From owner-freebsd-security Fri Dec 14 00:04:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 3D94737B416; Fri, 14 Dec 2001 00:04:14 -0800 (PST)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBE840R37042; Fri, 14 Dec 2001 10:04:00 +0200 (EET) (envelope-from ru)
Date: Fri, 14 Dec 2001 10:04:00 +0200
From: Ruslan Ermilov
To: "Tim J. Robbins"
Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID: <20011214100400.B35094@sunbay.com>
References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> <20011214115755.A9872@raven.robbins.dropbear.id.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011214115755.A9872@raven.robbins.dropbear.id.au>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Dec 14, 2001 at 11:57:55AM +1100, Tim J. Robbins wrote:
> On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:
>
> > Unfortunately, removing SUID bit from man(1) is not possible,
> > because it is used to create new or update obsolete catpages
> > in %manpath%/cat%section% directories which are usually owned
> > by the user ``man'', except private user directories.
>
> I think that making man sgid man instead of suid man would be a good
> idea also; I remember Red Hat Linux used this same man utility in version 6.2
> and they had it sgid. If an attacker gained uid man through a flaw in the
> utility, they could plant a trojan horse and wait for root to run it.
>
> I'll check out how it's been done in Redhat and see if I can come up
> with a patch.

I don't think this would break anything.

> Our man(1) uses its SUID bit only to write to catpages.
> As for the catman issues, I think it's a flaw in the man utility that
> it trusts the user running the command to format the manual pages.
> I can't think of a good way to fix it.

Yeah, having in mind the other breakage, that the user is allowed to
supply his own ${GROFF_TMAC_PATH}, I think it would be a good idea to
disable this feature of man(1) to create catpages, like it's done in
OpenBSD and probably NetBSD. Catpages are optional, and if you have
enough disk space, you can set MANBUILDCAT=YES in your /etc/make.conf,
and have ``make world'' build and install them for you. Also, we have
a ${weekly_catman_enable} feature in periodic.conf(5).

Removing the catpaging feature of man(1) would allow us to drop its
SUIDness completely.

If there are no serious objections, I'm volunteering to do this job
after a 4.5-RELEASE.

Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
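The thread turns on two facts an administrator can check locally: whether man(1) still carries a set-id bit, and whether the cat%section% directories it writes into can be modified by anyone other than their owner (the "plant a trojan and wait for root" scenario Tim describes). The following audit script is an added example, not part of the original thread or of FreeBSD's man(1); it assumes a POSIX sh with a POSIX find(1), and the man binary and cat directory paths passed on the command line are the caller's own.

```sh
#!/bin/sh
# Added example: audit the catpage trust model discussed in the thread.
# Not code from the original mail thread or from FreeBSD; assumes POSIX
# sh and POSIX find(1). Paths are supplied by the caller.

# audit_man_setid BINARY
# Report whether BINARY is setuid, setgid, or neither. find(1) with -prune
# evaluates only the named path, so this works on a single file.
audit_man_setid() {
    bin=$1
    if [ -n "$(find "$bin" -prune -perm -4000 2>/dev/null)" ]; then
        echo setuid
    elif [ -n "$(find "$bin" -prune -perm -2000 2>/dev/null)" ]; then
        echo setgid
    else
        echo none
    fi
}

# count_writable_catpages DIR
# Count regular files under DIR that are group- or world-writable. A
# catpage that anyone but its owner can replace is one root may later
# read through man(1), which is the exposure the thread is about.
count_writable_catpages() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# list_writable_catpages DIR
# Same test as above, but print the offending paths for remediation.
list_writable_catpages() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# audit_report BINARY CATDIR...
# Human-readable summary over one binary and any number of cat directories.
# Returns 1 if anything worth acting on was found, 0 otherwise.
audit_report() {
    bin=$1; shift
    rc=0
    mode=$(audit_man_setid "$bin")
    printf '%s: set-id mode = %s\n' "$bin" "$mode"
    [ "$mode" = none ] || rc=1
    for d in "$@"; do
        [ -d "$d" ] || continue
        n=$(count_writable_catpages "$d")
        printf '%s: %s group/other-writable catpage(s)\n' "$d" "$n"
        [ "$n" -eq 0 ] || rc=1
    done
    return $rc
}

# Usage (paths are the caller's own):
#   audit_report /usr/bin/man /usr/share/man/cat*
if [ "$#" -gt 0 ]; then
    audit_report "$@"
fi
```

Run it with the path of the man binary followed by the cat directories the manpath contains; a non-zero exit means either the binary is still set-id or at least one catpage is writable by someone other than its owner. After the change Ruslan proposes (no catpage creation, no SUID bit), the first line of the report should read `none` and the count lines should stay at zero regardless of who runs man(1).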