1) GROFF_TMAC_PATH is a colon-separated list of directories to search for the macro files in, and man does nothing to stop this getting passed to groff. By creating their own macros, groff can be made to write arbitrary data to the catman page.

2) GZIP environment variable can contain options to gzip, which is used to compress the catpages. This can be used to write garbage to the catpage or to cause other strange results.

3) The directory it uses to place catfiles follows symlinks. For example:

    + cat1 -> /var/catman/cat1
    + man1
      |- ls.1

    man -M . -c 1 ls

Will read the ls.1 manpage from ./man1/ls.1 and write it to /var/catman/cat1/ls.1.gz

4) Race conditions on the cat file. I'm not going to give examples of where this occurs because it occurs just about everywhere.

This is impossible to fix. Since the file is generated as user, it is always writeable by that user. The only possibility to fix this would be making man setuid root, which would enable much much bigger security issues. If you want to be sure nobody plays with the catman pages, use man -c or disable catman pages in /etc/man.config.

s/man.conf/man.config/
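
An added example, not part of the thread and not code from man: a shell check that reports the conditions from items 1 to 3 of the report for a manual tree that would be given to man -M. The function name audit_man_tree and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not man's own code): list the conditions from items 1-3
# of the report for one manual tree. Name and output format are assumptions.
audit_man_tree() {
    tree=$1
    # Items 1 and 2: variables the report says reach groff and gzip.
    for var in GROFF_TMAC_PATH GZIP; do
        eval "val=\${$var-}"
        [ -n "$val" ] && printf 'env %s=%s\n' "$var" "$val"
    done
    # Item 3: catN entries that are symlinks, and where they point.
    for d in "$tree"/cat*; do
        [ -L "$d" ] || continue
        printf 'symlink %s -> %s\n' "$d" "$(readlink "$d")"
    done
    return 0
}

# Audit the tree named on the command line, or the current directory.
audit_man_tree "${1:-.}"
```

Empty output means neither variable is set and no catN directory in the tree is a symlink; item 4 (races on the cat file) is not covered by this check.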