Date: Wed, 16 Jan 2002 13:29:17 +1030
From: Greg Lehey <grog@FreeBSD.org>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/man/man Makefile man.c src/etc/mtree BSD.local.dist BSD.usr.dist BSD.x11-4.dist BSD.x11.dist
Message-ID: <20020116132917.K78030@wantadilla.lemis.com>
In-Reply-To: <200201151411.g0FEB6H82165@freefall.freebsd.org>
References: <200201151411.g0FEB6H82165@freefall.freebsd.org>

On Tuesday, 15 January 2002 at  6:11:05 -0800, Ruslan Ermilov wrote:
> ru          2002/01/15 06:11:05 PST
>
>   Modified files:
>     gnu/usr.bin/man/man  Makefile man.c
>     etc/mtree            BSD.local.dist BSD.usr.dist
>                          BSD.x11-4.dist BSD.x11.dist
>   Log:
>   Do not install man(1) setuid ``man''.
>
>   The catpaging and setuidness features of man(1) combined make
>   it vulnerable to a number of security attacks.  ...
>
>   This means man(1) can no longer create system catpages on a
>   regular user's behalf.  (It is still able to if the user has
>   write permissions to the directory holding catpages, e.g.,
>   user's own manpages, or if the running user is ``root''.)

Hmm.  I can see the security implications, but you'd need to
compromise the system in the first place in order to break it, so it's
not the most likely thing on earth.  On the other hand, many people
don't have such extreme security requirements, and they might get a
little upset by the change.

>   To create and install catpages during ``make world'', please set
>   MANBUILDCAT=YES in /etc/make.conf.

This won't help people installing from CD-ROM.  It also takes up a lot
of space.  It would be nice to think of an alternative, like maybe a
private catman directory for non-root users.

Greg
--
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message