[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mandb wrapper scripts

Fabrizio Polacco wrote:
> Like most of the security stuff, it's paranoia level is quite high:

I think that random paranioa fixes tend to cause more harm than they
prevent, by providing a false sense of security.

> 	> Debian's /usr/bin/man is setuid "man", not setuid "root".
> 	This should not be viewed as a cure-all. In fact it doesn't
> 	really offer much added security over being setuid root. An
> 	attacker that gained access as user "man" could then modify the
> 	man binary itself and wait until root runs it.

So instead, I gain access to man, edit the binary, and wait for the user
that the admin uses when they arn't root to run it. Once they do, and I have
cracked their user account, my exploit then installs a trojan, and waits for
them to su to root, capturing the password in the process.

So all you've done is put a rather insiginificant block in the path of an
attacker. You'd do much better to just audit man some more, to prevent real
security holes.

> Now think that this is not only concerning "man" binary, but also 
> "mandb" binary, which is weekly run by cron as root. 
> Also the "usage" for it says that it must be run by root.

If mandb should run only as root, what is it (well, the wrapper) doing in

If mandb is only run as root, there is no reason it should be suid man. It
can have no suid bits at all, and simply setuid() to man when it runs. This
also ensures only root is going to be able to run it anyway.

However, I see nothing about only being run as root on the mandb man page,

see shy jo

Reply to: