
man/mandb problem -- exploit?



Hi--

My system was recently cracked (my impression was that it happened via
the recent Apache exploit).  Shortly before I reinstalled my system
(with better security), I lost all ability to view man pages.  Typing,
say, 'man man' would bring up a brief message about how it was
reformatting the page, then nothing.

I reinstalled, then installed an improved firewall before
bringing the system back up on the net and doing 'apt-get update;
apt-get dist-upgrade'.  During the dist-upgrade process, I received a
message on the root terminal saying something like 'su session opened
for user man'. I didn't know whether this was relevant, but noted it
in case it had something to do with the man-db exploit, for which
there was a fix released on 12 June.  I also ran the following commands,
as recommended on the man-db exploit page:

  suidregister /usr/lib/man-db/man root root 0755
  suidregister /usr/lib/man-db/mandb root root 0755
  
After the dist-upgrade, I can again no longer view man pages.  As an
ordinary user, a simple man command brings up something like the
following:

Reformatting mpage(1), please wait...
man: can't create /var/cache/man/fsstnd/cat1/393: Permission denied
zsoelim: /tmp/zmanp6L0Cn: No such file or directory
man: can't unlink /var/cache/man/fsstnd/cat1/393: No such file or directory
man: can't remove /tmp/zmanp6L0Cn: No such file or directory

After typing 'man man', a file called man.1.gz appears in
/var/cache/man/cat1, but all it contains is the following text:

------> man.1.gz <------

I purged and reinstalled the packages mandb, manpages, and
manpages-dev, with no luck.  I found a file in /tmp named zmanXXXXX,
where 'XXXXX' was a random string.  When I tried to delete or view
this file, I couldn't, because its name would change as I was trying
to do so, to zmanYYYYY, where 'YYYYY' was another random string.
Rebooting seems to have taken care of this; there are presently no
files in /tmp, but was this normal behaviour, or part of an exploit?

Any recommendations on getting man working on my system again are
welcome.  Be very explicit, however, as I can't use man pages to
clarify any help that is cryptic.  Moreover, does it seem that my
man-db has been cracked?

Thanks...

Ron H-E

p.s. What's with the Debian list archives?  I can neither search nor
browse them.

-- 
    Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game,
     Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
             Ron Hale-Evans ... <http://www.apocalypse.org/~rwhe/>
  rwhe@ludism.org ... Further up and further in! fnord ... rwhe@apocalypse.org




