Secure Programming for Linux and Unix by David A. Wheeler
Author:David A. Wheeler
Language: eng
Published: 2018-06-17T23:00:00+00:00
7.4.3. Minimize the Time the Privilege is Active
Use setuid(2), seteuid(2), setgroups(2), and related functions to ensure that the program only has these privileges active when necessary, and then temporarily deactivate the privilege when it’s not in use. As noted above, you might want to ensure that these privileges are disabled while parsing user input, but more generally, only turn on privileges when they’re actually needed.
Note that some buffer overflow attacks, if successful, can force a program to run arbitrary code, and that code could re-enable privileges that were temporarily dropped. Thus, there are many attacks that temporarily deactivating a privilege won’t counter, so it’s always much better to completely drop privileges as soon as possible. There are many papers that describe how to do this, such as "Designing Shellcode Demystified". Some people even claim that “seteuid() [is] considered harmful” because of the many attacks it doesn’t counter. Still, temporarily deactivating these privileges prevents a whole class of attacks, such as techniques to convince a program to write into a file that perhaps it didn’t intend to write into. Since this technique prevents many attacks, it’s worth doing if permanently dropping the privilege can’t be done at that point in the program.
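The following C program is an added example, not code from Wheeler's book: it shows the two patterns the section describes, a temporary drop with seteuid(2) that brackets only the one privileged operation (here an open(2) of a file), and a permanent drop that first clears supplementary groups, then the gid, then the uid, and verifies afterwards that the old identity cannot be regained. The function names and the sample path /etc/hostname are this example's own choices. On Linux it uses setresuid(2)/setresgid(2) for the permanent drop because plain setuid(2) in a non-root setuid program only changes the effective uid and leaves the saved uid, which is exactly the re-enable path the text warns about.

```c
/* Added example (not from Wheeler's book): temporarily dropping and later
 * permanently dropping privileges in a setuid program. Function names and the
 * sample path are this example's own. Build: cc -Wall privs.c -o privs */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Make the real uid the effective uid, keeping the saved uid so the privilege
 * can be reacquired later. Returns 0 on success, -1 on failure. */
int drop_privs_temporarily(uid_t *saved_euid) {
    uid_t real = getuid();
    *saved_euid = geteuid();
    if (seteuid(real) != 0) return -1;
    /* Always verify: never assume a set*uid call worked. */
    return (geteuid() == real) ? 0 : -1;
}

/* Reacquire the privilege recorded by drop_privs_temporarily(). */
int restore_privs(uid_t saved_euid) {
    if (seteuid(saved_euid) != 0) return -1;
    return (geteuid() == saved_euid) ? 0 : -1;
}

/* Open a file with the privilege active only for the duration of open(2).
 * Everything else, including parsing of untrusted input, runs unprivileged. */
int open_with_privilege(const char *path, uid_t saved_euid) {
    uid_t again;
    if (restore_privs(saved_euid) != 0) return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (drop_privs_temporarily(&again) != 0) { /* failing to drop again is fatal */
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Irreversibly give up the privilege. Order matters: supplementary groups
 * (only root may call setgroups), then gid, then uid, so no step leaves a more
 * powerful id behind that a later step would need. Afterwards, check that the
 * old effective id really cannot be regained. */
int drop_privs_permanently(void) {
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();
    uid_t old_euid = geteuid();

    if (old_euid == 0 && setgroups(0, NULL) != 0) return -1;
#if defined(__linux__)
    /* setres*id also clears the saved ids, which setuid() does not for non-root. */
    if (setresgid(real_gid, real_gid, real_gid) != 0) return -1;
    if (setresuid(real_uid, real_uid, real_uid) != 0) return -1;
#else
    if (setgid(real_gid) != 0) return -1;
    if (setuid(real_uid) != 0) return -1;
#endif
    /* The drop is only permanent if regaining the old id fails. */
    if (old_euid != real_uid && seteuid(old_euid) == 0) return -1;
    return (getuid() == real_uid && geteuid() == real_uid &&
            getgid() == real_gid && getegid() == real_gid) ? 0 : -1;
}

int main(void) {
    uid_t saved;
    if (drop_privs_temporarily(&saved) != 0) { perror("seteuid"); return 1; }
    /* ... read and parse untrusted input here, unprivileged ... */
    int fd = open_with_privilege("/etc/hostname", saved);
    if (fd >= 0) close(fd);
    if (drop_privs_permanently() != 0) { perror("drop privileges"); return 1; }
    printf("now running as uid %u (euid %u)\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the program is a no-op roundtrip; installed setuid it keeps the elevated id active only inside open_with_privilege(). Every set*id call is checked and the resulting ids are read back, because a silently failed drop is the worst outcome of this pattern.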