[674] in linux-security and linux-alert archive
[linux-security] Trojan manpages summary and suggestions
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Apr 17 03:44:14 1996
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 17 Apr 1996 00:15:13 +0200
From: Olaf Kirch <okir@monad.swb.de>
Hi all,
Since the discussion is starting to repeat itself, I think it may be
useful to summarize at this point what we have so far (gleaned from the
list and some private email exchange).
* .sy (and .pi, used to pipe stuff into a command) have been around
for a long time, and are documented in the AT&T troff user's
manual. groff adds its own set of potentially dangerous commands:
.open and .opena which let you open a file for writing (documented
in gtroff(1)), and .pso (pipe source, read from a shell command).
These commands do have legitimate uses. The psfig macro package,
for instance, has to run the psbb command to find the bounding box
of a postscript image; .open and .sy are used by GNU mm macros
to produce cross-references.
* There are two problems with man: On one hand, if man fails to
reset euid and/or egid, users may be able to write to files
owned by the man user or group. This may even be true for the man
binary itself if it runs groff under the man uid, or if it runs
groff under the man gid and /usr/bin/man is group-writable. The
solution to this one is to reset uid/gid properly.
The second problem is that manpages may contain evil commands that
compromise the account of whoever happens to format them.
* As far as trojan manpages are concerned, you can remove potentially
dangerous commands by adding the following to
/usr/lib/groff/tmac/tmac.andoc and .../tmac.an:
.rm sy
.rm pi
.rm open
.rm opena
Note that this alone does not plug the hole if you're not fixing
the setgid problem at the same time; users can ask groff to
read its macro packages from an alternative directory by setting
the GROFF_TMAC_PATH environment variable.
Things get a little complicated with gpic. It has a directive
named `sh' that (you guessed it) will run a shell command.
By default, man doesn't run this command, but man_db has one
helpful feature that lets you request the set of preprocessors
by adding a special comment in the first line of the file ('\" ).
The fix is to make man run pic with the -S (`safer') flag.
* man is not the only application that might be affected by troff
trojans. Although they may not be widely used, there are *roff
MIME types; if you have those in your mailcap file(s), remove them.
Disclaimer: this list may be incomplete.
If anyone thinks that this is reminiscent of the ghostscript hole a while
ago, I'll agree instantly:-)
Cheers
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
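An added example, not part of Olaf's message and not code from groff or man: a small Python scanner that applies the list above to manpage source. It flags control lines that invoke the requests named in the message (.sy, .pi, .open, .opena, .pso), flags a `sh` line inside a pic block, notes when the man_db first-line comment requests pic, and checks a tmac file for the four .rm lines. The sample manpage and tmac fragment are constructed for the example; the function names are my own.

```python
"""Heuristic scanner for the troff/groff requests listed in the message above.

Constructed example; the request names come from the message, the rest is an
assumption about how a defender might audit a manpage tree before formatting it.
"""
import re

# Requests from the message that run commands or write files (groff adds
# open/opena/pso; sy and pi are classic troff).
DANGEROUS_REQUESTS = {"sy", "pi", "open", "opena", "pso"}

# A control line: '.' or "'" in column 1, optional blanks, then the request name.
# The '\" preprocessor comment does not match because '\' is not a letter.
REQUEST_RE = re.compile(r"^[.']\s*([A-Za-z]+)")

# pic's shell directive, only meaningful between .PS and .PE
PIC_SH_RE = re.compile(r"^\s*sh\s*(\{|<|\b)")


def preprocessors_requested(first_line):
    """Letters from a man_db first-line comment such as '\\" tp (t=tbl, p=pic)."""
    m = re.match(r"^'\\\"\s*([A-Za-z]*)", first_line)
    return set(m.group(1)) if m else set()


def scan_manpage(text):
    """Return (line_number, kind, detail) tuples for suspicious constructs."""
    findings = []
    lines = text.splitlines()
    if lines and "p" in preprocessors_requested(lines[0]):
        findings.append((1, "preprocessor",
                         "first-line comment requests pic; run pic with -S"))
    in_pic = False
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if m:
            name = m.group(1)
            if name == "PS":
                in_pic = True
            elif name == "PE":
                in_pic = False
            if name in DANGEROUS_REQUESTS:
                findings.append((n, "request", "." + name))
            continue
        if in_pic and PIC_SH_RE.match(line):
            findings.append((n, "pic", "sh directive inside .PS/.PE"))
    return findings


def missing_rm_lines(tmac_text):
    """Which of the four .rm lines from the message are absent from a tmac file."""
    present = {m.group(1) for m in re.finditer(r"^\.\s*rm\s+(\w+)", tmac_text, re.M)}
    return sorted({"sy", "pi", "open", "opena"} - present)


# Constructed sample manpage exercising each construct the scanner knows about.
SAMPLE_MANPAGE = r"""'\" p
.TH SAMPLE 1
.SH NAME
sample \- constructed test input, not a real manpage
.sy echo this-would-run-under-troff
.open out /tmp/example-output
.PS
sh { echo this-would-run-under-pic }
.PE
.pso echo this-would-be-read-as-input
.SH DESCRIPTION
Ordinary text is ignored by the scanner.
"""

# Constructed tmac fragment with only one of the four removals applied.
SAMPLE_TMAC = ".\\\" partial hardening\n.rm sy\n"

if __name__ == "__main__":
    for n, kind, detail in scan_manpage(SAMPLE_MANPAGE):
        print(f"line {n}: {kind}: {detail}")
    print("tmac still missing:", missing_rm_lines(SAMPLE_TMAC))
```

The scanner is a triage aid, not a substitute for the fixes in the message: it reads only literal control lines, so it does not follow macro definitions, aliases or files pulled in from elsewhere, and a clean tmac file is no protection while GROFF_TMAC_PATH can still point groff at a user-supplied macro directory under a setgid man.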