[673] in linux-security and linux-alert archive


Re: [linux-security] Security problems in RedHat 3.0.3...

daemon@ATHENA.MIT.EDU (Zygo Blaxell)
Tue Apr 16 11:00:24 1996

From: Zygo Blaxell <zblaxell@myrus.com>
To: okir@monad.swb.de (Olaf Kirch)
Date: Mon, 15 Apr 1996 16:28:58 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu, G.Wilford@ee.surrey.ac.uk
In-Reply-To: <m0u8A6T-000HRoC@monad.swb.de> from "Olaf Kirch" at Apr 13, 96 08:31:20 pm

Quoted from Olaf Kirch:
> Rogier Wolff wrote:
> > [Unverified rumor]
> > Ehm.... while on the subject of "man" bugs, man and/or groff will run
> > arbitrary programs under specification of the man-page-writer.......
> 
> That would be a nasty. groff supports the .sy command to run arbitrary
> programs. 

I just checked all of RedHat's man pages; none of them seem to use a .sy
command.  This sounds like a feature we can just patch out of groff and
forget about (except possibly to refuse to process man pages with '.sy'
in them after preprocessing).  We can also assume that system man pages
in root-configured paths are free of .sy directives or at least contain
only harmless ones.

> In combination with being able to do `man ./foo.1' that's a hole
> regardless of whether it's setuid or setgid.

Since the output of ./foo.1 would not be cached in the system's shared
man page cache, it does not need to be formatted with any special
privileges.  The man command would simply drop its privileges and
continue as the invoking user.  Indeed, it tries to do this now, but not
very well.

Remember we are trying to protect the integrity of the shared catman
cache.  Anything else we don't need or want extra privileges for, and we
can let the users run what they like.  However, for the shared catman
cache, the user should have no control over the formatting process other
than to initially invoke it and read its output.



-- 
Zygo Blaxell.  Former Unix/soft/hardware guru, U of Waterloo Computer Science 
Club.  Current sysadmin for Myrus Design, Inc.  10th place, ACM Intl Collegiate
Programming Contest Finals, 1994.  Administer Linux nets for food, clothing, 
and anime.  "I gave up $1000 to avoid working on windoze... *sigh*" - Amy Fong

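The check Zygo proposes (refuse to format a page containing a `.sy` request, so that the only privileged formatting run, the one that fills the shared catman cache, is never handed attacker-chosen roff) is easy to sketch, and just as easy to sketch the reason he qualifies it with "after preprocessing". The following is an added example and not code from the thread, groff or man: it scans roff source for control lines that name an unsafe request, and shows that a raw text scan is defeated by a page that builds the request name out of a string, because groff interpolates `\*s` before it reads the request name. The three man pages are constructed for this example. Going slightly beyond the page, the unsafe set also lists the other requests that current groff's safer mode (`-S`, the default unless `-U` is given) disables alongside `.sy`.

```python
import re

# Constructed sample man pages (not from the page): a benign one, one with
# direct .sy requests, and one that hides the request behind a string.
BENIGN = """.TH FOO 1
.SH NAME
foo \\- do nothing
.SH DESCRIPTION
Nothing to see here.
"""

DIRECT_SY = """.TH EVIL 1
.SH NAME
evil \\- runs a command when formatted
.sy echo pwned > /tmp/pwned
'sy id
.SH DESCRIPTION
Formatting this page runs shell commands.
"""

# groff interpolates \*s before it reads the request name, so the third line
# is ".sy id" at format time even though no literal ".sy" appears in the file.
OBFUSCATED = """.TH SNEAKY 1
.ds s sy
.\\*s id
.SH NAME
sneaky \\- hides the request behind a string
"""

# .sy is the request the thread is about; the others are the remaining
# requests groff's safer mode (-S) refuses, listed here as a generalisation.
UNSAFE_REQUESTS = {"sy", "open", "opena", "pi", "pso"}

# A control line: '.' or "'" in column 1, optional blanks, then the request name.
CONTROL_LINE = re.compile(r"^[.']\s*([A-Za-z0-9]+)")


def find_unsafe_requests(source, unsafe=UNSAFE_REQUESTS):
    """Return (line_number, line) for every control line naming an unsafe request.

    This is a scan of the raw source, i.e. *before* preprocessing, which is
    exactly the weakness the example above named OBFUSCATED exploits.
    """
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = CONTROL_LINE.match(line)
        if m and m.group(1) in unsafe:
            hits.append((n, line))
    return hits


def is_safe_to_format(source):
    """True when a raw scan finds no unsafe request; False is reliable, True is not."""
    return not find_unsafe_requests(source)


if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("direct", DIRECT_SY), ("obfuscated", OBFUSCATED)):
        print(name, "->", find_unsafe_requests(page) or "no .sy found (raw scan)")
```

Run as a script, the direct page is rejected on both of its `.sy` lines, while the obfuscated page passes the raw scan and would still run `id` when groff formats it. That asymmetry is the point of the message: a textual filter on the source is only a backstop, and the fix that actually holds is to take the request away from the formatter (patch `.sy` out, or in current groff simply never pass `-U`) and to format user-supplied pages such as `man ./foo.1` with no privileges at all, reserving the privileged run for pages under root-controlled paths that feed the shared cache.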