From owner-freebsd-security  Thu Dec 13 23:57:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP
	id 19C2D37B416; Thu, 13 Dec 2001 23:57:07 -0800 (PST)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBE7uJt36213;
	Fri, 14 Dec 2001 09:56:19 +0200 (EET)
	(envelope-from ru)
Date: Fri, 14 Dec 2001 09:56:19 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: "Tim J. Robbins" <tim@robbins.dropbear.id.au>,
	security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID: <20011214095619.A35094@sunbay.com>
References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> <20011213160713.GA45527@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011213160713.GA45527@nagual.pp.ru>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, Dec 13, 2001 at 07:07:13PM +0300, Andrey A. Chernov wrote:
> On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
> 
> > The below patch doesn't allow man(1) to use its SUID powers
> > when the catpage's directory is accessed via symlink.
> 
> It breaks private cat pages (symlink check must not present for them)
> 
Oops, right, wrongly placed closing brace:

Index: man.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
retrieving revision 1.49
diff -u -p -r1.49 man.c
--- man.c	2001/09/06 11:54:28	1.49
+++ man.c	2001/12/14 07:57:03
@@ -23,6 +23,7 @@
 #include <sys/param.h>
 #include <ctype.h>
 #include <errno.h>
+#include <libgen.h>
 #ifdef __FreeBSD__
 #include <locale.h>
 #include <langinfo.h>
@@ -1402,10 +1403,15 @@ format_and_display (path, man_file, cat_
 	    {
 
 #ifdef SETUID
-	      seteuid(euid);
-	      found = make_cat_file (path, man_file, cat_file, 1);
-	      seteuid(ruid);
-
+	      char *cat_dir = dirname(cat_file);
+	      struct stat sb;
+	      if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))
+		{
+		  seteuid(euid);
+		  found = make_cat_file (path, man_file, cat_file, 1);
+		  seteuid(ruid);
+		}
+    
 	      if (!found)
 	        {
 		  /* Try again as real user - see note below.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message