Man(1) makes "cat" files with wrong mode and ownership

Joseph S. D. Yao jsdy at hadron.UUCP
Fri Jan 3 12:36:59 AEST 1986


In article <503 at scgvaxd.UUCP> brian at scgvaxd.UUCP (Brian Zill) writes:
>In article <2093 at phri.UUCP> roy at phri.UUCP (Roy Smith) writes:
>>Index:	ucb/man.c 4.2BSD
>>	ucb/Makefile 4.2BSD
>>Description:  When you run "man x" and the cat file has to be made, it is
>>	left with mode 0666, and owned by whoever happened to run man.
>>Fix:  Install the following 2-line patch.  Also, change the Makefile so
>>	man is installed set-uid.  I'll leave it to other, smarter, brains
>>	to figure out if this opens up any security loopholes.
>
>Yes, this is a major security problem.  man calls more to page the longer
>manual entries, and more has a shell escape...  Ta Da!  you're superuser!

This is  n o t  to re-open the discussion, but merely to note that
I still feel that the best thing to do is to have as few things as
possible owned by root and setuid to root.  Best is to have these
things owned by user 'man' (well, 'bin' if you have to, but I don't
like it!).  That way the worst a user can do is to munge the man
pages (or everything owned by 'bin' which is why I don't like the
latter).  Better, of course, to  a l s o  set back to real uid if
you can for every shell escape:
>What we did at Harvey Mudd College where I go to school is to put some
>code in to set the effective uid and gid back to their real values after
>the fork that provides the shell escape in more.
Also better to try to write code that checks permissions for each
step along the way (and, yes, sometimes re-invent the wheel).
-- 

	Joe Yao		hadron!jsdy at seismo.{CSS.GOV,ARPA,UUCP}
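
[Added example, not part of the original post or of the 4.2BSD sources: one way to do what the thread describes, resetting the effective uid and gid to the real ones in the child after the fork and before the shell is exec'ed. The function names and the "/bin/sh -c" invocation are assumptions made for illustration; setregid/setreuid are used so the saved ids are reset as well.]

```c
/* Added example: a pager-style shell escape that gives up set-uid/set-gid
 * privilege in the child before running the user's command. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reset effective (and saved) ids to the real ids. Returns 0 on success. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may no longer be
     * allowed to change the gid. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify rather than trust the return codes. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* An unprivileged user must not be able to get the old euid back. */
    if (ruid != 0 && old_euid != ruid && seteuid(old_euid) == 0) return -1;
    return 0;
}

/* Hypothetical stand-in for the "!command" escape in a pager.
 * Returns the command's exit status, or -1 on failure. */
int shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: never exec a shell while still privileged. */
        if (drop_to_real_ids() != 0) _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("escape exit status: %d\n", shell_escape("id -u; exit 3"));
    return 0;
}
```

[If the drop fails, the child exits with status 126 instead of running the shell, so a failed privilege reset never results in a privileged shell.]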


