Date: Thu, 13 Dec 2001 17:10:01 -0800 (PST)
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID: <200112140110.fBE1A1B08024@freefall.freebsd.org>

The following reply was made to PR bin/32791; it has been noted by GNATS.

From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 11:57:55 +1100

On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:
> Unfortunately, removing SUID bit from man(1) is not possible,
> because it is used to create new or update obsolete catpages
> in %manpath%/cat%section% directories which are usually owned
> by the user ``man'', except private user directories.

I think that making man sgid man instead of suid man would be a good idea
also; I remember Red Hat Linux used this same man utility in version 6.2
and they had it sgid. If an attacker gained uid man through a flaw in the
utility, they could plant a trojan horse and wait for root to run it.
I'll check out how it's been done in Red Hat and see if I can come up with
a patch. I don't think this would break anything.

As for the catman issues, I think it's a flaw in the man utility that it
trusts the user running the command to format the manual pages. I can't
think of a good way to fix it.

Tim