[11230] in bugtraq
Re: SGID man
daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Tue Aug 3 06:02:56 1999
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------576B684814F1520A7CD46CA"
Message-Id: <37A408AF.58B3DCE4@hem.passagen.se>
Date: Sun, 1 Aug 1999 10:43:27 +0200
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To: Solar Designer <solar@false.com>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
--------------576B684814F1520A7CD46CA
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Solar Designer wrote:
> [ghost@alice ghost]$ man id
> Formatting page, please wait...
> [ghost@alice ghost]$ ls -l /var/catman/cat1/id.1.gz
> -r--rw-r-- 1 ghost man 806 Aug 1 06:14 /var/catman/cat1/id.1.gz
On some systems you can prevent this by making the catman directories
suid to a dummy user. On those systems all files or directories created
in these directories then get owned by this dummy user and not the user
running the command. Patch attached for Linux ext2 to allow suid
directories.

On systems where suid directories do not help, I guess you have no
option but to disable the feature that man saves the preformatted page
when invoked by a user if you do not like users to be able to spoof man
pages. This can be done by removing any suid/sgid bits from
/usr/bin/man, and making sure that the catman directories are not world
writeable.

If you still want to have preformatted pages available for your users,
make the catman directories owned by a dummy user (for example catman),
and run catman as this user to create all preformatted man pages in one
big batch (or man on individual man pages if catman is not available).

You can also make selected trusted users members of the man group to
allow them to generate preformatted man pages when there is a need to.
--
Henrik Nordstrom
--------------576B684814F1520A7CD46CA
Content-Type: text/plain; charset=us-ascii; name="ext2_suid_dir.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="ext2_suid_dir.patch"
--- linux/fs/ext2/ialloc.c.orig Mon Jul 19 00:23:15 1999
+++ linux/fs/ext2/ialloc.c Sun Aug 1 10:37:24 1999
@@ -449,7 +449,12 @@
inode->i_sb = sb;
inode->i_nlink = 1;
inode->i_dev = sb->s_dev;
- inode->i_uid = current->fsuid;
+ if (dir->i_mode & S_ISUID) {
+ inode->i_uid = dir->i_uid;
+ if (S_ISDIR(mode))
+ mode |= S_ISUID;
+ } else
+ inode->i_uid = current->fsuid;
if (test_opt (sb, GRPID))
inode->i_gid = dir->i_gid;
else if (dir->i_mode & S_ISGID) {
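Review bot: In the new `if (dir->i_mode & S_ISUID)` branch the owner is inherited for every inode type, but `mode` is only adjusted when `S_ISDIR(mode)` is true, so nothing in the visible lines clears an S_ISUID bit the caller passed in `mode` for a regular file that now belongs to `dir->i_uid` rather than to its creator. Unless that is handled outside this hunk, strip S_ISUID (and S_ISGID) from `mode` for non-directories whenever the owner is taken from the directory. The new behaviour is also unconditional, while the GRPID behaviour just below is selected with `test_opt (sb, GRPID)`; a comparable mount option, plus a short comment documenting the setuid-directory semantics, would let administrators enable it per filesystem instead of changing every ext2 mount.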
--------------576B684814F1520A7CD46CA--
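The checks described in the message above (no suid/sgid bit on man, no world-writable catman directories, cached pages owned by a dummy user), as an added example that is not part of the original post or patch. The function names and the environment overrides are hypothetical; the two default paths are the ones shown in the thread, and `catman` is the dummy user name the message suggests.

```sh
#!/bin/sh
# Added example: read-only audit of the setup described in the message above.
# The two paths come from the thread; "catman" is the dummy user the post
# suggests. All three are assumptions and can be overridden from the environment.
MAN_BIN="${MAN_BIN:-/usr/bin/man}"
CAT_ROOT="${CAT_ROOT:-/var/catman}"
CAT_OWNER="${CAT_OWNER:-catman}"

# Print the path if the file carries a setuid or setgid bit.
man_has_sbits() {
    find "$1" -prune \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print every directory under the cat tree that is world-writable.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null
}

# Print every entry not owned by the expected user (name or numeric uid).
# If find itself fails (unknown user, missing tree), say so instead of passing.
not_owned_by() {
    find "$1" ! -user "$2" -print 2>/dev/null ||
        echo "(could not check $1 for owner $2)"
}

# Run the three checks; the return status is the number of failed checks.
audit() {
    findings=0
    if [ -n "$(man_has_sbits "$MAN_BIN")" ]; then
        echo "FAIL: $MAN_BIN has a setuid/setgid bit"
        findings=$((findings + 1))
    fi
    ww="$(world_writable_dirs "$CAT_ROOT")"
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable catman directories:"; echo "$ww"
        findings=$((findings + 1))
    fi
    strays="$(not_owned_by "$CAT_ROOT" "$CAT_OWNER")"
    if [ -n "$strays" ]; then
        echo "FAIL: entries not owned by $CAT_OWNER:"; echo "$strays"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no findings"
    return "$findings"
}

# Only audit when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with `--run` as a user who can read the whole cat tree; a page left behind by an ordinary user, like the `id.1.gz` in the quoted listing, shows up under the ownership check.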