From owner-freebsd-bugs  Thu Dec 13 17:10:12 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id A940F37B417
	for <freebsd-bugs@hub.freebsd.org>; Thu, 13 Dec 2001 17:10:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id fBE1A1B08024;
	Thu, 13 Dec 2001 17:10:01 -0800 (PST)
	(envelope-from gnats)
Date: Thu, 13 Dec 2001 17:10:01 -0800 (PST)
Message-Id: <200112140110.fBE1A1B08024@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc: 
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Reply-To: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org

The following reply was made to PR bin/32791; it has been noted by GNATS.

From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 11:57:55 +1100

 On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:
 
 > Unfortunately, removing SUID bit from man(1) is not possible,
 > because it is used to create new or update obsolete catpages
 > in %manpath%/cat%section% directories which are usually owned
 > by the user ``man'', except private user directories.
 
 I think that making man sgid man instead of suid man would be a good
 idea also; I remember Red Hat Linux used this same man utility in version 6.2
 and they had it sgid. If an attacker gained uid man through a flaw in the
 utility, they could plant a trojan horse and wait for root to run it.
 
 I'll check out how it's been done in Redhat and see if I can come up
 with a patch. I don't think this would break anything.
 
 As for the catman issues, I think it's a flaw in the man utility that
 it trusts the user running the command to format the manual pages.
 I can't think of a good way to fix it.
 
 
 Tim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message