 | | 7. | | Catch or ignore all signals. As mentioned in the previous rule, an attacker can use some signals (stop and continue, in that case) to confuse your program. She can let your program check that everything is “right” before doing something, stop the program, change things around so they are no longer “right,” and then let the program continue. Set-user-id and set-group-id programs should catch or ignore all signals possible. At the very minimum, the following signals should be caught or ignored: SIGHUP, SIGINT, SIGQUIT, SIGILL, SIGTRAP, SIGABRT (SIGIOT), SIGEMT, SIGFPE, SIGBUS, SIGSEGV, SIGSYS, SIGPIPE, SIGALRM, SIGTERM, SIGUSR1, SIGUSR2, SIGPOLL, SIGTSTP, SIGTTIN, SIGTTOU, SIGVTALRM, SIGPROF, SIGXCPU, SIGXFSZ. | |
|