Date:      Thu, 13 Dec 2001 15:38:04 +0200
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Cc:        security@FreeBSD.org, bug-followup@FreeBSD.org
Subject:   Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID:  <20011213153804.A19995@sunbay.com>
In-Reply-To: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au>
References:  <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au>

On Thu, Dec 13, 2001 at 06:13:44PM +1100, Tim J. Robbins wrote:
> 
> The catman system of the man(1) utility included with FreeBSD is
> vulnerable to a whole bunch of attacks whereby the catpage's
> contents can be controlled by an attacker. Discussions of the
> problem:
> http://security-archive.merton.ox.ac.uk/security-audit-199908/
> ("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups)
> http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html
> (more problems)
> 
> >How-To-Repeat:
> There are too many ways to repeat the problem.. here's one:
> $ ln -s /usr/share/man/cat1 cat1
> $ mkdir man1
> $ cd man1
> $ cat >ls.1
> oops! modified
> ^D
> $ cd ..
> $ man -M . ls     
> Formatting page, please wait...Done.
> oops! modified
> 
> >Fix:
> Remove the suid(!) bit from /usr/bin/man.
> 
Unfortunately, removing the SUID bit from man(1) is not possible,
because it is used to create new or update obsolete catpages
in %manpath%/cat%section% directories, which are usually owned
by the user ``man'', except for private user directories.

The patch below doesn't allow man(1) to use its SUID powers
when the catpage's directory is accessed via a symlink.

Index: man.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
retrieving revision 1.49
diff -u -p -r1.49 man.c
--- man.c	2001/09/06 11:54:28	1.49
+++ man.c	2001/12/13 13:28:42
@@ -23,6 +23,7 @@
 #include <sys/param.h>
 #include <ctype.h>
 #include <errno.h>
+#include <libgen.h>
 #ifdef __FreeBSD__
 #include <locale.h>
 #include <langinfo.h>
@@ -1402,19 +1403,24 @@ format_and_display (path, man_file, cat_
 	    {
 
 #ifdef SETUID
-	      seteuid(euid);
-	      found = make_cat_file (path, man_file, cat_file, 1);
-	      seteuid(ruid);
-
-	      if (!found)
-	        {
-		  /* Try again as real user - see note below.
-		     By running with
-		       effective group (user) ID == real group (user) ID
-		     except for the call above, I believe the problems
-		     of reading private man pages is avoided.  */
-		  found = make_cat_file (path, man_file, cat_file, 0);
-	        }
+	      char *cat_dir = dirname(cat_file);
+	      struct stat sb;
+	      if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))
+		{
+		  seteuid(euid);
+		  found = make_cat_file (path, man_file, cat_file, 1);
+		  seteuid(ruid);
+    
+		  if (!found)
+		    {
+		      /* Try again as real user - see note below.
+			 By running with
+			   effective group (user) ID == real group (user) ID
+			 except for the call above, I believe the problems
+			 of reading private man pages is avoided.  */
+		      found = make_cat_file (path, man_file, cat_file, 0);
+		    }
+		}
 #else
 	      found = make_cat_file (path, man_file, cat_file, 0);
 #endif
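Review bot: when the new lstat()/S_ISDIR check fails, the SETUID branch formats nothing at all: neither make_cat_file (path, man_file, cat_file, 1) nor the real-user fallback make_cat_file (path, man_file, cat_file, 0) runs, so `found` keeps whatever value it had and the page is not formatted even unprivileged, whereas the #else path still calls make_cat_file (..., 0) unconditionally. Consider keeping the unprivileged fallback outside the new `if` so that a symlinked cat directory degrades to real-user formatting instead of silently doing nothing. Two smaller points on the same hunk: POSIX allows dirname(3) to modify its argument, so pass a copy of cat_file rather than cat_file itself, which is reused by the make_cat_file calls right after; and lstat(2) on dirname(cat_file) inspects only the last path component, so a symlink in a parent directory still resolves to a real directory and passes the check, and the check is separated in time from the open inside make_cat_file, so it should be treated as a hardening step rather than a complete fix.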


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
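As an added example, not part of this message or of the FreeBSD patch: a check that walks every component of the cat directory path with lstat(2), generalizing the patch's single dirname() test so that a symlink in a parent directory (for instance a symlinked manpath) is refused as well. The fixture directory names and the function names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Return 1 if every component of `path` is a real directory, 0 if any
 * component is a symlink or not a directory, -1 on error.  The patch only
 * lstat()s the last component; this also refuses a symlinked parent. */
int dir_path_has_no_symlink(const char *path)
{
    char buf[1024];
    struct stat sb;
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf) return -1;
    memcpy(buf, path, len + 1);
    for (size_t i = 1; i <= len; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;                          /* still inside a component */
        if (buf[i] == '/' && buf[i - 1] == '/')
            continue;                          /* empty component, "a//b" */
        char saved = buf[i];
        buf[i] = '\0';                         /* lstat() the prefix so far */
        if (lstat(buf, &sb) != 0)
            return -1;
        if (!S_ISDIR(sb.st_mode))
            return 0;                          /* symlink or non-directory */
        buf[i] = saved;
    }
    return 1;
}
/* Constructed fixture in the working directory: real/cat1 is a genuine
 * directory and link -> real is a symlink.  Returns 1 when the checker
 * accepts real/cat1 and rejects link/cat1, -1 if the fixture cannot be built. */
int demo_symlinked_parent(void)
{
    char top[] = "catman.XXXXXX", real[64], lnk[64], cat_real[128], cat_lnk[128];
    if (mkdtemp(top) == NULL) return -1;
    snprintf(real, sizeof real, "%s/real", top);
    snprintf(lnk, sizeof lnk, "%s/link", top);
    snprintf(cat_real, sizeof cat_real, "%s/cat1", real);
    snprintf(cat_lnk, sizeof cat_lnk, "%s/cat1", lnk);
    if (mkdir(real, 0755) || mkdir(cat_real, 0755) || symlink("real", lnk))
        return -1;
    int ok = dir_path_has_no_symlink(cat_real) == 1 && dir_path_has_no_symlink(cat_lnk) == 0;
    rmdir(cat_real); unlink(lnk); rmdir(real); rmdir(top);   /* clean up the fixture */
    return ok;
}
```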
