
secprog(3)

Thomas Biege <thomas@suse.de>
22 Apr 2004

libsecprog-devel

Secure Replacements for Problematic C Functions

NAME

s_strncpy - secure strncpy, s_strncat - secure strncat, s_execv - secure execv, s_tmpfile - secure buffered tmp file, s_popen - secure popen, safe_tmpfile - secure unbuffered tmp file, safe_reopen - secure reopen of files, sigprotection - blocking signals, close_stdfds - close standard file descriptors, setlimits - set limits, setupsbitproc - setup at beginning of setuid code

SYNOPSIS

#include <secprog.h>
char *s_strncpy(char *dest, char *src, size_t n);
char *s_strncat(char *dest, char *src, size_t n);
int s_execv(const char *filename, char *const argv[]);
FILE *s_tmpfile(void);
FILE *s_popen(char *cmd, const char *type);
int safe_tmpfile(char *filename);
int safe_reopen(char *file, int mode);
int sigprotection(u_int toggle, sigset_t *sp_blockmask);
int close_stdfds(void);
int setlimits(sl_limit slim);
int setupsbitproc(void);

DESCRIPTION

s_strncpy copies string src to buffer dest, writing at most n bytes. The dest string is always zero terminated (unlike strncpy(3), which leaves dest unterminated when src has n or more characters).
s_strncat concatenates string src onto dest up to size n. The dest string is always zero terminated.
s_execv executes filename with arguments argv. Before the exec it cleans up the environment, checks the login, checks the current directory, and sets the close-on-exec flag on all file descriptors except stdin, stdout and stderr.
s_tmpfile creates a temporary file more securely and returns a buffered stream (FILE *).
s_popen is a secure popen(3) replacement that avoids invoking the shell, so shell metacharacters in cmd are never interpreted.
safe_tmpfile works like s_tmpfile except that it returns an integer (unbuffered) file descriptor.
safe_reopen reopens a file securely even in world-writable directories like /tmp .
sigprotection should be called before and after a critical section of code. Set toggle to SP_ON to block the signals contained in mask sp_blockmask, or to SP_OFF to switch signal blocking off again.
close_stdfds just closes all standard file descriptors. (Note: Only needed on systems with an old glibc or an old OpenBSD kernel.)
setlimits uses the structure slim to set process limits such as RLIMIT_MEMLOCK, RLIMIT_NPROC, RLIMIT_NOFILE, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE:
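Added example (not libsecprog code, and not its implementation of s_strncpy/s_strncat): a bounded copy and concatenation that always NUL-terminate, shown next to the strncpy(3) behaviour they replace. The names safe_strncpy, safe_strncat and the demo helpers are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* Copy at most n-1 bytes of src into dest and always write a NUL.
 * On truncation the result is src's first n-1 bytes. Returns dest. */
char *safe_strncpy(char *dest, const char *src, size_t n)
{
    if (n == 0)
        return dest;
    size_t len = strnlen(src, n - 1);   /* never reads past n-1 bytes of src */
    memcpy(dest, src, len);
    dest[len] = '\0';
    return dest;
}

/* Append src to the NUL-terminated string in dest; here n is the total
 * size of dest, not the free space. Always NUL-terminates. Returns dest. */
char *safe_strncat(char *dest, const char *src, size_t n)
{
    size_t used = strnlen(dest, n);
    if (used >= n)          /* dest was not terminated: nothing safe to do */
        return dest;
    safe_strncpy(dest + used, src, n - used);
    return dest;
}

/* Returns 1 if buf holds a NUL within its first n bytes (without
 * reading beyond the buffer). */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* The defect being replaced: strncpy() with an overlong source fills
 * the whole buffer and writes no terminator, so a later strlen() or
 * printf("%s") reads past the buffer. Returns 1 if that happened. */
int strncpy_leaves_unterminated(void)
{
    char buf[8];
    strncpy(buf, "0123456789", sizeof buf);   /* fills all 8 bytes, no NUL */
    return !is_terminated(buf, sizeof buf);
}

/* Same input through the safe variant: truncated to 7 chars plus NUL. */
int safe_strncpy_terminates(void)
{
    char buf[8];
    safe_strncpy(buf, "0123456789", sizeof buf);
    return is_terminated(buf, sizeof buf) && strcmp(buf, "0123456") == 0;
}

/* Concatenation that would overflow is truncated, not overrun. */
int safe_strncat_truncates(void)
{
    char buf[8] = "ab";
    safe_strncat(buf, "cdefghij", sizeof buf);
    return strcmp(buf, "abcdefg") == 0;
}
```

The caller still has to check for truncation where a silently shortened string is itself a problem (paths, usernames); the guarantee here is only that dest can always be used as a C string afterwards.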
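Added example (not libsecprog code) illustrating the two functions described above, s_execv and s_popen: a popen(3) replacement that execs the program directly with an argv vector, so no shell ever parses a command string, and which applies in the child the exec hygiene listed for s_execv, namely a minimal fixed environment and FD_CLOEXEC on every descriptor except 0, 1 and 2. The login and current-directory checks are not shown. Only the "r" direction (reading the child's stdout) is implemented; all names are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Fixed environment handed to the child: nothing inherited from a
 * possibly hostile caller (LD_PRELOAD, IFS, PATH ...). */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Mark fds 3..maxfd close-on-exec so the child inherits only 0/1/2. */
static void cloexec_all_but_std(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;
    for (long fd = 3; fd < maxfd; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags >= 0)
            fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC);
    }
}

/* Run path with argv (argv[0] included, NULL-terminated) and return a
 * stream connected to its stdout; *pid_out receives the child pid. */
FILE *popen_noshell(const char *path, char *const argv[], pid_t *pid_out)
{
    int p[2];
    if (pipe(p) < 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0) {
        close(p[0]); close(p[1]);
        return NULL;
    }
    if (pid == 0) {
        close(p[0]);
        if (dup2(p[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(p[1]);
        cloexec_all_but_std();
        execve(path, argv, clean_env);     /* no shell involved */
        _exit(127);                        /* exec failed */
    }
    close(p[1]);
    *pid_out = pid;
    return fdopen(p[0], "r");
}

/* Close the stream and reap the child; returns its exit status or -1. */
int pclose_noshell(FILE *f, pid_t pid)
{
    int status;
    fclose(f);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: with popen() the string "hello; id" would also run id; here the
 * metacharacters are just bytes in one argument. Returns 1 if the
 * child echoed the argument back literally and exited 0. */
int demo_echo_literal(void)
{
    char *argv[] = { "echo", "hello; id", NULL };
    pid_t pid;
    FILE *f = popen_noshell("/bin/echo", argv, &pid);
    if (!f)
        return 0;
    char line[64] = "";
    fgets(line, sizeof line, f);
    int status = pclose_noshell(f, pid);
    return status == 0 && strcmp(line, "hello; id\n") == 0;
}
```

Because the program path is passed separately from its arguments, untrusted input can only ever become an argument, never a command. The close-on-exec loop is the portable form; on a kernel that offers close_range(2) that call is cheaper when _SC_OPEN_MAX is large.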
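Added example (not libsecprog code) for the three file functions above, s_tmpfile/safe_tmpfile and safe_reopen: an unbuffered temp file created with mkstemp(3), and the checks a "safe reopen" of a file in a world-writable directory such as /tmp needs so that a symlink or a swapped directory entry planted by another local user is refused. The names tmpfile_unbuffered, reopen_checked and demo_reopen are hypothetical; the demo uses $TMPDIR or /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a uniquely named temp file in dir with O_CREAT|O_EXCL and mode
 * 0600; fills path (caller unlinks it). Returns the fd or -1. */
int tmpfile_unbuffered(const char *dir, char *path, size_t pathlen)
{
    if (snprintf(path, pathlen, "%s/secprog.XXXXXX", dir) >= (int)pathlen)
        return -1;
    int fd = mkstemp(path);        /* atomic create, never follows a link */
    if (fd < 0)
        return -1;
    fchmod(fd, 0600);              /* very old libcs created it 0666 & ~umask */
    return fd;
}

/* Reopen path without following a symlink, then verify that what we
 * opened is a plain file owned by us with a single hard link, and that
 * the directory entry still names the same inode (no rename race). */
int reopen_checked(const char *path, int flags)
{
    struct stat ls, fs;
    int fd = open(path, flags | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                 /* ELOOP if an attacker planted a symlink */
    if (fstat(fd, &fs) < 0 || lstat(path, &ls) < 0)
        goto bad;
    if (!S_ISREG(fs.st_mode) || fs.st_nlink != 1 || fs.st_uid != geteuid())
        goto bad;
    if (ls.st_dev != fs.st_dev || ls.st_ino != fs.st_ino)
        goto bad;                  /* entry swapped between open and lstat */
    return fd;
bad:
    close(fd);
    return -1;
}

/* Demo: a file we created reopens; a symlink to it at another name (the
 * classic /tmp attack) is refused. Returns 1 on the expected outcome. */
int demo_reopen(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], path[256], link[256];
    snprintf(dir, sizeof dir, "%s/secprogdemo.XXXXXX", base);
    if (!mkdtemp(dir))             /* private 0700 directory for the demo */
        return 0;
    int fd = tmpfile_unbuffered(dir, path, sizeof path);
    if (fd < 0)
        return 0;
    if (write(fd, "x", 1) != 1)
        return 0;
    close(fd);

    int direct = reopen_checked(path, O_RDWR);
    snprintf(link, sizeof link, "%s/victim", dir);
    symlink(path, link);
    int via_link = reopen_checked(link, O_RDWR);   /* must be -1 */

    int result = direct >= 0 && via_link == -1;
    if (direct >= 0)
        close(direct);
    unlink(link); unlink(path); rmdir(dir);
    return result;
}
```

The fstat-then-lstat comparison closes the window between the open and the checks: an attacker who renames a symlink into place after the open cannot make the already-opened descriptor point anywhere else, and one who does it before the open is stopped by O_NOFOLLOW.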
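Added example (not libsecprog code) of the technique behind sigprotection: blocking a signal set around a critical section with sigprocmask(2) and restoring the previous mask afterwards. SP_ON/SP_OFF mirror the toggle described above; the function name sig_protect and the demo are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <string.h>

#define SP_ON  1
#define SP_OFF 0

/* With SP_ON, block the signals in blockmask and remember the mask that
 * was in force; with SP_OFF, restore that saved mask (which also delivers
 * anything that became pending meanwhile). Returns 0 on success, -1 otherwise. */
int sig_protect(unsigned toggle, const sigset_t *blockmask)
{
    static sigset_t saved;          /* one saved mask: not nestable */
    if (toggle == SP_ON)
        return sigprocmask(SIG_BLOCK, blockmask, &saved);
    if (toggle == SP_OFF)
        return sigprocmask(SIG_SETMASK, &saved, NULL);
    return -1;
}

static volatile sig_atomic_t hits;
static void on_usr1(int sig) { (void)sig; hits++; }

/* Demo: a SIGUSR1 raised inside the protected region is held pending and
 * the handler runs only after SP_OFF, so the critical section cannot be
 * interrupted half-way. Returns 1 if exactly that ordering was observed. */
int demo_deferred_signal(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_usr1;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) < 0)
        return 0;

    sigset_t mask, pending;
    sigemptyset(&mask);
    sigaddset(&mask, SIGUSR1);

    hits = 0;
    if (sig_protect(SP_ON, &mask) < 0)
        return 0;
    raise(SIGUSR1);                      /* inside critical section: deferred */
    int during = hits;
    sigpending(&pending);
    int was_pending = sigismember(&pending, SIGUSR1);
    if (sig_protect(SP_OFF, &mask) < 0)  /* unblock: handler runs now */
        return 0;
    return during == 0 && was_pending == 1 && hits == 1;
}
```

Blocking only defers delivery; the handler still runs once the mask is restored, so code after SP_OFF must expect it. SIGKILL and SIGSTOP cannot be blocked, and the single static saved mask means the pair must not be nested.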
  typedef struct
  {
    int fsize;          /* max file size */
    int data;           /* max data size */
    int stack;          /* max stack size */
    int core;           /* max core file size */
    int rss;            /* max resident set size */
    int nproc;          /* max number of processes */
    int nofile;         /* max number of open files */
    int memlock;        /* max locked-in-memory address space */
  } sl_limit;
setupsbitproc should be called at the beginning of every setuid application; it closes the standard file descriptors and sets some process limits. (Note: It does not drop setuid privileges.)
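Added example (not libsecprog code) covering setlimits, close_stdfds and setupsbitproc above: the sl_limit structure applied with setrlimit(2), and the standard-descriptor fix-up a setuid program should perform first. Instead of closing fds 0, 1 and 2, this variant reopens any that are missing on /dev/null, which is the safer form on current systems. A field of -1 means "leave unchanged"; requested limits are applied to both the soft and the hard value. Names other than sl_limit are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <unistd.h>
#include <sys/resource.h>

typedef struct { int fsize, data, stack, core, rss, nproc, nofile, memlock; } sl_limit;

/* Apply one limit; a negative value means "not requested". */
static int set_one(int resource, int value)
{
    if (value < 0)
        return 0;
    struct rlimit rl = { (rlim_t)value, (rlim_t)value };
    return setrlimit(resource, &rl);    /* fails if above the current hard limit */
}

/* Returns 0 if every requested limit was set, -1 otherwise. RLIMIT_RSS
 * is accepted but has no effect on current Linux kernels. */
int apply_limits(const sl_limit *s)
{
    return (set_one(RLIMIT_FSIZE, s->fsize) | set_one(RLIMIT_DATA, s->data) |
            set_one(RLIMIT_STACK, s->stack) | set_one(RLIMIT_CORE, s->core) |
            set_one(RLIMIT_RSS, s->rss) | set_one(RLIMIT_NPROC, s->nproc) |
            set_one(RLIMIT_NOFILE, s->nofile) |
            set_one(RLIMIT_MEMLOCK, s->memlock)) ? -1 : 0;
}

/* If any of fd 0,1,2 is closed at startup, point it at /dev/null. Leaving
 * it closed is the dangerous option: the next open() in a setuid program
 * would land on a standard descriptor, and a later printf()/perror()
 * would then write into that privileged file. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) >= 0)
            continue;                     /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {                  /* a lower fd was free first */
            if (dup2(nfd, fd) < 0) { close(nfd); return -1; }
            close(nfd);
        }
    }
    return 0;
}

/* First thing in main() of a setuid program; does not drop privileges. */
int setup_sbit_proc(const sl_limit *s)
{
    if (ensure_std_fds() < 0)
        return -1;
    return apply_limits(s);
}

/* Demo: forbid core dumps (a crash must not write memory that was read
 * with privileges to disk) and read the limit back. Returns the new
 * soft limit, so 0 on success. */
long demo_core_limit(void)
{
    sl_limit s = { -1, -1, -1, 0, -1, -1, -1, -1 };   /* core = 0 only */
    if (setup_sbit_proc(&s) < 0)
        return -1;
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) < 0)
        return -1;
    return (long)rl.rlim_cur;
}
```

Lowering a hard limit is irreversible for the process and its children, which is the point for a setuid program: once set, nothing reached later by an attacker can raise it again.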

RETURN VALUE

The functions s_strncat and s_strncpy return a pointer to the resulting string (dest).
The function s_popen returns a buffered stream (FILE *) on success, NULL otherwise.
The function s_execv does not return on success, and returns -1 otherwise.
The function s_tmpfile returns a buffered stream (FILE *) on success, NULL otherwise.
The function safe_tmpfile returns a file descriptor on success, -1 otherwise.
The function safe_reopen returns a file descriptor on success, -1 otherwise.
The function sigprotection returns zero on success, -1 otherwise.
The function close_stdfds returns zero on success, -1 otherwise.
The function setlimits returns zero on success, -1 otherwise.
The function setupsbitproc returns zero on success, -1 otherwise.