

D. J. Bernstein's software philosophy: DJB quotes on security

Return-Path:
References: <>
Date: Fri, 7 Jul 2000 17:42:48 -0000
From: "D. J. Bernstein"
Subject: Re: ftpd and setproctitle()
To: BUGTRAQ@SECURITYFOCUS.COM

Often an interface encourages bugs. The right way to use the interface isn't the easiest way to use the interface. This interface turns every new programmer into an enemy, creating bugs faster than we can fix them.

The solution is to eliminate the interface. Design a new interface that doesn't encourage bugs. Then make sure that everyone switches to the new interface. Advertise the new interface. Make the old interface more and more difficult to use. Move gets() to /usr/lib/libbugpronestandards.a.

Is this easier than documenting the right way to use the old interface? Of course not. But it can actually succeed. Documentation never will.

For several years I've been systematically identifying and redesigning bug-prone interfaces. I don't have any more memory leaks, for example, because I'm now using memory-allocation interfaces where leaks are more difficult to write than correct code.

In 1996, when I identified the flaw under discussion in setproctitle() et al., I worked out several solutions. Simplest was to make sure that typical strings fail miserably as format strings. Replace setproctitle() with a setproctitlex() that

and you'll never have to worry about this bug again. I'm actually using a different solution, but setproctitlex() has lower transition cost.

Theo de Raadt writes:

> Well, while everyone is talking about setproctitle affecting wuftpd,
> I should probably note that it even affects the OpenBSD ftpd. In fact,
> looking around, it looks like it might affect everyone's ftpd.

It doesn't affect publicfile's ftpd.

---Dan

2000-11-21 Toshinori Maeno: Security and convenience can be reconciled.

rsync DJB tools
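The interface point in the post above, as an added illustration. This is example code written for this page, not DJB's setproctitlex() and not any BSD's setproctitle(); the title_printf() stand-in (which formats into a caller buffer instead of rewriting argv so it runs anywhere), the buffer parameters, has_format_directives() and the sample strings are all assumptions. The bug-prone call is fed a deliberately harmless directive ("%%") so that it can be executed without undefined behaviour; a real attacker string such as "%x%x%n" is only checked, never formatted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 256

/* Stand-in for the BSD setproctitle(const char *fmt, ...) interface
 * (constructed for this example). The real function rewrites the argv
 * area so ps(1) shows the title; this one writes into a caller buffer.
 * The shape is what matters: the first argument is a printf format. */
static int title_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The pattern behind the ftpd bug discussed in the post: a string
 * received from the network is passed as the format itself, so every
 * '%' in it is interpreted. Modern compilers flag exactly this call
 * (-Wformat-security); it is silenced here only so the demonstration
 * compiles unchanged. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int set_title_bugprone(char *out, size_t n, const char *untrusted)
{
    return title_printf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* The interface that does not encourage the bug: its only argument is
 * data. There is no way to hand it a format, so the easiest call is
 * also the correct one. (Assumed shape; not DJB's actual code.) */
int setproctitlex(char *out, size_t n, const char *s)
{
    return title_printf(out, n, "%s", s);
}

/* Transition guard for code still calling the old interface: reject any
 * string that would act as a format. "%%" is a literal percent and is
 * harmless; any other character (or nothing) after '%' is a conversion.
 * Returns 1 if the string contains directives, 0 otherwise. */
int has_format_directives(const char *s)
{
    const char *p = s;

    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') {
            p += 2;          /* escaped percent, skip both characters */
            continue;
        }
        return 1;            /* "%s", "%x", "%n", or a lone trailing '%' */
    }
    return 0;
}

/* Runs the same constructed input through both interfaces.
 * Returns 1 if the two results differ, i.e. the old interface
 * interpreted the string rather than copying it. */
int demo(char *bugprone_out, char *safe_out, size_t n)
{
    const char *from_network = "transfer done 100%%";   /* constructed sample */

    /* Old interface: "%%" collapses to "%", proof that the bytes were
       consumed as a format. With "%n" instead this would be a write. */
    set_title_bugprone(bugprone_out, n, from_network);

    /* setproctitlex(): the bytes arrive verbatim. */
    setproctitlex(safe_out, n, from_network);

    return strcmp(bugprone_out, safe_out) != 0;
}

int main(void)
{
    char a[TITLE_MAX], b[TITLE_MAX];

    demo(a, b, sizeof a);
    printf("bug-prone interface: \"%s\"\n", a);
    printf("setproctitlex():     \"%s\"\n", b);
    printf("\"cwd %%x%%x%%n\" has format directives: %d\n",
           has_format_directives("cwd %x%x%n"));
    return 0;
}
```

The point is not the guard but the signature: has_format_directives() is the documentation-style fix the post says never succeeds on its own, useful only while callers migrate, whereas setproctitlex() removes the format parameter so there is nothing left for a new programmer to get wrong.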

MoinQ: DJB/security/ftp (last edited 2021-05-01 01:32:12 by ToshinoriMaeno)