Subject: Error in default /etc/man.config
From: Rich Lafferty (rich@alcor.concordia.ca)
Date: Wed Mar 15 2000 - 09:21:37 MST
Hullo, all.
I noticed a problem with the default /etc/man.config in
CS-1.2. There's no entry for $CAT in man.config; this means that any
uncompressed manpages on your system will be executed. man -d shows
that man executes:
(cd /usr/man ; (echo -e ".pl 1100i"; $CAT /path/to/uncompressed/manpage.n;
echo ".pl \n(nlu+10") | $TBL | $NROFF | $COMPRESS > /var/catman/catn/manpage.n.gz)
leaving $CAT blank as in the default configuration gives
(cd /usr/man ; (echo -e ".pl 1100i"; /path/to/uncompressed/manpage.n;
echo ".pl \n(nlu+10") | $TBL | $NROFF | $COMPRESS > /var/catman/catn/manpage.n.gz)
which, obviously, is trying to run /path/to/uncompressed/manpage.
Small annoyance: Any uncompressed manpages won't be viewable.
Larger annoyance: Programs ending up in manual directories will be
executed. Luckily, man drops privileges by this point; but even still,
if a user has "." in their path, then man will happily check ./man/*
for manual pages.
Chance of being exploited is rare, but the obvious one seems to be
making /tmp/man/* for things that don't have manual pages, or common
misspellings -- i.e., values of foo where you expect people to type
'man foo' and there is no manpage for foo -- where each "manual page"
is a shell script that makes a setuid-that-user shell somewhere.
-Rich
-- 
Rich Lafferty
Sysadmin/Programmer, Instructional and Information Technology Services
Concordia University, Montreal, QC (514) 848-7625
rich@alcor.concordia.ca
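
The check below is an added example, not part of the original post or of the man package. It audits a man.config-style file for the missing CAT entry described above and tests whether a PATH string includes the current directory. The function names, the sample files and the assumed "DIRECTIVE command" line format are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a man.config-style file.
# Assumed format: "DIRECTIVE <command> [args]" per line, '#' starts a comment.

# Print the command configured for CAT (nothing if the entry is absent or blank).
cat_directive() {
    awk '$1 == "CAT" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# 0: CAT names an absolute path; 1: entry missing or blank; 2: not an absolute path.
check_man_config() {
    cmd=$(cat_directive "$1")
    case "${cmd%% *}" in
        "") echo "$1: no CAT entry, uncompressed pages would be run as commands"; return 1 ;;
        /*) echo "$1: CAT is '$cmd'"; return 0 ;;
        *)  echo "$1: CAT '$cmd' is not an absolute path"; return 2 ;;
    esac
}

# 0 if a PATH-style string contains "." or an empty element (both mean the
# current directory), 1 otherwise.
path_has_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample configs; the second mirrors the default described in the post.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'NROFF\t/usr/bin/groff -Tascii -mandoc\nCAT\t/bin/cat\n' > "$dir/good.config"
    printf 'NROFF\t/usr/bin/groff -Tascii -mandoc\n# CAT\t/bin/cat\n' > "$dir/default.config"
    for f in "$dir/good.config" "$dir/default.config"; do
        check_man_config "$f" || true
    done
    path_has_cwd "$PATH" && echo 'PATH includes the current directory'
    rm -rf "$dir"
    return 0
}
demo
```

To audit a real system, call check_man_config /etc/man.config in place of demo.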
This archive was generated by hypermail 2a24 : Sun Apr 02 2000 - 21:05:02 MDT