
Re: our broken man package



Ethan Benson wrote:
> the problem with this is you end up with the catman files owned by
> whatever user reads whatever man page.  personally as a sysadmin i
> don't want users gaining write permission to files in any more places
> under /var than there already are (ahem texmf).  i am not certain if
> there are potential security threats to users being able to write bogus
> catman files, perhaps via groff tricks there are.

I'll bet (have not verified) that you can already trick it into writing
bogus files by sticking trojan pages elsewhere in your manpath.

> IMO a setgid man with a group writable /var/catman is not any better
> than a mode 1777 /var/catman.  (which is what slackware does btw)
> OpenBSD took another tack on this problem and just did away with
> cached man pages altogether.  (no suid or sgid man) 

-- 
see shy jo


