From owner-freebsd-security Thu Dec 13 17: 9:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from raven.robbins.dropbear.id.au (066.d.001.mel.iprimus.net.au [203.134.132.66])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1EBC737B41A; Thu, 13 Dec 2001 17:09:34 -0800 (PST)
Received: (from tim@localhost)
	by raven.robbins.dropbear.id.au (8.11.6/8.11.6) id fBE0vux09946;
	Fri, 14 Dec 2001 11:57:56 +1100 (EST)
	(envelope-from tim)
Date: Fri, 14 Dec 2001 11:57:55 +1100
From: "Tim J. Robbins"
To: Ruslan Ermilov
Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID: <20011214115755.A9872@raven.robbins.dropbear.id.au>
References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011213153804.A19995@sunbay.com>; from ru@FreeBSD.ORG on Thu, Dec 13, 2001 at 03:38:04PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:

> Unfortunately, removing SUID bit from man(1) is not possible,
> because it is used to create new or update obsolete catpages
> in %manpath%/cat%section% directories which are usually owned
> by the user ``man'', except private user directories.

I think that making man sgid man instead of suid man would be a good idea
also; I remember Red Hat Linux used this same man utility in version 6.2
and they had it sgid. If an attacker gained uid man through a flaw in the
utility, they could plant a trojan horse and wait for root to run it.
I'll check out how it's been done in Redhat and see if I can come up with
a patch. I don't think this would break anything.

As for the catman issues, I think it's a flaw in the man utility that it
trusts the user running the command to format the manual pages. I can't
think of a good way to fix it.


Tim