Guidelines for using trusted facilities
Follow these guidelines when you use trusted facilities:
Consult your security administrator before running programs that
write sensitive system files, need super-user privilege, or manipulate
kernel data structures.
Be careful to use appropriate environment variables and data files.
Set up a program's environment and signal handling
dispositions to ensure that a user cannot make the program
do something unintended;
the program should catch SIGINT,
SIGQUIT, and so on.
This is essential for programs that execute other
programs using the
SUID programs should always set up the
IFS, PATH, and SHELL environment variables.
Use a restricted umask, such as 077,
for programs that create private files.
Use full (absolute) pathnames when executing program files from the shell.
Protect programs from general readership.
Setuid programs that run other programs are vulnerable;
some can be penetrated easily.
When passing control to a sub-program, use
to restore the original permissions.
Make sure that all files needed by only the parent process
are closed before invoking the child program.
In general, use these privileges
for the shortest amount of time possible.
For example, if you need privilege to open a file, use:
get enhanced priv
drop enhanced priv
Recall that the
system call and the
system call are different. Use the appropriate one.
In most cases, use
which checks against effective
UID and GID. Use
which checks against the real
UID and GID, when you are running
Catch and handle all expected signals.
It is important to undo any partially done actions that might leave
sensitive files in an inconsistent state.
Leave things in a sensible state, in all error cases.
Ensure that relevant exception conditions are handled.
If two users are likely to run a program concurrently,
make sure that any files to be modified
are locked during the modification.
Handle errors in file and user input formats.
It is possible for any file to be corrupted,
and errors that cause your program to fail
or leave files or permissions in an inconsistent state
invite penetrators. To make sure your system security is
not compromised, check your return codes, and
investigate and fix errors or inconsistencies.
Be particularly conscious of overflowing buffers
when reading input, which can cause unpredictable
and potentially harmful behavior.
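As an added example (not from the SCO documentation), the C code below applies the locking, error-handling and buffer guidelines above to a program that appends records to a shared file. It assumes a file of newline-terminated records at a path the caller supplies; the record size limit and function names are the example's own. Every system call's return code is checked, the lock is released on every exit path, and input is read into a fixed buffer with over-long lines rejected rather than silently truncated.

```c
/* Added example (not from the SCO manual): locked file update with
 * bounded input and checked return codes. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_RECORD 64   /* hypothetical size limit for one record */

/* Read one line into a fixed buffer. A line with no newline inside the
 * buffer is over-long (or the file was cut short) and is rejected, so a
 * corrupted or hostile file cannot overflow or smuggle partial data.
 * Returns 0 on success, -1 at EOF, on read error or on malformed input. */
int read_record(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n == 0 || buf[n - 1] != '\n')
        return -1;                         /* no newline: too long */
    buf[n - 1] = '\0';
    return 0;
}

/* Take (blocking) or release a whole-file record lock. */
static int set_lock(int fd, short type)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = type;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                          /* 0 = to end of file */
    return fcntl(fd, F_SETLKW, &fl);
}

/* Append one record while holding the lock, so two users running the
 * program concurrently cannot interleave partial writes.
 * Returns 0 on success, -1 with errno set on any failure. */
int append_record(const char *path, const char *record)
{
    size_t len = strlen(record);
    if (len == 0 || len >= MAX_RECORD || strchr(record, '\n') != NULL) {
        errno = EINVAL;                    /* refuse malformed input */
        return -1;
    }
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0)
        return -1;
    if (set_lock(fd, F_WRLCK) != 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    char line[MAX_RECORD + 1];
    memcpy(line, record, len);
    line[len] = '\n';
    int rc = 0, e = 0;
    ssize_t w = write(fd, line, len + 1);
    if (w < 0)                     { rc = -1; e = errno; }
    else if (w != (ssize_t)(len + 1)) { rc = -1; e = EIO; }
    if (rc == 0 && fsync(fd) != 0) { rc = -1; e = errno; }
    /* Always release the lock and close, even after a failed write. */
    if (set_lock(fd, F_UNLCK) != 0 && rc == 0) { rc = -1; e = errno; }
    if (close(fd) != 0 && rc == 0)             { rc = -1; e = errno; }
    if (rc != 0)
        errno = e;
    return rc;
}

/* Count well-formed records; stops at the first malformed line.
 * Returns -1 if the file cannot be opened or a read error occurs. */
int count_records(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char buf[MAX_RECORD + 2];              /* record + '\n' + '\0' */
    int n = 0;
    while (read_record(f, buf, sizeof buf) == 0)
        n++;
    int err = ferror(f);
    fclose(f);
    return err ? -1 : n;
}
```

The lock is taken on an already-open descriptor and released before the descriptor is closed; a failure anywhere in between still runs the unlock and close, which is the "leave things in a sensible state, in all error cases" rule in practice.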
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003