Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 14 Dec 2001 09:56:19 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        "Tim J. Robbins" <tim@robbins.dropbear.id.au>, security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject:   Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID:  <20011214095619.A35094@sunbay.com>
In-Reply-To: <20011213160713.GA45527@nagual.pp.ru>
References:  <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> <20011213160713.GA45527@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Thu, Dec 13, 2001 at 07:07:13PM +0300, Andrey A. Chernov wrote:
> On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
> 
> > The below patch doesn't allow man(1) to use its SUID powers
> > when the catpage's directory is accessed via symlink.
> 
> It breaks private cat pages (symlink check must not present for them)
> 
Oops, right, wrongly placed closing brace:

Index: man.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
retrieving revision 1.49
diff -u -p -r1.49 man.c
--- man.c	2001/09/06 11:54:28	1.49
+++ man.c	2001/12/14 07:57:03
@@ -23,6 +23,7 @@
 #include <sys/param.h>
 #include <ctype.h>
 #include <errno.h>
+#include <libgen.h>
 #ifdef __FreeBSD__
 #include <locale.h>
 #include <langinfo.h>
@@ -1402,10 +1403,15 @@ format_and_display (path, man_file, cat_
 	    {
 
 #ifdef SETUID
-	      seteuid(euid);
-	      found = make_cat_file (path, man_file, cat_file, 1);
-	      seteuid(ruid);
-
+	      char *cat_dir = dirname(cat_file);
+	      struct stat sb;
+	      if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))
+		{
+		  seteuid(euid);
+		  found = make_cat_file (path, man_file, cat_file, 1);
+		  seteuid(ruid);
+		}
+    
 	      if (!found)
 	        {
 		  /* Try again as real user - see note below.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011214095619.A35094>