * Added some references to PAM. * Various other fixes. 1999-12-03 David A. Wheeler * Fixed minor grammar error in CGI section, added PDF format. * Added "favicon.ico" so Internet Explorer users, should they bookmark this site, will get Tux as a logo. Seems fair :-). 1999-11-30 David A. Wheeler * Added GPL license, reference to http://www.dwheeler.com. 1999-11-29 David A. Wheeler * Initial version (1.0) completed.