Bug 8950 - Default /etc/man.config creates catman files owned by normal users
Summary: Default /etc/man.config creates catman files owned by normal users
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: man
Version: 6.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-01-28 21:10 UTC by mcl8
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-01-28 21:10:42 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description mcl8 2000-01-28 21:10:42 UTC 
The default /etc/man.config file with RedHat 6.1 (i386) has the FSSTND
option enabled, which tells man to create formatted versions of man pages
and place them in /var/catman/cat* the first time they're accessed by a
user.  These formatted catman files are being created with 0464 permission,
owned by the user who ran the man command and group 'man'.  Each subsequent
access of these man pages is then retrieved from the catman directories.

   Because these catman files are owned by regular users, it's a simple
matter for them to change the permissions on their catman files, and
replace the contents with whatever they choose.  In my opinion, this
constitutes a security problem.  Users can present bogus man page
information to others on the system, and can bypass disk quotas by storing
files in the catman tree.

   As a workaround, you can disable the FSSTND option in /etc/man.config.
Comment 1 Bernhard Rosenkraenzer 2000-08-31 10:12:07 UTC 
This is required behavior by the FSSTND and FHS standards.
If you don't like preformatted pages, alias man="man -c".
Note You need to log in before you can comment on or make changes to this bug.