From owner-freebsd-bugs Wed Jul 10 13:41:41 1996 Return-Path: owner-bugs Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA11700 for bugs-outgoing; Wed, 10 Jul 1996 13:41:41 -0700 (PDT) Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA11694 for ; Wed, 10 Jul 1996 13:41:36 -0700 (PDT) Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id GAA25744; Thu, 11 Jul 1996 06:40:03 +1000 Date: Thu, 11 Jul 1996 06:40:03 +1000 From: Bruce Evans Message-Id: <199607102040.GAA25744@godzilla.zeta.org.au> To: freebsd-bugs@freefall.freebsd.org, j@uriah.heep.sax.de Subject: Re: gnu/1379: Man command problem, when it writes into symlinked dir Sender: owner-bugs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > As Masafumi NAKANE wrote: > > > The man command doesn't check the owner of the symbolic link when it > > writes the formatted man page out to symlinked cat? directory. > > The man command itself does not need to check anything (except for > deciding whether it should present the message ``Formatting man > page.'') Yes it does. It's setuid man and needs to check for security holes such as the one given in detail in the PR. It assumes that writing in the system cat directories is OK because the source file must be in a system man directory, but the PR shows how to have the source in a user directory. > otherwise it simply can't do it. It's not running setuid root, and it > never did. It runs as setuid man, and usually did, except last month in -current, when setuid'ness was turned off. > Btw., symlinks don't have an owner or other attributes. What you see > as their owner is the ownership and permission of their parent > directory, but it's entirely meaningless as long as the *target* of > the symlink is concerned. Yes, the cause of problem is different from the one reported. `man' probably needs to switch to the user's id unless both the source and the target directories are in trusted places. This may involve eliminating symlinks. Bruce