Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 8950 - Default /etc/man.config creates catman files owned by normal users
Default /etc/man.config creates catman files owned by normal users
Product: Red Hat Linux
Classification: Retired
Component: man (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
: Security
Depends On:
  Show dependency treegraph
Reported: 2000-01-28 16:10 EST by mcl8
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-01-28 16:10:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description mcl8 2000-01-28 16:10:42 EST
The default /etc/man.config file with RedHat 6.1 (i386) has the FSSTND
option enabled, which tells man to create formatted versions of man pages
and place them in /var/catman/cat* the first time they're accessed by a
user.  These formatted catman files are being created with 0464 permission,
owned by the user who ran the man command and group 'man'.  Each subsequent
access of these man pages is then retrieved from the catman directories.

   Because these catman files are owned by regular users, it's a simple
matter for them to change the permissions on their catman files, and
replace the contents with whatever they choose.  In my opinion, this
constitutes a security problem.  Users can present bogus man page
information to others on the system, and can bypass disk quotas by storing
files in the catman tree.

   As a workaround, you can disable the FSSTND option in /etc/man.config.
Comment 1 Bernhard Rosenkraenzer 2000-08-31 06:12:07 EDT
This is required behavior by the FSSTND and FHS standards.
If you don't like preformatted pages, alias man="man -c".

Note You need to log in before you can comment on or make changes to this bug.