[11250] in bugtraq
Re: SGID man
daemon@ATHENA.MIT.EDU (Isaac To)
Wed Aug 4 23:03:51 1999
Message-Id: <7iso61iamx.fsf@ast16.csis.hku.hk>
Date: Tue, 3 Aug 1999 15:30:46 +0800
Reply-To: Isaac To <kkto@CSIS.HKU.HK>
From: Isaac To <kkto@CSIS.HKU.HK>
X-To: Solar Designer <solar@false.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Solar Designer's message of "Sun, 1 Aug 1999 06:37:28 +0400"
>>>>> "Solar" == Solar Designer <solar@false.com> writes:
Solar> I wouldn't normally post this, but while we're on the topic...
Solar> There's an ancient problem with SGID man that I keep seeing on
Solar> various systems. For example, on Red Hat 5.2:
This seems to be a very general problem for programs that want to cache
things but don't want to acquire a new userid. TeX (i.e. MetaFont) comes
close, I think.
Solar> Solutions? We could change the permissions on those directories
Solar> from 775 or 1777 (that's what I've seen on various systems) to
Solar> 770, so that group man is always required. However, doing so
Solar> would break things, as the group is (and should be) dropped for
Solar> many operations. Some changes to the way man works would be
Solar> required to support such restricted permissions.
It seems to be a strange solution to me. I am disallowed to read a
directory since I own files in it. Owning such files is
horrible anyway, especially when quota is enabled.
Solar> A workaround could be to preformat all the man pages as root.
Solar> Finally, we could move to a SUID man, making the binary immutable
Solar> (non-portable, not backup friendly). I don't like any of these.
If your policy is to make every SUID program immutable, being non-portable
is not a problem (whenever you restore a backup, you just make sure every
SUID program becomes immutable before restarting service). Otherwise, it is
not absolutely necessary for the binary to be immutable.
But yes, it is ugly. It might be better if any SGID program is also SUID
nobody, and re-acquires real user privilege only when required. But still,
it is ugly.
Solar> In my opinion, it is time to stop storing preformatted pages. It
Solar> is no longer worth the risk. CPUs got faster, man pages are the
Solar> same.
But to stop storing preprocessed fonts is not an option at all. My Chinese
fonts need hours to get completely processed, and even a regular Chinese
LaTeX source requires half an hour. Preprocessing all fonts in advance is
feasible only to those who want to spare 1G for that purpose.
Isaac.
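
The directory modes discussed in this thread (775, 1777 and the proposed 770), as an added audit example that is not part of the original messages. It assumes the preformatted-page directories are named `cat*` under a given root (an assumption, the thread does not name them), classifies each directory's mode, and lists the UIDs that own files inside; the sample tree is constructed.

```python
import os
import stat
import tempfile

def classify(mode):
    """Map a directory mode onto the cases named in the thread."""
    perms = stat.S_IMODE(mode)
    if perms & stat.S_IWOTH:
        return "world-writable"   # e.g. 1777
    if perms & (stat.S_IROTH | stat.S_IXOTH):
        return "open-to-others"   # e.g. 775
    return "group-only"           # e.g. 770, the proposed restriction

def audit_cache_dirs(root, prefix="cat"):
    """Return {path: (octal mode, class, sorted UIDs owning files inside)}."""
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if not name.startswith(prefix) or not stat.S_ISDIR(st.st_mode):
                continue
            try:
                with os.scandir(path) as entries:
                    owners = sorted({e.stat(follow_symlinks=False).st_uid
                                     for e in entries
                                     if e.is_file(follow_symlinks=False)})
            except PermissionError:
                owners = None  # 770 directory and we are not in the group
            report[path] = (oct(stat.S_IMODE(st.st_mode)),
                            classify(st.st_mode), owners)
    return report

def build_sample():
    """Constructed tree: cache dirs with the modes from the thread (cat* naming assumed)."""
    root = tempfile.mkdtemp(prefix="mancache-")
    for name, mode in (("cat1", 0o775), ("cat5", 0o1777),
                       ("cat8", 0o770), ("man1", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    with open(os.path.join(root, "cat1", "ls.1.gz"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real page")
    return root

if __name__ == "__main__":
    for path, row in sorted(audit_cache_dirs(build_sample()).items()):
        print(path, *row)
```

Any UID in the owner list other than the expected cache owner marks a directory where ordinary users' invocations leave files behind, which is the ownership and quota concern raised in the reply.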