Subject: Re: vixie-crontab vulnerable?
To: Gordon W. Ross <gwr@mc.com>
From: David Brownlee <david@mono.org>
List: current-users
Date: 12/16/1996 21:06:00
On Mon, 16 Dec 1996, Gordon W. Ross wrote:
> > From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
> >
> > Hmm. Anyone for producing a "libcsafe" which doesn't include:
> >
> > strcat
> > strcpy
> > sprintf
> > gets
> >
> > and other "unsafe", but traditional, interfaces, and then linking all
> > setuid system programs against it instead of libc?
>
> You could also create a "libcsafe" that DOES include those functions,
> and ONLY those, but where those functions all just call abort. You
This feels wrong to me - you either want the program not to link
at all, or to link and run. Having a program that links, then
at some random time later aborts due to a little-used code
branch calling sprintf.... especially a daemon...
> might also make them invoke the magic link-time warning stuff.
>
This seems better - possibly enabled via an option to gcc?
The problem is that there are times when strcat, strcpy, & sprintf
are perfectly safe - while gets is never right.
snprintf usage is not guaranteed to be bugfree, just less likely
to have a bug than sprintf.
The best approach is probably for someone to go through the source
tree checking all the suid programs for strcat, strcpy & sprintf
usage. (I believe Theo has done a hell of a lot of this for
OpenBSD). Non-suid programs should ideally be checked as well, but
it boils down to effective use of resources :)
Maybe that suggested option to gcc should be enabled in
the makefiles for suid programs?
David/abs david@{mono.org,southern.com,mhm-internet.com}
System Manager: Southern Studios Ltd, PO Box 59, London N22 1AR.
Satisfied User: NetBSD, free Un*x {i386,sparc,mac68k,+more} 'www.netbsd.org'.
System Admin: MHM Internet, 14 Barley Mow Passage, Chiswick, London W4 4PH.
SysOP: Monochrome, Largest UK Internet BBS - 'telnet mono.org'.
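A concrete illustration of the point above that snprintf is only less error-prone than sprintf, not bug-free, as an added example that is not code from this thread or from NetBSD: the struct and helper names (sbuf, sbuf_appendf, naive_cursor, run_demo) are my own, and the 16-byte buffer and crontab-style strings are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded-append helper; names are assumptions, not NetBSD code. */
struct sbuf {
    char  *data;
    size_t cap;        /* storage size including the terminating NUL */
    size_t len;        /* bytes used, kept < cap */
    int    truncated;  /* sticky: set once any append failed to fit */
};

void sbuf_init(struct sbuf *b, char *storage, size_t cap) {
    b->data = storage; b->cap = cap; b->len = 0; b->truncated = 0;
    if (cap) storage[0] = '\0';
}

/* vsnprintf returns the length the whole output WOULD have had, not the bytes
 * written. The classic bug is "len += snprintf(buf + len, cap - len, ...)":
 * after one truncation len > cap, cap - len wraps to a huge size_t, and the
 * next call overruns the buffer. Here the cursor is clamped instead. */
int sbuf_appendf(struct sbuf *b, const char *fmt, ...) {
    va_list ap; int n;
    if (b->truncated || b->cap == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    if (n < 0) { b->data[b->len] = '\0'; b->truncated = 1; return -1; }
    if ((size_t)n >= b->cap - b->len) {   /* did not fit; buffer still NUL-terminated */
        b->len = b->cap - 1;
        b->truncated = 1;
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

/* Cursor the naive "len += snprintf(...)" pattern computes for the same append. */
size_t naive_cursor(size_t len, const char *s) {
    return len + (size_t)snprintf(NULL, 0, "%s", s);
}

/* Builds a crontab-style line in a 16-byte buffer: returns the final cursor,
 * or -1 if the buffer ever lost its NUL or the cursor passed the end. */
int run_demo(void) {
    char store[16];
    struct sbuf b;
    sbuf_init(&b, store, sizeof store);
    sbuf_appendf(&b, "user=%s", "root");               /* fits: cursor 9 */
    sbuf_appendf(&b, " cmd=%s", "/usr/bin/calendar");  /* 22 more: truncated at 15 */
    sbuf_appendf(&b, " env=%s", "HOME=/");             /* refused, cursor stays 15 */
    if (b.len >= b.cap || memchr(b.data, '\0', b.cap) == NULL) return -1;
    return (int)b.len;
}
```

With the naive pattern the cursor after the second append would be 31 in a 16-byte buffer, so the third call would compute a wrapped size and write past the end; the clamped version stops at 15 and refuses further writes.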