
mandb wrapper scripts


There are a couple things about the new wrapper scripts for man and
mandb that I am wondering about...

These scripts now check to see if the invoking user is root and, if so,
change to nobody before executing the real setuid man/mandb. First,
why user nobody? The uid will just end up as man anyway, so why use
nobody?  The problem with using nobody is that some admins prefer not to
give nobody a valid shell (see a past thread on that), so if they have
changed nobody's shell to, say, /bin/false, mandb and man no longer work
at all as root.

The second thing I find odd in these scripts is the way they check the
user's uid: they test writability of /root.  While /root shouldn't be
writable by anyone else, I really don't think it's a good idea to depend
on that. For example, what if the admin made /root writable by his
user's account?  (Probably not a good idea, but I have seen people who
wanted to do similar things with /root.) Now man is unusable by that
user account, since they will be prompted for nobody's password.

Checking filesystem permissions just seems awfully fragile to me.

I am wondering if there is any disadvantage to using the following
script instead:

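#!/bin/sh -e
# edir (the directory holding the real binaries) is not set in this snippet
pgm=`basename "$0"`
cmd="${edir}/${pgm} ${1+$@}"
# as root, re-run the real binary as user man; always hand the command to -c
[ "`id -u`" = 0 ] && exec su man -c "$cmd"
exec ${cmd}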

This unambiguously tests for uid 0 status and allows for user nobody
to not have a valid shell. User man already exists, has a shell, and
the man programs are setuid man already, so I cannot see any
disadvantage to this arrangement...


Ethan Benson
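
An added example, not part of the original post and not the Debian wrapper: it contrasts the writability test with the id -u test and, going beyond the post, quotes each argument before the command string reaches su -c. The function names and /path/to/real/man are placeholders chosen for this illustration.

```shell
#!/bin/sh
# Added illustration, not the Debian wrapper. /path/to/real/man is a placeholder.

# Fragile check from the post: infer "root" from write access to a directory.
is_root_by_writable() {
    [ -w "${1:-/root}" ]
}

# Direct check from the post: compare the numeric uid with 0.
# An optional argument overrides the uid so the logic can be tested unprivileged.
is_root_by_uid() {
    [ "${1:-$(id -u)}" = 0 ]
}

# Single-quote each argument so it survives the extra shell that su -c starts.
# The trailing "x" sentinel keeps newlines at the end of an argument intact.
shell_quote() {
    out=
    for arg in "$@"; do
        esc=$(printf '%sx' "$arg" | sed "s/'/'\\\\''/g")
        out="$out${out:+ }'${esc%x}'"
    done
    printf '%s\n' "$out"
}

# Print the command line the wrapper would exec, without running anything.
# $1 = uid to assume, $2 = real binary, remaining arguments = user arguments.
plan_exec() {
    uid=$1
    bin=$2
    shift 2
    cmd=$(shell_quote "$bin" "$@")
    if is_root_by_uid "$uid"; then
        printf 'su man -c %s\n' "$(shell_quote "$cmd")"
    else
        printf '%s\n' "$cmd"
    fi
}

# Show the plan for the current user with a constructed argument list.
plan_exec "$(id -u)" /path/to/real/man -k 'two words'
```

A directory that any account can write to makes is_root_by_writable succeed for that account, while is_root_by_uid depends only on the numeric uid.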
