[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: our broken man package

On Wed, Jan 03, 2001 at 11:53:37PM -0800, Joey Hess wrote:
> Ethan Benson wrote:
> > the problem with this is you end up with the catman files owned by
> > whatever user reads whatever man page.  personally as a sysadmin i
> > don't want users gaining write permission to files in any more places
> > under /var then there already is (ahem texmf).  i am not certain if
> > there is potential security threats to users being able to write bogus
> > catman files, perhaps via groff tricks there is.  
> I'll bet (have not verified) that you can already trick it into writing
> bogus file by sticking trojan pages elsewhere in your manpath.

i just tried it, did not end up with a cached file.  

[eb@socrates eb]$ export MANPATH=/home/eb/test
[eb@socrates eb]$ find /var/cache/man -name 'bogus*'
[eb@socrates eb]$ ls -l /home/eb/test/man8/
total 8
-rw-r--r--    1 eb       eb           5193 Jan  3 23:03 bogus.8
[eb@socrates eb]$ man bogus 
Reformatting bogus(8), please wait...
[eb@socrates eb]$ find /var/cache/man -name 'bogus*'

it also doesn't cache anything when pointing man directly at a
specific man page:

[eb@socrates eb]$ find /var/cache/man -name 'yaboot*'
[eb@socrates eb]$ man devel/ybin/man/yaboot.8 
Reformatting yaboot.8, please wait...
[eb@socrates eb]$ find /var/cache/man -name 'yaboot*'
[eb@socrates eb]$

and yes my caching does work as you can see for a normal man page:

[eb@socrates eb]$ man yaboot
Reformatting yaboot(8), please wait...
[eb@socrates eb]$ find /var/cache/man -name 'yaboot*'

Ethan Benson

Attachment: pgp4TYGJhxSGR.pgp
Description: PGP signature

Reply to: