Red Hat Bugzilla – Bug 8950
Default /etc/man.config creates catman files owned by normal users
Last modified: 2008-05-01 11:37:54 EDT
The default /etc/man.config file with RedHat 6.1 (i386) has the FSSTND
option enabled, which tells man to create formatted versions of man pages
and place them in /var/catman/cat* the first time they're accessed by a
user. These formatted catman files are being created with 0464 permission,
owned by the user who ran the man command and group 'man'. Each subsequent
access of these man pages is then retrieved from the catman directories.
Because these catman files are owned by regular users, it's a simple
matter for them to change the permissions on their catman files, and
replace the contents with whatever they choose. In my opinion, this
constitutes a security problem. Users can present bogus man page
information to others on the system, and can bypass disk quotas by storing
files in the catman tree.
As a workaround, you can disable the FSSTND option in /etc/man.config.
This is required behavior by the FSSTND and FHS standards.
If you don't like preformatted pages, alias man="man -c".