Re: man problem

Rick Byers (rickb@IAW.ON.CA)
Fri, 26 Dec 1997 13:55:41 -0500

On Wed, 24 Dec 1997, d wrote:

> > I just noticed a problem with the man system (version 2.3.10) on my Linux
> > box: /usr/man contains the .gz'd man pages:
> [...]
> > When I execute man, a temporary file containing the un-zipped manpage is
> > created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
> > e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
> Pretty much the same with unformatted 'roff pages on unix (at least with
> my suns around here; I assume others mostly do the same), with variously
> different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc.
> Another reason to use catman, I guess.
> What a neat little trick. I never thought man would be a security hole.

It will depend on exactly HOW the temporary names are generated. NetBSD
uses a similar formula for the name (man.XXXX), but it's guaranteed to be
unique (mkstemp call) - so if you create the sym-links, it'll just name it
something else. The use of mkstemp over mktemp is also supposed to avoid
the race condition between generating the file name and opening it for


Rick Byers Internet Access Worldwide System Admin
University of Waterloo, Computer Science (905)714-1400
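The distinction Rick draws between a predictable name that is opened later (the mktemp pattern the original report describes) and mkstemp, which picks the name and opens it with O_CREAT|O_EXCL in one step, as an added example that is not part of the original thread. It creates its own private scratch directory under /tmp, writes a constructed "victim" file, places a symlink at the guessable name from the report (zman10849aaa) pointing at it, and then compares three openings: a plain O_CREAT|O_TRUNC open that follows the link and clobbers the victim, an O_CREAT|O_EXCL open that the kernel refuses with EEXIST, and mkstemp, which returns a fresh 0600 regular file under a different name. The function names, the scratch-directory layout and the victim contents are all assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_result {
    int truncating_open_clobbered_victim; /* 1: name-then-open followed the planted link */
    int exclusive_open_refused;           /* 1: O_CREAT|O_EXCL failed with EEXIST */
    int mkstemp_fd_ok;                    /* 1: mkstemp handed back a fresh private file */
    int mkstemp_chose_other_name;         /* 1: generated name differs from the planted one */
};

/* mkstemp pattern: the template is filled in and the file opened with
   O_CREAT|O_EXCL, mode 0600, in one call, so there is no window between
   choosing the name and opening it. We additionally fstat the descriptor
   (never the path) to confirm we hold a regular, single-link, owner-only file. */
int open_private_tempfile(const char *dir, char *path, size_t len) {
    if (snprintf(path, len, "%s/man.XXXXXX", dir) >= (int)len) return -1;
    int fd = mkstemp(path);          /* rewrites the XXXXXX in path */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* mktemp pattern: the caller already chose the name. With O_EXCL the kernel
   refuses any pre-existing path, symlinks included; without it, open() follows
   whatever is sitting at that name. Returns 1 if a file was opened, 0 if the
   open was refused with EEXIST, -1 on any other error. */
int open_predictable_name(const char *path, int exclusive) {
    int flags = O_WRONLY | O_CREAT | (exclusive ? O_EXCL : O_TRUNC);
    int fd = open(path, flags, 0600);
    if (fd < 0) return (errno == EEXIST) ? 0 : -1;
    close(fd);
    return 1;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs the comparison in a private 0700 scratch directory and cleans up after itself. */
struct demo_result run_demo(void) {
    struct demo_result r = {0, 0, 0, 0};
    char dir[] = "/tmp/mandemo.XXXXXX";     /* assumption: /tmp is writable */
    if (mkdtemp(dir) == NULL) return r;

    char victim[256], planted[256], generated[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/zman10849aaa", dir); /* name from the report */

    /* constructed victim file standing in for any file the link could point at */
    FILE *f = fopen(victim, "w");
    if (f) { fputs("secret data\n", f); fclose(f); }   /* 12 bytes */
    symlink(victim, planted);   /* link pre-planted at the guessable name */

    r.truncating_open_clobbered_victim =
        (open_predictable_name(planted, 0) == 1) && (file_size(victim) == 0);
    r.exclusive_open_refused = (open_predictable_name(planted, 1) == 0);

    int fd = open_private_tempfile(dir, generated, sizeof generated);
    r.mkstemp_fd_ok = (fd >= 0);
    r.mkstemp_chose_other_name = (fd >= 0) && (strcmp(generated, planted) != 0);
    if (fd >= 0) { close(fd); unlink(generated); }

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return r;
}

/* Convenience: 1 when every observation matches what the thread predicts. */
int demo_all_ok(void) {
    struct demo_result r = run_demo();
    return r.truncating_open_clobbered_victim && r.exclusive_open_refused &&
           r.mkstemp_fd_ok && r.mkstemp_chose_other_name;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("O_TRUNC open via planted link clobbered victim: %d\n", r.truncating_open_clobbered_victim);
    printf("O_CREAT|O_EXCL open refused (EEXIST):           %d\n", r.exclusive_open_refused);
    printf("mkstemp returned a private regular file:        %d\n", r.mkstemp_fd_ok);
    printf("mkstemp picked a different name:                %d\n", r.mkstemp_chose_other_name);
    return 0;
}
```

The fstat check after mkstemp is the part worth copying into real code: it validates the descriptor actually held rather than the path string, so a later rename or relink of the name cannot change what is being checked.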