Bug 18668 - users may control contents of catman pages
Summary: users may control contents of catman pages
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: man   
Version: 6.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: Aaron Brown
Keywords: Security
Depends On:
Reported: 2000-10-09 02:59 UTC by Tim
Modified: 2007-04-18 16:29 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-10-09 02:59:19 UTC


Description Tim 2000-10-09 02:59:14 UTC
1) GROFF_TMAC_PATH is a colon-separated list of directories to search for 
the macro files in, and man does nothing to stop this getting passed to 
groff. By creating their own macros, groff can be made to write arbitrary 
data to the catman page. 

2) GZIP environment variable can contain options to gzip, which is used to 
compress the catpages. This can be used to write garbage to the catpage or 
to cause other strange results. 

3) The directory it uses to place catfiles follows symlinks. For example: 
+ cat1 -> /var/catman/cat1 
+ man1 
|- ls.1 

man -M . -c 1 ls 

Will read the ls.1 manpage from ./man1/ls.1 and write it to 

4) Race conditions on the cat file. I'm not going to give examples of 
where this occurs because it occurs just about everywhere.
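
The checks that items 1 to 3 call for, as an added example in C that is not code from man or from this report: it removes the two variables before helpers run, and opens the cat directory and cat file without following symlinks. The function names and the `.`/`cat1` defaults in `main` are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables named in items 1 and 2 of the report. */
static const char *const helper_vars[] = { "GROFF_TMAC_PATH", "GZIP", NULL };

/* Remove them before running groff or gzip; returns how many were set. */
int scrub_helper_env(void)
{
    int removed = 0;
    for (size_t i = 0; helper_vars[i] != NULL; i++) {
        if (getenv(helper_vars[i]) != NULL && unsetenv(helper_vars[i]) == 0)
            removed++;
    }
    return removed;
}

/* Open man_root/section_dir (e.g. "cat1") without following a symlink in
 * the final component. Returns a directory fd, or -1 on refusal/error. */
int open_cat_dir(const char *man_root, const char *section_dir)
{
    if (strchr(section_dir, '/') != NULL)
        return -1;               /* single path component only */
    int root = open(man_root, O_RDONLY | O_DIRECTORY);
    if (root < 0)
        return -1;
    int dir = openat(root, section_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    close(root);
    return dir;
}

/* Create the cat file inside the verified directory. O_EXCL fails if the
 * name already exists, symlink or not, instead of writing through it. */
int create_cat_file(int cat_dir_fd, const char *name)
{
    return openat(cat_dir_fd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : ".";   /* like man -M <dir> */
    printf("scrubbed %d variable(s)\n", scrub_helper_env());
    int dir = open_cat_dir(root, "cat1");
    puts(dir < 0 ? "cat1 refused (symlink or missing)" : "cat1 is a real directory");
    return dir < 0;
}
```

Run in the directory layout from item 3, `open_cat_dir` refuses the `cat1` symlink; the example does not cover the races in item 4 beyond the exclusive create.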

Comment 1 Bernhard Rosenkraenzer 2000-10-09 09:50:05 UTC
This is impossible to fix. Since the file is generated as user, it is always
writeable by that user.
The only possibility to fix this would be making man setuid root, which would
enable much much bigger security issues.
If you want to be sure nobody plays with the catman pages, use man -c or disable
catman pages in /etc/man.conf.

Comment 2 Bernhard Rosenkraenzer 2000-10-09 09:50:31 UTC
