203 lines
5.1 KiB
HTML
203 lines
5.1 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Configure Safely and Use Safe Defaults</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Secure Programming for Linux and Unix HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Structure Program Internals and Approach"
|
|
HREF="internals.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Avoid Creating Setuid/Setgid Scripts"
|
|
HREF="avoid-setuid.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Load Initialization Values Safely"
|
|
HREF="init-safe.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Secure Programming for Linux and Unix HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="avoid-setuid.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 7. Structure Program Internals and Approach</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="init-safe.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="SAFE-CONFIGURE"
|
|
></A
|
|
>7.7. Configure Safely and Use Safe Defaults</H1
|
|
><P
|
|
>Configuration is considered to currently be the number one security problem.
|
|
Therefore, you should spend some effort to (1) make the initial installation
|
|
secure, and (2) make it easy to reconfigure the system while keeping it secure.</P
|
|
><P
|
|
>Never have the installation routines install a working ``default'' password.
|
|
If you need to install new ``users'', that's fine - just set them up with
|
|
an impossible password, leaving time for administrators to set the password
|
|
(and leaving the system secure before the password is set).
|
|
Administrators will probably install hundreds of packages and almost
|
|
certainly forget to set the password - it's likely they won't even know
|
|
to set it, if you create a default password.</P
|
|
><P
|
|
>A program should have the most restrictive access policy
|
|
until the administrator has a chance to configure it.
|
|
Please don't create ``sample'' working users or
|
|
``allow access to all'' configurations as the starting configuration;
|
|
many users just ``install everything'' (installing all available services)
|
|
and never get around to configuring many services.
|
|
In some cases the program may be able to determine that a more generous
|
|
policy is reasonable by depending on the existing authentication system,
|
|
for example, an ftp server could legitimately determine that a user who
|
|
can log into a user's directory should be allowed to access that user's files.
|
|
Be careful with such assumptions, however.</P
|
|
><P
|
|
>Have installation scripts install a program as safely as possible.
|
|
By default, install all files as owned by root or some other
|
|
system user and make them unwriteable by others;
|
|
this prevents non-root users from installing viruses.
|
|
Indeed, it's best to make them unreadable by all but the trusted user.
|
|
Allow non-root installation where possible as well, so that users without
|
|
root privileges and administrators who do not fully trust the
|
|
installer can still use the program.</P
|
|
><P
|
|
>When installing, check to make sure that any assumptions necessary for
|
|
security are true.
|
|
Some library routines are not safe on some platforms; see the discussion of
|
|
this in <A
|
|
HREF="call-only-safe.html"
|
|
>Section 8.1</A
|
|
>.
|
|
If you know which platforms your application will run on, you need not
|
|
check their specific attributes, but in that case you should
|
|
check to make sure that the program is being installed on only one of
|
|
those platforms.
|
|
Otherwise, you should require a manual override to install the program,
|
|
because you don't know if the result will be secure.</P
|
|
><P
|
|
>Try to make configuration as easy and clear as possible, including
|
|
post-installation configuration.
|
|
Make using the ``secure'' approach as easy as possible, or many users
|
|
will use an insecure approach without understanding the risks.
|
|
On Linux,
|
|
take advantage of tools like linuxconf, so that users can easily configure
|
|
their system using an existing infrastructure.</P
|
|
><P
|
|
>If there's a configuration language, the default should be to deny access
|
|
until the user specifically grants it.
|
|
Include many clear comments in the sample configuration file, if there is one,
|
|
so the administrator understands what the configuration does.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="avoid-setuid.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="init-safe.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Avoid Creating Setuid/Setgid Scripts</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="internals.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Load Initialization Values Safely</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |