SETUID (7) NetBSD Miscellaneous Information Manual SETUID (7) • Although non-keyboard signals cannot be sent by ordinary users in V7, they may perhaps be sent by the system authorities (e.g. to indicate that the system is about to shut down), so the possibility cannot be ignored. • On some systems there may be an alarm(3) signal pending on startup. • The program may have children it did not create. This is normal when the process is part of a pipeline. • In some non-V7 systems, users can change the ownerships of their files. Setuid programs should avoid trusting the owner identification of a file. • User-supplied arguments and input data must be checked meticulously. Overly-long input stored in an array without proper bound checking can easily breach security. When software depends on a file being in a specific format, user-supplied data should never beinserted into the file without being checked first. Meticulous checking includes allowing for the possibility of non-ASCII characters. • Temporary files left in public directories like /tmp might vanish at inconvenient times. The following are resource-exhaustion possibilities that the program should respond properly to. • The user might have used up all of his allowed processes, so any attempt to create a new one (via fork(2) or popen(3)) will fail. • There might be many files open, exhausting the supply of descriptors. • There might be many arguments. • The arguments and the environment together might occupy agreat deal of space. Systems which impose other resource limitations can open setuid programs to similar resource-exhaustion attacks. Setuid programs which execute ordinary programs without reducing authority pass all the above problems on to such unprepared children. Standardizing the execution environment is only a partial solution. HISTORY Written by Henry Spencer, and based on additional outside contributions. AUTHORS Henry Spencer 〈〉 BUGS The list really is rather long... and probably incomplete. NetBSD 3.0 February 10, 2003 3

SIGNAL (7) NetBSD Miscellaneous Information Manual SIGNAL (7) NAME signal —signal facilities DESCRIPTION The 〈signal.h〉 header file defines the following signals: Value Name Default ActionDescription 1 SIGHUP terminate process terminal line hangup 2 SIGINT terminate process interrupt program 3 SIGQUIT create core image quit program 4 SIGILL create core image illegal instruction 5 SIGTRAP create core image trace trap 6 SIGABRT create core image abort(3) call (formerly SIGIOT) 7 SIGEMT create core image emulate instruction executed 8 SIGFPE create core image floating-point exception 9 SIGKILL terminate process kill program (cannot be caught or ignored) 10 SIGBUS create core image bus error 11 SIGSEGV create core image segmentation violation 12 SIGSYS create core image invalid system call argument 13 SIGPIPE terminate process write to a pipe with no reader 14 SIGALRM terminate process real-time timer expired 15 SIGTERM terminate process software termination signal 16 SIGURG discard signal urgent condition present on socket 17 SIGSTOP stop process stop (cannot be caught or ignored) 18 SIGTSTP stop process stop signal generated from keyboard 19 SIGCONT discard signal continue after stop 20 SIGCHLD discard signal child status has changed 21 SIGTTIN stop process background read attempted from control terminal 22 SIGTTOU stop process background write attempted to control terminal 23 SIGIO discard signal I/O is possible on a descriptor (see fcntl(2)) 24 SIGXCPU terminate process CPU time limit exceeded (see setrlimit(2)) 25 SIGXFSZ terminate process file size limit exceeded (see setrlimit(2)) 26 SIGVTALRM terminate process virtual time alarm (see setitimer(2)) 27 SIGPROF terminate process profiling timer alarm (see setitimer(2)) 28 SIGWINCH discard signal window size change 29 SIGINFO discard signal status request from keyboard 30 SIGUSR1 terminate process user-defined signal 1 31 SIGUSR2 terminate process user-defined signal 2 32 SIGPWR discard signal power failure/restart Afunction that is async-signal-safe is either reentrant or non-interruptible by signals. This means that they can be used in signal handlers and in the child of threaded programs after doing fork(2). The following functions are async-signal-safe. Any function not listed below isunsafe to use in signal handlers. _Exit(2), _exit(2), abort(3), accept(2), access(2), alarm(3), bind(2), cfgetispeed(3), cfgetospeed(3), cfsetispeed(3), cfsetospeed(3), chdir(2), chmod(2), chown(2), clock_gettime(2), close(2), connect(2), creat(3), dup(2), dup2(2), execle(3), execve(2), fchmod(2), fchown(2), fcntl(2), fdatasync(2), fork(2), fpathconf(2), fstat(2), fsync(2), ftruncate(2), getegid(2), geteuid(2), getgid(2), getgroups(2), getpeername(2), getpgrp(2), getpid(2), getppid(2), getsockname(2), getsockopt(2), getuid(2), kill(2), link(2), listen(2), lseek(2), lstat(2), mkdir(2), mkfifo(2), open(2), pathconf(2), pause(3), pipe(2), poll(2), raise(3), read(2), readlink(2), recv(2), recvfrom(2), recvmsg(2), NetBSD 3.0 March 28, 2006 1

