> > I just noticed a problem with the man system (version 2.3.10) on my Linux
> > box: /usr/man contains the .gz'd man pages:
> [...]
> > When I execute man, a temporary file containing the un-zipped manpage is
> > created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
> > e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
>
> Pretty much the same with unformatted 'roff pages on unix (at least with
> my suns around here; I assume others mostly do the same), with variously
> different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc.
> Another reason to use catman, I guess.
>
> What a neat little trick. I never thought man would be a security hole.
It will depend on exactly HOW the temporary names are generated. NetBSD
uses a similar formula for the name (man.XXXX), but it's guaranteed to be
unique (mkstemp call) - so if you create the sym-links, it'll just name it
something else. The use of mkstemp over mktemp is also supposed to avoid
the race condition between generating the file name and opening it for
writing.
Rick
=========================================================================
Rick Byers Internet Access Worldwide
rickb@iaw.on.ca System Admin
University of Waterloo, Computer Science (905)714-1400
http://www.iaw.on.ca/rickb/ http://www.iaw.on.ca/
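Rick's point about mkstemp(3) versus mktemp(3), as an added C example that is not code from the thread or from any of the man implementations discussed: the name is chosen and the file created in one atomic O_CREAT|O_EXCL step, and the opened descriptor (not the path) is then checked with fstat(2). It assumes a POSIX libc whose mkstemp creates the file mode 0600, a writable /tmp, and a "man.XXXXXX" template modelled on the NetBSD name Rick mentions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<dir>/man.XXXXXX" and let mkstemp(3) pick the unique suffix and
 * create the file in one step (O_CREAT|O_EXCL, mode 0600). A pre-planted
 * symlink with the same name is not followed; mkstemp tries another suffix.
 * Returns an open fd (>= 0) and fills path, or -1 on failure. */
int open_private_tmp(const char *dir, char *path, size_t pathlen)
{
    if (snprintf(path, pathlen, "%s/man.XXXXXX", dir) >= (int)pathlen)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    return fd;
}

/* Check the descriptor, not the path (the path can be swapped underneath
 * us): regular file, owned by us, a single link, no group/other bits. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create, verify, write to, and remove one temp file in dir (constructed
 * demo flow). Returns 1 on success, 0 if the opened file failed the
 * fstat checks, -1 if it could not be created (e.g. dir does not exist). */
int tmp_roundtrip(const char *dir)
{
    char path[512];
    int fd = open_private_tmp(dir, path, sizeof path);
    if (fd < 0)
        return -1;
    int ok = fd_is_private_regular(fd);
    if (ok)
        ok = write(fd, "unpacked page\n", 14) == 14;
    close(fd);
    unlink(path);            /* remove by name once we are done with it */
    return ok ? 1 : 0;
}
```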