
Re: our broken man package



On Wed, Jan 03, 2001 at 03:23:03PM -0800, Joey Hess wrote:
> I'm concerned with some breakage in the man program. Here is an example:
> 
[snip examples]
> 
> This is because man runs via a wrapper that makes it run as user man
> (and makes root's pager run as user man too for some reason).
> 
> Related bugs: #74790, #60084, #58112, #42128.
> 
> I have never seen an explanation of why this wrapper program makes man
> run as user man. If it just ran it as group man, everything would be ok.
> As bug #42128 suggests, /var/catman/ could be writable by group man,
> rather than user man.

the problem with this is you end up with the catman files owned by
whatever user reads whatever man page.  personally as a sysadmin i
don't want users gaining write permission to files in any more places
under /var than there already are (ahem texmf).  i am not certain if
there are potential security threats to users being able to write bogus
catman files, perhaps via groff tricks there are.

IMO a setgid man with a group writable /var/catman is not any better
than a mode 1777 /var/catman.  (which is what slackware does btw)
OpenBSD took another tack on this problem and just did away with
cached man pages altogether.  (no suid or sgid man)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
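
An added example, not part of the original message or of the man package: a small audit that walks a cat-page cache and reports the conditions discussed in this thread (files not owned by the expected user, group-writable directories, world-writable directories with or without the sticky bit). The function names and the demo tree are constructed for illustration; on a real system the root would be /var/catman and the expected owner the uid of user man.

```python
import os
import stat
import tempfile

def audit_cache(root, expected_uid):
    """Return sorted (relative_path, finding) pairs for a cat-page cache tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: never follow a planted symlink
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != expected_uid:
                findings.append((rel, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWOTH:
                    sticky = "sticky bit set" if mode & stat.S_ISVTX else "no sticky bit"
                    findings.append((rel, "world-writable, " + sticky))
                elif mode & stat.S_IWGRP:
                    findings.append((rel, "group-writable directory"))
            elif stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink inside cache"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "file writable by group or other"))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample: a 1777 root holding a group-writable cat1/ directory."""
    root = tempfile.mkdtemp(prefix="catman-demo-")
    cat1 = os.path.join(root, "cat1")
    os.mkdir(cat1)
    page = os.path.join(cat1, "ls.1.gz")
    with open(page, "wb") as fh:
        fh.write(b"constructed placeholder, not a real cat page\n")
    os.chmod(page, 0o644)
    os.chmod(cat1, 0o775)   # group-writable, as in the setgid-man proposal
    os.chmod(root, 0o1777)  # the mode the message attributes to Slackware
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    # On a real system: audit_cache("/var/catman", pwd.getpwnam("man").pw_uid)
    for rel, finding in audit_cache(demo, os.getuid()):
        print("%-16s %s" % (rel, finding))
```

Any "owner uid" finding under a setgid-man layout is the per-reader ownership the message objects to.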
