Date:      Tue, 15 Jan 2002 06:11:05 -0800 (PST)
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/gnu/usr.bin/man/man Makefile man.c src/etc/mtree BSD.local.dist BSD.usr.dist BSD.x11-4.dist BSD.x11.dist
Message-ID:  <200201151411.g0FEB6H82165@freefall.freebsd.org>

ru          2002/01/15 06:11:05 PST

  Modified files:
    gnu/usr.bin/man/man  Makefile man.c 
    etc/mtree            BSD.local.dist BSD.usr.dist 
                         BSD.x11-4.dist BSD.x11.dist 
  Log:
  Do not install man(1) setuid ``man''.
  
  The catpaging and setuidness features of man(1) combined make
  it vulnerable to a number of security attacks.  Specifically,
  it was possible to overwrite system catpages with arbitrary
  contents by either setting up a symlink to a directory holding
  system catpages, or by writing custom -mdoc or -man groff(1)
  macro packages and setting up GROFF_TMAC_PATH in environment
  to point to them.  (See PR below for details).
  
  This means man(1) can no longer create system catpages on a
  regular user's behalf.  (It is still able to if the user has
  write permissions to the directory holding catpages, e.g.,
  user's own manpages, or if the running user is ``root''.)
  
  To create and install catpages during ``make world'', please
  set MANBUILDCAT=YES in /etc/make.conf.  To rebuild catpages
  on a weekly basis, please set weekly_catman_enable="YES" in
  /etc/periodic.conf.
  
  PR:             bin/32791
  
  Revision  Changes    Path
  1.85      +3 -7      src/etc/mtree/BSD.local.dist
  1.251     +4 -6      src/etc/mtree/BSD.usr.dist
  1.19      +2 -4      src/etc/mtree/BSD.x11-4.dist
  1.16      +2 -4      src/etc/mtree/BSD.x11.dist
  1.33      +1 -4      src/gnu/usr.bin/man/man/Makefile
  1.51      +2 -62     src/gnu/usr.bin/man/man/man.c
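
An audit check for the state this commit describes, added here as an example and not part of the original message or the FreeBSD tree: it reports whether man(1) is still installed setuid and whether the two catpage settings named in the log are enabled. The function names, the ROOT prefix argument and the /usr/bin/man install path are assumptions of this example.

```sh
#!/bin/sh
# Added example (not FreeBSD code). All paths are resolved under a ROOT
# prefix so the check can run against "/" or a mounted image.

# man_is_setuid ROOT: succeeds if ROOT/usr/bin/man carries the setuid bit.
# /usr/bin/man is the assumed install location of man(1).
man_is_setuid() {
    [ -u "$1/usr/bin/man" ]
}

# conf_sets FILE VAR: succeeds if FILE assigns VAR the value YES
# (quoted or not); commented-out assignments do not count.
conf_sets() {
    [ -f "$1" ] || return 1
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?[Yy][Ee][Ss]\"?([[:space:]#]|\$)" "$1"
}

# audit_man ROOT: print findings; return 1 if man(1) is still setuid.
audit_man() {
    root=$1
    status=0
    if man_is_setuid "$root"; then
        echo "FINDING: $root/usr/bin/man is setuid (catpage overwrite exposure)"
        status=1
    else
        echo "ok: $root/usr/bin/man is not setuid"
    fi
    # Without setuid, catpages are only built by these two mechanisms.
    conf_sets "$root/etc/make.conf" MANBUILDCAT ||
        echo "note: MANBUILDCAT=YES not set in $root/etc/make.conf"
    conf_sets "$root/etc/periodic.conf" weekly_catman_enable ||
        echo "note: weekly_catman_enable=\"YES\" not set in $root/etc/periodic.conf"
    return $status
}

# Run the audit when a root prefix is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_man "$1"
fi
```

Run it as `sh audit.sh /` on a live system, or pass the mount point of an image.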
