From zblaxell@myrus.com Sat May 25 02:54:45 1996
Received: from minitrue.ultratech.net (root@minitrue.ultratech.net [204.101.209.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id CAA20940 for ; Sat, 25 May 1996 02:53:14 +1000
Received: from myrus.com (root@localhost [127.0.0.1]) by minitrue.ultratech.net (8.7.3/8.7.3) with ESMTP id MAA24694 for ; Fri, 24 May 1996 12:52:19 -0400
Received: (from zblaxell@localhost) by myrus.com (8.7.5/8.7.3) id MAA11095 for best-of-security@suburbia.net; Fri, 24 May 1996 12:52:21 -0400
From: Zygo Blaxell
Message-Id: <199605241652.MAA11095@myrus.com>
Subject: Unix Interface Considered Harmful
To: best-of-security@suburbia.net
Date: Fri, 24 May 1996 12:52:21 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

(Thought the BOS crowd might like this. It's an edited reply to one of the dozens of replies to my earlier 'don't put "find /tmp -exec rm -f..." in root's crontab' posting. It's available at:

    http://www.ultratech.net/~zblaxell/unix-interface-considered-harmful.txt

Permission granted for unlimited distribution of this document without modification and with attribution.)

* Unix Interfaces Considered Harmful

Things would be a lot easier if Unix and C had been a bit better designed. Once you've removed a few bits of brain-damage from the standard C/Unix library, people have to think for themselves, and that can result in better code. Not always, but it helps.

Compare an interface that requires a buffer address and maximum length of the buffer (like fgets) with an interface that only requires a buffer address and leaves the user responsible for ensuring that the maximum length of input will be less than the size of the buffer (like gets). Which is more likely to suffer from buffer-overrun bugs?

Documentation is the first step in combatting the problem.
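The fgets/gets contrast above is the whole point, so here is an added example (mine, not code from the original post) of a line reader that keeps gets()'s convenient contract, one line, newline stripped, but takes the buffer size the way fgets() does, and therefore cannot store past the end of the buffer. It also handles the two cases a bounded reader has to get right: a line that fits exactly with only its newline left over, and a line that does not fit at all, whose remainder is drained so the next call does not mistake the tail for a fresh line. The sample input is constructed; fmemopen() is assumed available (POSIX 2008, present in glibc) so the example runs offline with no terminal.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF, LINE_ERROR };

/*
 * gets()-style line reader with the one thing gets() lacks: the buffer size
 * is part of the interface, so nothing is ever stored past buf[bufsz - 1].
 * The trailing newline is stripped, as gets() does. A line that does not fit
 * is reported as LINE_TRUNCATED and its remainder is discarded from the
 * stream, so the caller is told the data was cut rather than silently
 * receiving the tail of one line as the start of the next.
 */
enum line_status read_line_bounded(char *buf, size_t bufsz, FILE *fp)
{
    if (buf == NULL || bufsz < 2 || bufsz > INT_MAX)
        return LINE_ERROR;          /* cannot hold even one byte plus NUL */
    if (fgets(buf, (int)bufsz, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;             /* whole line, newline included, fit */
    }
    /* No newline in the buffer: the line ended at EOF, fit exactly with only
     * its newline left over, or was longer than the buffer. Peek to tell. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != EOF && c != '\n')   /* drain the part that did not fit */
        c = fgetc(fp);
    return LINE_TRUNCATED;
}

/* Constructed sample input (not from the original post): a short line, a
 * line far longer than a 16-byte buffer, and a final line with no newline. */
static const char SAMPLE_INPUT[] =
    "short\n"
    "this line is much longer than sixteen bytes and would overrun gets()\n"
    "last";

/* Read all of text with a bufsz-byte buffer (capped at 128). Returns the
 * number of lines read, or -1 on error; if truncated is non-NULL, stores how
 * many of those lines did not fit. Mode "r" means fmemopen never writes to
 * text, which is why the const cast is safe here. */
int scan_lines(const char *text, size_t bufsz, int *truncated)
{
    char buf[128];
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL) return -1;
    int lines = 0, cut = 0;
    enum line_status st;
    while ((st = read_line_bounded(buf, bufsz, fp)) == LINE_OK || st == LINE_TRUNCATED) {
        lines++;
        if (st == LINE_TRUNCATED) cut++;
    }
    fclose(fp);
    if (truncated) *truncated = cut;
    return st == LINE_ERROR ? -1 : lines;
}

/* Wrappers so each answer is a plain return value. */
int count_lines(const char *text, size_t bufsz)
{
    return scan_lines(text, bufsz, NULL);
}

int count_truncated(const char *text, size_t bufsz)
{
    int cut = 0;
    return scan_lines(text, bufsz, &cut) < 0 ? -1 : cut;
}

int main(void)
{
    for (size_t sz = 16; sz <= 128; sz *= 8)
        printf("buffer %3zu bytes: %d lines, %d truncated\n", sz,
               count_lines(SAMPLE_INPUT, sz), count_truncated(SAMPLE_INPUT, sz));
    return 0;
}
```

With a 16-byte buffer the long line is reported as truncated and the reader still lands cleanly on "last"; with 128 bytes every line fits. The design choice worth noting is that truncation is a visible return value rather than a silent condition: a caller that cares (a parser reading a config file, say) can reject the input instead of acting on half a line.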
The GNU gets() man page contains this disclaimer:

    Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.

I'm beginning to get the impression we should have some sort of 'security-lint' program that just looks for stuff like 'gets' and screams about it.

Unfortunately every third program, even the bloody *shells*, does stupid things like this:

strace -f sh -c 'cat <