[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: our broken man package

Ethan Benson wrote:
> the problem with this is you end up with the catman files owned by
> whatever user reads whatever man page.  personally as a sysadmin i
> don't want users gaining write permission to files in any more places
> under /var then there already is (ahem texmf).  i am not certain if
> there is potential security threats to users being able to write bogus
> catman files, perhaps via groff tricks there is.  

I'll bet (have not verified) that you can already trick it into writing
bogus file by sticking trojan pages elsewhere in your manpath.

> IMO a setgid man with a group writable /var/catman is not any better
> then a mode 1777 /var/catman.  (which is what slackware does btw)
> OpenBSD took another tack on this problem and just did away with
> cached man pages altogether.  (no suid or sgid man) 

see shy jo

Reply to: