Hello,
I'm using the Fedora distro for my desktop since a while. But now I want to setup a web server. For me it doesn’t make much sense to setup Fedora as a productive server system because this would need too much attention for all the updates (that’s a point I really love for the desktop!). Another thing that is very cool (or the main reason why I’ve chosen Fedora as my primary system) is it’s great focus on security (let’s think of the implementation of SELinux). Now my question is: How is the Debian security compared to the security of Fedora? They don’t have SELinux, ok.
The reason why I want to use Debian is, because a RHEL subscription is too expensive for a home server and the CentOS project… Well sometimes (not in general) they are a bit slow in providing security updates.
So is Debian as secure as Fedora?
Thanks for all upcoming replies!
Max
----------------------------------------------------------------
Mit einer kostenlosen E-Mail-Adresse @t-online.de werden Ihre Daten verschlüsselt übertragen und in Deutschland gespeichert.
www.t-online.de/email-kostenlos
Hi,
noticed https://fedoraproject.org/wiki/SecurityBasics which is 2 clicks
from the landing page and could use some updates.
Do we have an kind of security announcements list which could be
recommended there?
Richard
---
Name and OpenPGP keys available from pgp key servers
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 0c1d3d46838c1427d17cadabf4000444bb614046
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon Oct 13 09:51:42 2014 +0200
Shell: Use a snippet for the input validation example
Add self-tests to the snippet code. Mention that this construct is
bash-specific.
Fixes the broken regular expression spotted by Eric Blake.
>---------------------------------------------------------------
defensive-coding/en-US/Shell.xml | 27 ++++++-------
...ons-snprintf.xml => Shell-Input_Validation.xml} | 10 +++-
defensive-coding/src/Shell-Input_Validation.sh | 41 ++++++++++++++++++++
3 files changed, 61 insertions(+), 17 deletions(-)
diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml
index f889dc1..d6a9465 100644
--- a/defensive-coding/en-US/Shell.xml
+++ b/defensive-coding/en-US/Shell.xml
@@ -398,23 +398,22 @@ trap cleanup 0
linkend="sect-Defensive_Coding-Shell-Arithmetic"/>.
</para>
<para>
- The following construct can be used to check if a string
- “<literal>$value</literal>” is an integer.
+ <xref linkend="ex-Defensive_Coding-Shell-Input_Validation"/>
+ shows a construct which can be used to check if a string
+ “<literal>$value</literal>” is an integer. This construct is
+ specific to <application>bash</application> and not portable to
+ POSIX shells.
</para>
- <informalexample>
- <programlisting language="Bash">
-if [[ $value =~ ^-?[0-9]$ ]] ; then
- echo value is an integer
-else
- echo "value is not an integer" 1>&2
- exit 1
-fi
- </programlisting>
- </informalexample>
+ <example id="ex-Defensive_Coding-Shell-Input_Validation">
+ <title>Input validation in <application>bash</application></title>
+ <xi:include href="snippets/Shell-Input_Validation.xml"
+ xmlns:xi="http://www.w3.org/2001/XInclude" />
+ </example>
<para>
Using <literal>case</literal> statements for input validation is
- also possible, but the pattern language is more restrictive, and
- it can be difficult to write suitable patterns.
+ also possible and supported by other (POSIX) shells, but the
+ pattern language is more restrictive, and it can be difficult to
+ write suitable patterns.
</para>
<para>
The <literal>expr</literal> external command can give misleading
diff --git a/defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml b/defensive-coding/en-US/snippets/Shell-Input_Validation.xml
similarity index 60%
copy from defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml
copy to defensive-coding/en-US/snippets/Shell-Input_Validation.xml
index dc790d8..61cb7d1 100644
--- a/defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml
+++ b/defensive-coding/en-US/snippets/Shell-Input_Validation.xml
@@ -2,7 +2,11 @@
<!DOCTYPE programlisting PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
<!-- Automatically generated file. Do not edit. -->
-<programlisting language="C">
-char fraction[30];
-snprintf(fraction, sizeof(fraction), "%d/%d", numerator, denominator);
+<programlisting language="Bash">
+if [[ $value =~ ^-?[0-9]+$ ]] ; then
+ echo value is an integer
+else
+ echo "value is not an integer" 1>&2
+ exit 1
+fi
</programlisting>
diff --git a/defensive-coding/src/Shell-Input_Validation.sh b/defensive-coding/src/Shell-Input_Validation.sh
new file mode 100644
index 0000000..2b86a49
--- /dev/null
+++ b/defensive-coding/src/Shell-Input_Validation.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+validate () {
+ local value="$1"
+ #+ Shell Input_Validation
+ if [[ $value =~ ^-?[0-9]+$ ]] ; then
+ echo value is an integer
+ else
+ echo "value is not an integer" 1>&2
+ exit 1
+ fi
+ #-
+}
+
+check_validate () {
+ local value="$1"
+ local expected="$2"
+ (
+ validate "$value"
+ ) >/dev/null 2>/dev/null
+ result="$?"
+ if ! test "$result" -eq "$expected" ; then
+ echo "failure: validate \"$value\" $expected -> got $result"
+ fi
+}
+
+check_validate "" 1
+check_validate "0" 0
+check_validate "9" 0
+check_validate "-0" 0
+check_validate "-9" 0
+check_validate "10" 0
+check_validate "19" 0
+check_validate "-10" 0
+check_validate "-19" 0
+check_validate " 0" 1
+check_validate "--1" 1
+check_validate "1-" 1
+check_validate "1 || 0" 1
+check_validate '1$(kill -9 $PPID)' 1
+check_validate '2$(id)' 1
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit b7ec6fc7882d999c57ce47fc0b667c2c96647c7c
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon Oct 13 09:34:16 2014 +0200
Shell: Fix internal reference
Spotted by Kamil Dudka.
Also use "double expansion" consistently.
>---------------------------------------------------------------
defensive-coding/en-US/Shell.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml
index 042ac61..f889dc1 100644
--- a/defensive-coding/en-US/Shell.xml
+++ b/defensive-coding/en-US/Shell.xml
@@ -93,7 +93,7 @@ external-program "$arg1" "$arg2"
shell scripts difficult.
</para>
<para>
- Double evaluation can be requested explicitly with the
+ Double expansion can be requested explicitly with the
<literal>eval</literal> built-in command, or by invoking a
subshell with “<literal>bash -c</literal>”. These constructs
should not be used.
@@ -108,8 +108,8 @@ external-program "$arg1" "$arg2"
<emphasis>Arithmetic evaluation</emphasis> is a process by which
the shell computes the integer value of an expression specified
as a string. It is highly problematic for two reasons: It
- triggers double evaluation (see <xref
- linkend="sect-Defensive_Coding-Shell-Arithmetic"/>), and the
+ triggers double expansion (see <xref
+ linkend="sect-Defensive_Coding-Shell-Double_Expansion"/>), and the
language of arithmetic expressions is not self-contained. Some
constructs in arithmetic expressions (notably array subscripts)
provide a trapdoor from the restricted language of arithmetic
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit e23c38377538e4c9f0311347b6fc15b8c1dddd37
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Fri Oct 10 16:44:53 2014 +0200
Shell: Update section on input validation
Also mention safety of [[ $var =~ regexp ]].
>---------------------------------------------------------------
defensive-coding/en-US/Shell.xml | 36 +++++++++++++++++++++---------------
1 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml
index 24554b1..042ac61 100644
--- a/defensive-coding/en-US/Shell.xml
+++ b/defensive-coding/en-US/Shell.xml
@@ -162,6 +162,14 @@ external-program "$arg1" "$arg2"
evaluation, even with integer operators such as
<literal>-eq</literal>.)
</para>
+ <para>
+ The conditional expression
+ “<literal>[[ $</literal><emphasis>variable</emphasis><literal> =~ </literal><emphasis>regexp</emphasis><literal> ]]</literal>”
+ can be used for input validation, assuming that
+ <emphasis>regexp</emphasis> is a constant regular
+ expression.
+ See <xref linkend="sect-Defensive_Coding-Shell-Input_Validation"/>.
+ </para>
</listitem>
<listitem>
<para>
@@ -391,29 +399,27 @@ trap cleanup 0
</para>
<para>
The following construct can be used to check if a string
- “<literal>$value</literal>” is not a non-negative integer.
+ “<literal>$value</literal>” is an integer.
</para>
<informalexample>
<programlisting language="Bash">
-case "$value" in
- *[!0-9]*)
- echo "invalid input value" 1>&2
- exit 1
- ;;
-esac
+if [[ $value =~ ^-?[0-9]$ ]] ; then
+ echo value is an integer
+else
+ echo "value is not an integer" 1>&2
+ exit 1
+fi
</programlisting>
</informalexample>
<para>
- The pattern “<literal>*[!0-9]*</literal>” is not special shell
- syntax—it matches any string which contains arbitrary characters,
- followed by a non-digit, followed by arbitrary characters.
+ Using <literal>case</literal> statements for input validation is
+ also possible, but the pattern language is more restrictive, and
+ it can be difficult to write suitable patterns.
</para>
<para>
- Using <literal>case</literal> statements is the most reliable way
- for performing input validation, although constructing proper
- patterns is difficult. The <literal>expr</literal> external
- command and the built-in operator <literal>=~</literal> can give
- misleading results.
+ The <literal>expr</literal> external command can give misleading
+ results (e.g., if the value being checked contains operators
+ itself) and should not be used.
</para>
</section>
<section id="sect-Defensive_Coding-Shell-Edit_Guard">