From: Nate Williams
Date: Wed, 16 Jan 2002 13:06:20 -0700
To: Robert Watson
Cc: Ruslan Ermilov, Joerg Wunsch, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, arch@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/man/man Makefile man.c src/etc/mtree BSD.local.dist BSD.usr.dist BSD.x11-4.dist BSD.x11.dist
Message-ID: <15429.56636.984304.733778@caddis.yogotech.com>
References: <20020116195429.J13904@sunbay.com>

> > There's still a problem with following symbolic links (please see
> > the PR for an example exploit). I tried a quick patch that should solve
> > this, but Robert Watson pointed out that it is subject to a race between
> > lstat(2)'ting a directory holding a catpage and creating a file in that
> > directory. Unfortunately, O_NOFOLLOW only works for the last component
> > of the pathname passed to open(2). If we could find a solution to this
> > problem, I would be more than happy to restore this functionality of
> > man(1).
>
> Part of the problem here is that man's behavior is very complex, and the
> UNIX inheritance model makes things rather messy. Simply eliminating
> dynamically cached catpages eliminates the risk associated with the model,
> and is my preferred solution. It's not hard to imagine tactics to
> escalate privilege from user man to user root in the event that the man
> program or any children running as uid of man are compromised.

My thinking is that it's just as easy to get root from a normal user as
it is to get it from man, so we're really not gaining a whole lot (from
the point of view of root compromises).

Regardless, there are still other concerns with overwriting files and
such that are annoying, if not necessarily security holes in the sense
of getting root access.

Nate