[670] in linux-security and linux-alert archive
Re: [linux-security] Security problems in RedHat 3.0.3...
daemon@ATHENA.MIT.EDU (Andries.Brouwer@cwi.nl)
Sun Apr 14 09:25:34 1996
Date: Sat, 13 Apr 1996 22:13:20 +0200
From: Andries.Brouwer@cwi.nl
To: R.E.Wolff@et.tudelft.nl, zblaxell@myrus.com
Cc: linux-security@tarsier.cv.nrao.edu
: > Fix 1: make the man program operate setuid instead of setgid. This
: [Unverified rumor]
: Ehm.... while on the subject of "man" bugs, man and/or groff will run
: arbitrary programs under specification of the man-page-writer.......
: Roger.
What is the use of unverified rumours?
What is `man'?
I know of some seven man programs in use under Linux, two in common use.
I maintain one of these - man-1.4* - and am not aware of security-related
bugs (although it is quite possible that some exist).
If anything is wrong, point it out, and it will be corrected.
Andries
[mod: To clarify things a bit: The man program I was referring to in my
previous post was G. Wilford's man_db package; the latest version
(2.3.10) still fails to drop setgid privilege, but works okay for
setuid. Andries' man-1.4f resets both euid and egid. --okir]
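
The moderator's note turns on whether a set-id program gives up its effective gid as well as its effective uid. The following C sketch is an added example, not code from man-1.4 or man_db: it drops both permanently and verifies the result. The function name `drop_privileges` is hypothetical, and the example assumes the drop is meant to be permanent (for instance, before handing control to a formatter or pager).

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-id privilege.
 * Returns 0 on success, -1 if a step fails or the result cannot be verified. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once a privileged euid is gone, the process may no
     * longer be allowed to change its group ids. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Setting the real id also resets the saved id on Linux, so the old
     * effective id cannot be restored afterwards. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Check the outcome instead of trusting the return codes alone. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;

    /* An unprivileged caller must not be able to regain the old ids.
     * (Skipped when the real uid is root, which may set any id.) */
    if (ruid != 0) {
        if (old_egid != rgid && setegid(old_egid) == 0)
            return -1;
        if (old_euid != ruid && seteuid(old_euid) == 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    printf("before: euid=%ld egid=%ld\n", (long)geteuid(), (long)getegid());
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("after:  euid=%ld egid=%ld\n", (long)geteuid(), (long)getegid());
    return 0;
}
```

Installed setgid and run by an ordinary user, the "after" line shows the caller's own gid; a program that only resets the euid would still show the privileged group there.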