From owner-freebsd-security Thu Dec 13 5:41:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 8F58637BDF4; Thu, 13 Dec 2001 05:39:19 -0800 (PST)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBDDc5921525; Thu, 13 Dec 2001 15:38:05 +0200 (EET) (envelope-from ru)
Date: Thu, 13 Dec 2001 15:38:04 +0200
From: Ruslan Ermilov
To: "Tim J. Robbins"
Cc: security@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID: <20011213153804.A19995@sunbay.com>
References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Dec 13, 2001 at 06:13:44PM +1100, Tim J. Robbins wrote:
>
> The catman system of the man(1) utility included with FreeBSD is
> vulnerable to a whole bunch of attacks whereby the catpage's
> contents can be controlled by an attacker. Discussions of the
> problem:
> http://security-archive.merton.ox.ac.uk/security-audit-199908/
> ("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups)
> http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html
> (more problems)
>
> >How-To-Repeat:
> There are too many ways to repeat the problem.. here's one:
> $ ln -s /usr/share/man/cat1 cat1
> $ mkdir man1
> $ cd man1
> $ cat >ls.1
> oops! modified
> ^D
> $ cd ..
> $ man -M . ls
> Formatting page, please wait...Done.
> oops! modified
>
> >Fix:
> Remove the suid(!) bit from /usr/bin/man.
>
Unfortunately, removing the SUID bit from man(1) is not possible, because
it is used to create new or update obsolete catpages in
%manpath%/cat%section% directories, which are usually owned by the user
``man'', except for private user directories.

The below patch doesn't allow man(1) to use its SUID powers when the
catpage's directory is accessed via a symlink.
Index: man.c =================================================================== RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v retrieving revision 1.49 diff -u -p -r1.49 man.c --- man.c 2001/09/06 11:54:28 1.49 +++ man.c 2001/12/13 13:28:42 @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef __FreeBSD__ #include #include @@ -1402,19 +1403,24 @@ format_and_display (path, man_file, cat_ { #ifdef SETUID - seteuid(euid); - found = make_cat_file (path, man_file, cat_file, 1); - seteuid(ruid); - - if (!found) - { - /* Try again as real user - see note below. - By running with - effective group (user) ID == real group (user) ID - except for the call above, I believe the problems - of reading private man pages is avoided. */ - found = make_cat_file (path, man_file, cat_file, 0); - } + char *cat_dir = dirname(cat_file); + struct stat sb; + if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode)) + { + seteuid(euid); + found = make_cat_file (path, man_file, cat_file, 1); + seteuid(ruid); + + if (!found) + { + /* Try again as real user - see note below. + By running with + effective group (user) ID == real group (user) ID + except for the call above, I believe the problems + of reading private man pages is avoided. */ + found = make_cat_file (path, man_file, cat_file, 0); + } + } #else found = make_cat_file (path, man_file, cat_file, 0); #endif Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
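Review bot: In the format_and_display hunk, when the new `lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode)` condition is false, `found` is never assigned inside the SETUID branch, whereas the old code always set it (privileged attempt, then the unprivileged retry); add an `else` that still runs `found = make_cat_file (path, man_file, cat_file, 0);` so a symlinked cat directory degrades to the ordinary unprivileged path instead of leaving `found` at whatever value it held before. Two smaller points: the lstat() is a separate step from the catpage creation that happens later inside make_cat_file, so a directory replaced by a symlink between the check and the open is still followed; opening the catpage with O_NOFOLLOW (and, where available, relative to a directory fd opened with O_NOFOLLOW) makes the check and the use the same operation. Also, dirname(3) is permitted to modify its argument on some implementations, and cat_file is passed on to make_cat_file right afterwards; pass dirname() a copy of cat_file to keep that portable.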
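The report above describes a catpage directory that is really a symlink into /usr/share/man/cat1, and the patch answers it with an lstat() of that directory. As an added example, not code from the patch or from FreeBSD's man(1), the following C program shows the check in the form a privileged catman-style helper can make race-free: the cat directory is opened with O_NOFOLLOW and verified through its fd, and the catpage is then created relative to that fd with openat(2), so no path component is resolved a second time between check and use. It assumes a POSIX system that provides O_NOFOLLOW, O_DIRECTORY and openat(2) (Linux, modern FreeBSD); the function names, the ownership policy (directory owned by the caller, not world-writable) and the temporary tree built by run_demo are constructed for this illustration only.

```c
/* Added example (not from the patch or FreeBSD's man(1)): open the catpage
   directory without following a symlink, verify it through the fd, then create
   the catpage relative to that fd. Assumes POSIX O_NOFOLLOW/O_DIRECTORY/openat. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Split "dir/base" at the last '/'. Returns 0 on success, -1 if the path has
   no directory part or does not fit in dir. Does not modify its input, which
   sidesteps the dirname(3)-may-modify-its-argument portability issue. */
static int split_path(const char *path, char *dir, size_t dirsz, const char **base)
{
    const char *slash = strrchr(path, '/');
    if (slash == NULL)
        return -1;
    size_t n = (slash == path) ? 1 : (size_t)(slash - path);   /* keep "/" for root */
    if (n + 1 > dirsz)
        return -1;
    memcpy(dir, path, n);
    dir[n] = '\0';
    *base = slash + 1;
    return 0;
}

/* Open the directory that will hold cat_file. With O_NOFOLLOW, open(2) fails
   (ELOOP on Linux, EMLINK on FreeBSD) when the last component is a symlink, so
   the "ln -s /usr/share/man/cat1 cat1" layout from the report is refused rather
   than written through. The fd is then checked for ownership and world-
   writability. Returns the directory fd, or -1 if any check fails. */
int open_trusted_cat_dir(const char *cat_file, uid_t expected_owner)
{
    char dir[PATH_MAX];
    const char *base;
    struct stat sb;

    if (split_path(cat_file, dir, sizeof dir, &base) != 0)
        return -1;
    (void)base;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) != 0 || !S_ISDIR(sb.st_mode)
        || sb.st_uid != expected_owner || (sb.st_mode & S_IWOTH)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create or truncate the catpage relative to the already-verified directory
   fd. O_NOFOLLOW here also refuses a symlink planted under the catpage's own
   name. Returns the file fd, or -1. */
int create_cat_file(int dirfd, const char *cat_file)
{
    char dir[PATH_MAX];
    const char *base;

    if (split_path(cat_file, dir, sizeof dir, &base) != 0)
        return -1;
    return openat(dirfd, base, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
}

/* Demonstration on a constructed temporary tree:
     <tmp>/real_cat1                a real directory owned by the caller
     <tmp>/link_cat1 -> real_cat1   a symlinked cat directory, as in the report
   Returns 1 when the real directory is accepted, a catpage can be created in
   it, and the symlinked directory is refused; 0 otherwise. */
int run_demo(void)
{
    char tmpl[] = "/tmp/catman_demo.XXXXXX";
    char real[PATH_MAX], lnk[PATH_MAX], real_page[PATH_MAX], link_page[PATH_MAX];
    int ok = 0;

    char *root = mkdtemp(tmpl);
    if (root == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/real_cat1", root);
    snprintf(lnk, sizeof lnk, "%s/link_cat1", root);
    snprintf(real_page, sizeof real_page, "%s/ls.1", real);
    snprintf(link_page, sizeof link_page, "%s/ls.1", lnk);

    if (mkdir(real, 0755) == 0 && symlink("real_cat1", lnk) == 0) {
        int dfd = open_trusted_cat_dir(real_page, getuid());
        int via_link = open_trusted_cat_dir(link_page, getuid());
        int ffd = (dfd >= 0) ? create_cat_file(dfd, real_page) : -1;
        ok = (dfd >= 0 && via_link < 0 && ffd >= 0);
        if (ffd >= 0) close(ffd);
        if (dfd >= 0) close(dfd);
        if (via_link >= 0) close(via_link);
    }
    /* remove the constructed tree again */
    unlink(real_page);
    unlink(lnk);
    rmdir(real);
    rmdir(root);
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("real cat directory accepted, symlinked one refused: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The difference from the patch's lstat() is that the open(2) with O_NOFOLLOW is both the check and the handle used afterwards, so a directory swapped for a symlink after the check cannot redirect the write; the ownership and S_IWOTH tests on the fd are an additional policy a setuid helper would normally want before writing with elevated privileges.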