
Re: man-db cron.daily job



On Sat, Sep 29, 2001 at 02:42:33AM +0100, Carlos Sousa wrote:
> Colin Watson wrote:
>  > (can't have been any vaguely recent version of man-db, as none of them
>  > run with root privileges ...). man-db can certainly work around it,
> 
> my 'man' apparently runs with root privileges:
> 
> $ ll /usr/lib/man-db
> total 220
> drwxr-xr-x    2 root     root         4096 Sep 26 00:55 ./
> drwxr-xr-x  131 root     root        36864 Sep 26 14:33 ../
> -rwxr-xr-x    1 root     root        90684 Sep 19 02:20 man*     <==
> -rwxr-xr-x    1 root     root        70844 Sep 19 02:20 mandb*
> -rwxr-xr-x    1 root     root         4328 Sep 19 02:20 wrapper*

No, the binary's just owned by root, and isn't setuid. No problem there.

Oh, I guess man won't be dropping privileges, then, as it's configured
to when it's setuid ... that could explain this bug. Better fix that
before woody releases.

> However, *.gz files are still not created for ordinary users, only for 
> root. Doesn't keep me awake at night, but it's a symptom for something 
> not right. If man is running as the ordinary user that called it, it 
> seems logical that it can't create files in a directory with write 
> permission only for user 'man'?...

man needs to be setuid to do that, which is now turned off by default
for security reasons. This is not to say it's necessarily an exploit
waiting to happen; I usually run it setuid myself - but there've been
enough security holes that I felt non-setuid was a safer default.
Unfortunately this means disabling cached preformatted pages by default
too.

If you want to change this, run 'dpkg-reconfigure man-db'.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
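As an added example (not part of the original message), this shell snippet decodes the mode column from an `ls -l` listing like the one Carlos pasted and reports whether the setuid or setgid bit is actually set, which is the `s` in the owner or group execute position rather than the owner being root. The listing is constructed from the mail, with one extra `man_setuid_example` line added to show what a setuid binary would look like.

```shell
#!/bin/sh
# Constructed listing: the two real lines from the mail plus one made-up
# setuid line (man_setuid_example) for contrast.
LISTING='-rwxr-xr-x    1 root     root        90684 Sep 19 02:20 man
-rwxr-xr-x    1 root     root        70844 Sep 19 02:20 mandb
-rwsr-xr-x    1 root     root        90684 Sep 19 02:20 man_setuid_example'

# mode_flags MODE: print "setuid", "setgid", "setuid+setgid" or "none" for an
# ls-style mode string such as -rwsr-xr-x. Position 4 is the owner execute
# slot and position 7 the group execute slot; a lowercase s means the bit is
# set together with execute, an uppercase S means set without execute (the
# bit is still set, so it is flagged too).
mode_flags() {
    mode=$1
    owner_x=$(printf '%s' "$mode" | cut -c4)
    group_x=$(printf '%s' "$mode" | cut -c7)
    result=""
    case $owner_x in s|S) result="setuid" ;; esac
    case $group_x in s|S) result="${result:+$result+}setgid" ;; esac
    printf '%s\n' "${result:-none}"
}

# is_setuid_file PATH: the direct check on a real file, for comparison with
# reading the listing by eye. Returns success when the setuid bit is set.
is_setuid_file() {
    [ -u "$1" ]
}

# scan_listing: read ls -l lines from stdin and print "<flags> <owner> <name>"
# for each file, so root-owned and setuid are shown as separate facts.
scan_listing() {
    while read -r mode _links owner _group _size _mon _day _time name; do
        [ -z "$mode" ] && continue
        printf '%s %s %s\n' "$(mode_flags "$mode")" "$owner" "$name"
    done
}

printf '%s\n' "$LISTING" | scan_listing
```

Only the constructed third line is reported as setuid; `man` and `mandb` come out as `none root`, which is what the reply above says.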
