Re: man problem

Olaf Kirch (okir@CALDERA.DE)
Tue, 30 Dec 1997 11:42:10 +0100

On Wed, Dec 24, 1997 at 03:34:46PM -0800, d wrote:
> What a neat little trick. I never thought man would be a security hole.

At least on Linux, it has been several times. Some early versions of
man (running setgid or setuid man) would never revoke privileges when
invoking other programs such as troff.

As recently as a couple of months ago, both man_db-2.3 and man-1.4i had
problems when invoking gzip to uncompress pages. You could force both
of them to invoke a different program, which would run under the gid of
'man'.

The funny thing about running with the privilege of man is that
some Linux distributions had their man directories and a bunch of manpages
group-writable and owned by man.man. This would let you do neat things
like inserting .sy commands into those manpages. Anyone displaying one
of those trojanized manpages would then cause it to be formatted, with
troff executing the .sy command with the credentials of the invoking
user. That's a nice way of collecting setuid shells...

Andries Brouwer quickly released a fixed version (man-1.4j). man_db
never got updated though, AFAIK, even though I contacted the maintainer
a couple of times.

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
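A defensive audit for the two conditions the post describes, group-writable manpage trees and pages carrying command-executing troff requests; this is an added example, not code from the post or from either man implementation. It assumes a POSIX sh with find, grep, gzip and mktemp; the request names beyond .sy are the ones groff refuses in its -S (safer) mode, and the sample man tree is constructed.

```shell
#!/bin/sh
# Added audit helper, not code from the original post. Assumes a POSIX sh
# with find, grep, gzip and mktemp; the sample manpages below are constructed.

# Request names that groff disables in -S (safer) mode because they run
# commands or open files: .sy (the one the post describes), .pi, .open,
# .opena and .pso. Matched only at the start of a line, where troff reads them.
UNSAFE_REQ='^\.(sy|pi|open|opena|pso)([[:space:]]|$)'

# List manpages under DIR that carry one of those requests.
# Compressed (.gz) pages are inflated on the fly so they are not skipped.
find_unsafe_requests() {
    find "$1" -type f | while IFS= read -r f; do
        { case "$f" in
              *.gz) gzip -dc "$f" 2>/dev/null ;;
              *)    cat "$f" ;;
          esac; } | grep -q -E "$UNSAFE_REQ" && printf '%s\n' "$f"
    done
    return 0
}

# List files and directories under DIR that are group- or world-writable:
# the condition that let anyone running with gid 'man' edit the pages.
find_writable_entries() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
    return 0
}

# Build a constructed man tree for demonstration; prints its path.
make_sample_mandir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/man1"
    printf '.TH GOOD 1\n.SH NAME\ngood \\- harmless page\n' > "$d/man1/good.1"
    printf '.TH BAD 1\n.sy id\n.SH NAME\nbad \\- trojaned page\n' > "$d/man1/bad.1"
    printf '.TH BADGZ 1\n.pso date\n' | gzip -c > "$d/man1/badgz.1.gz"
    chmod g+w "$d/man1/bad.1"      # the misconfiguration the post describes
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_mandir)
    echo "pages with unsafe requests:";      find_unsafe_requests "$dir"
    echo "group/world-writable entries:";    find_writable_entries "$dir"
    rm -rf "$dir"
fi
```

Run it against a real tree with `find_unsafe_requests /usr/share/man` and `find_writable_entries /usr/share/man`; any hit from either function deserves a look.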