Date:      Fri, 14 Dec 2001 10:04:00 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Cc:        security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject:   Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID:  <20011214100400.B35094@sunbay.com>
In-Reply-To: <20011214115755.A9872@raven.robbins.dropbear.id.au>
References:  <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> <20011214115755.A9872@raven.robbins.dropbear.id.au>

On Fri, Dec 14, 2001 at 11:57:55AM +1100, Tim J. Robbins wrote:
> On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:
> 
> > Unfortunately, removing SUID bit from man(1) is not possible,
> > because it is used to create new or update obsolete catpages
> > in %manpath%/cat%section% directories which are usually owned
> > by the user ``man'', except private user directories.
> 
> I think that making man sgid man instead of suid man would be a good
> idea also; I remember Red Hat Linux used this same man utility in version 6.2
> and they had it sgid. If an attacker gained uid man through a flaw in the
> utility, they could plant a trojan horse and wait for root to run it.
> 
> I'll check out how it's been done in Red Hat and see if I can come up
> with a patch. I don't think this would break anything.
> 
Our man(1) uses its SUID bit only to write to catpages.

> As for the catman issues, I think it's a flaw in the man utility that
> it trusts the user running the command to format the manual pages.
> I can't think of a good way to fix it.
> 
Yeah, having in mind the other breakage, that the user is allowed
to supply his own ${GROFF_TMAC_PATH}, I think it would be a good
idea to disable this feature of man(1) to create catpages, like
it's done in OpenBSD and probably NetBSD.  Catpages are optional,
and if you have enough disk space, you can set MANBUILDCAT=YES
in your /etc/make.conf, and have ``make world'' build and install
them for you.  Also, we have a ${weekly_catman_enable} feature in
periodic.conf(5).  Removing catpaging feature of man(1) would
allow us to drop its SUIDness completely.

If there are no serious objections, I'm volunteering to do this
job after a 4.5-RELEASE.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
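
An added example, not part of the original message or of FreeBSD's own tools: a shell check for the exposure discussed in this thread, reporting whether a man(1) binary carries set-id bits and which cat* directories under a manpath are owned by the account it is setuid to. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the privilege man(1) carries
# and the catpage directories that privilege owns.

# Print which set-id bits a file has: setuid, setgid, setuid+setgid or none.
priv_bits() {
    if [ -u "$1" ] && [ -g "$1" ]; then echo "setuid+setgid"
    elif [ -u "$1" ]; then echo "setuid"
    elif [ -g "$1" ]; then echo "setgid"
    else echo "none"
    fi
}

# List cat* directories directly under manpath $2 owned by user $1
# (name or numeric uid). These are what a setuid man(1) can rewrite.
cat_dirs_owned_by() {
    find "$2" -maxdepth 1 -type d -name 'cat*' -user "$1" 2>/dev/null | sort
}

# audit_man BINARY OWNER MANPATH...
# Report the binary's set-id bits; if it is setuid, list the catpage
# directories owned by OWNER under each MANPATH.
audit_man() {
    bin=$1 owner=$2
    shift 2
    bits=$(priv_bits "$bin")
    echo "$bin: $bits"
    case $bits in
        setuid*)
            for mp in "$@"; do
                cat_dirs_owned_by "$owner" "$mp" |
                    sed 's|^|  owned by setuid identity: |'
            done ;;
    esac
    return 0
}

# Usage (paths are assumptions): sh audit.sh /usr/bin/man man /usr/share/man
if [ $# -gt 0 ]; then
    audit_man "$@"
fi
```

A result of `none` for the binary is the state the message proposes reaching by removing catpage creation from man(1).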
