Date:      Fri, 14 Dec 2001 00:00:10 -0800 (PST)
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID:  <200112140800.fBE80AR83309@freefall.freebsd.org>

The following reply was made to PR bin/32791; it has been noted by GNATS.

From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: "Tim J. Robbins" <tim@robbins.dropbear.id.au>,
	security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 09:56:19 +0200

 On Thu, Dec 13, 2001 at 07:07:13PM +0300, Andrey A. Chernov wrote:
 > On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
 > 
 > > The below patch doesn't allow man(1) to use its SUID powers
 > > when the catpage's directory is accessed via symlink.
 > 
 > It breaks private cat pages (symlink check must not be present for them)
 > 
 Oops, right, wrongly placed closing brace:
 
 Index: man.c
 ===================================================================
 RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
 retrieving revision 1.49
 diff -u -p -r1.49 man.c
 --- man.c	2001/09/06 11:54:28	1.49
 +++ man.c	2001/12/14 07:57:03
 @@ -23,6 +23,7 @@
  #include <sys/param.h>
  #include <ctype.h>
  #include <errno.h>
 +#include <libgen.h>
  #ifdef __FreeBSD__
  #include <locale.h>
  #include <langinfo.h>
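
Review bot: Only <libgen.h> is added here, but the code introduced later in this patch also uses lstat(), struct stat and S_ISDIR, which need <sys/stat.h>, and that header is not among the includes visible in this context. Please confirm it is already pulled in elsewhere in man.c. Also, dirname() is only called inside the #ifdef SETUID block, so the new include could sit under the same guard to keep non-SETUID builds unchanged.
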
 @@ -1402,10 +1403,15 @@ format_and_display (path, man_file, cat_
  	    {
  
  #ifdef SETUID
 -	      seteuid(euid);
 -	      found = make_cat_file (path, man_file, cat_file, 1);
 -	      seteuid(ruid);
 -
 +	      char *cat_dir = dirname(cat_file);
 +	      struct stat sb;
 +	      if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))
 +		{
 +		  seteuid(euid);
 +		  found = make_cat_file (path, man_file, cat_file, 1);
 +		  seteuid(ruid);
 +		}
 +    
  	      if (!found)
  	        {
  		  /* Try again as real user - see note below.
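
Review bot: The lstat(cat_dir, &sb) test and the privileged make_cat_file() call in the seteuid(euid) block act on a path name at two different moments, so the directory can be swapped for a symlink after the check passes and before the cat file is created; lstat() also examines only the final component of cat_dir, so a symlink higher up the path still passes S_ISDIR. The check would be stronger if it were made on the object that is actually opened (for example fstat() on an already opened descriptor, compared against the lstat() result) rather than on the name. Separately, dirname(cat_file) is handed the same buffer that is later passed to make_cat_file(); POSIX allows dirname() to modify its argument or return static storage, so calling it on a copy of cat_file would be safer. The return values of seteuid(euid) and seteuid(ruid) are not checked, and the added blank line before "if (!found)" carries trailing whitespace.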
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
