Bug 560362

Summary: Dangerous "rm -fr" and poorly tested makewhatis
Product: [Fedora] Fedora
Reporter: JW <ohtmvyyn>
Component: man
Assignee: Ivana Varekova <varekova>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: varekova
Hardware: All
OS: Linux
Fixed In Version: 1.6f-25.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-02 20:42:21 UTC

Description JW 2010-01-31 08:58:31 UTC
Description of problem:
makewhatis contains this gem:
>
> trap "rm -rf $TMPFILEDIR; exit 255" 1 2 3 15
>
But nowhere is the variable TMPFILEDIR defined.

That means that should somebody for some reason have a TMPFILEDIR=/ defined in their environment then they might lose their entire filesystem!  Or if for some unrelated purpose they have a TMPFILEDIR=/tmp in their environment then they might lose all of /tmp!

And makewhatis runs as root! How does this sort of sloppy coding make its way into "production" code?

Version-Release number of selected component (if applicable):
man-1.6f-22

How reproducible:
Always

Steps to Reproduce:
1. vi /usr/sbin/makewhatis
2. 82G
  
Actual results:
See above

Expected results:
That line should be deleted.

Additional info:
But wait ... there is more.

It is pointless doing a "rm -fr" on $TMPFILE because it is a file not a directory.  It isn't safe practice to go around using "rm -fr" everywhere when a simple "rm -f" is correct.

Also, makewhatis should be re-written in perl because of that horrible, and not very accurate, awk coding (I have already re-written it if you want a copy).
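
The pattern in this report next to a hardened form, as an added example that is not part of the original report or of the man package. The function names, the `whatis.XXXXXX` template and the sample data are constructed for illustration; nothing here runs the unsafe command.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.

# Pattern from the report: the trap string is double-quoted, so $TMPFILEDIR
# is expanded at the moment the trap is registered. The script never assigns
# the variable, so its value comes from the caller's environment.
# This function only prints the command that would be registered.
unsafe_trap_command() {
    printf '%s\n' "rm -rf $TMPFILEDIR; exit 255"
}

# Hardened pattern: the script creates its own temp file, the cleanup names
# only that file, and an inherited TMPFILEDIR plays no part.
safe_run() (
    # Subshell body: traps and variables do not leak into the caller.
    unset TMPFILEDIR
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/whatis.XXXXXX") || exit 1

    cleanup() {
        # rm -f, not rm -rf: the target is a regular file.
        # ${tmpfile:?} aborts instead of expanding to an empty argument.
        rm -f -- "${tmpfile:?}"
    }
    trap cleanup EXIT                  # runs on every exit path
    trap 'exit 255' HUP INT QUIT TERM  # signals 1 2 3 15, routed through EXIT

    printf 'constructed index data\n' > "$tmpfile"
    printf '%s\n' "$tmpfile"           # report the path so removal can be checked
    exit 0
)
```

Calling `safe_run` with `TMPFILEDIR` pointing at a directory leaves that directory untouched and removes only the file the function created.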

Comment 1 Fedora Update System 2010-02-01 10:51:29 UTC
man-1.6f-25.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/man-1.6f-25.fc12

Comment 2 Ivana Varekova 2010-02-01 10:53:12 UTC
Thanks for the report.
The makewhatis script really deserves rewriting, so it will be done soon.
Your version is welcome.

Comment 3 Fedora Update System 2010-02-02 01:13:37 UTC
man-1.6f-25.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update man'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1329

Comment 4 Fedora Update System 2010-02-02 20:42:16 UTC
man-1.6f-25.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.