Date:      Wed, 16 Jan 2002 19:54:29 +0200
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        Joerg Wunsch <j@uriah.heep.sax.de>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, arch@FreeBSD.org
Subject:   Re: cvs commit: src/gnu/usr.bin/man/man Makefile man.c src/etc/mtree BSD.local.dist BSD.usr.dist BSD.x11-4.dist BSD.x11.dist
Message-ID:  <20020116195429.J13904@sunbay.com>
In-Reply-To: <20020116181625.B757@uriah.heep.sax.de>
References:  <20020116132917.K78030@wantadilla.lemis.com> <Pine.NEB.3.96L.1020115224951.59548D-100000@fledge.watson.org> <20020116154210.A74132@uriah.heep.sax.de> <20020116174352.C13904@sunbay.com> <20020116171144.C18043@uriah.heep.sax.de> <20020116183712.G13904@sunbay.com> <20020116181625.B757@uriah.heep.sax.de>

On Wed, Jan 16, 2002 at 06:16:25PM +0100, Joerg Wunsch wrote:
> As Ruslan Ermilov wrote:
> 
> > > ...until the next "make installworld".  That's why i'm asking for
> > > a knob in /etc/make.conf.  setuidperl can get its suid bit `sticky'
> > > by the same way.
> > > 
> > Hmm, can't you live with a custom gnu/usr.bin/man/man/Makefile?  :-)
> 
> Not really.  (OK, i see the smiley. ;-)
> 
> > Not user "man", but the contents of the system manpages.  Try this:
> > 
> > ln -s /usr/bin/true /tmp/troff
> > rm /usr/share/man/cat1/cat.1*
> > /usr/bin/env GROFF_BIN_PATH=/tmp man 1 cat
> 
> OK, someone can cause garbage to go into my cat page.  He could
> pretend that the options "-r" and "-f" to rm(1) would be something
> harmless :).
> 
> Well, i'd like to see two things:
> 
> . Variables like FOO_BIN_PATH need to be ignored when running
>   with raised privileges, no question asked.  We used to ignore
>   LD_LIBRARY_PATH for the same reason.  I hope this is something
>   that is fixable.
> 
Hmm.  In this case, the actual problem is with groff(1).  man(1)
executes groff(1) in secure (-S) mode (actually it is now the
default mode), and the latter should not respect these environment
variables while running in this mode.  I will see tomorrow if this
is easily fixable -- it should be.  OK, one big problem shot.

> . Then turn off the setuid bit, but offer the option to re-enable
>   it for those who value the feature more than the risk, much in
>   the same sense as we do for suidperl (which i still think is a
>   lot less risky than someone (like me :) writing a buggy setuid
>   wrapper in C).
> 
There's still a problem with following symbolic links (please
see the PR for an example exploit).  I tried a quick patch that
should solve this, but Robert Watson pointed out that it is subject
to a race between lstat(2)'ting a directory holding a catpage and
creating a file in that directory.  Unfortunately, O_NOFOLLOW only
works for the last component of the pathname passed to open(2).
If we could find a solution to this problem, I would be more than
happy to restore this functionality of man(1).


Cheers,
Ruslan (who now thinks that the only reliable way to get useful
feedback is to commit something).
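
The race described above, between lstat(2)'ing a directory and creating a file in it, can be closed by opening every path component relative to its parent's descriptor with O_NOFOLLOW. This is an added example, not part of the original message or of man(1): it assumes openat(2) from POSIX.1-2008, which postdates this thread, and `create_nofollow` is a hypothetical name.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create a new file at `path`, refusing a symbolic link in ANY component.
 * Each directory is opened relative to the descriptor of its parent, so a
 * component cannot be swapped for a symlink between a check and its use.
 * Returns a write-only descriptor, or -1 with errno set.
 */
int create_nofollow(const char *path, mode_t mode)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, path);

    int dirfd = open(buf[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;

    for (char *comp = strtok_r(buf, "/", &save); comp != NULL; ) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1, err = EINVAL;   /* ".." is rejected outright */
        if (strcmp(comp, "..") != 0) {
            fd = next != NULL
                /* intermediate component: must be a real directory */
                ? openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)
                /* last component: must not exist yet, never a link target */
                : openat(dirfd, comp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
            err = errno;
        }
        close(dirfd);
        errno = err;
        if (fd < 0 || next == NULL)
            return fd;
        dirfd = fd;
        comp = next;
    }
    close(dirfd);
    errno = EINVAL;                  /* path had no components */
    return -1;
}
```

The errno reported for a symlinked directory component differs between systems, so callers should treat any -1 as a refusal rather than match one specific code.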
