Re: our broken man package

To: debian-devel@lists.debian.org
Subject: Re: our broken man package
From: Michael Stone <mstone@debian.org>
Date: Fri, 5 Jan 2001 07:37:18 -0500
Message-id: <[🔎] 20010105073718.O686@justice.loyola.edu>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20010105010916.A1083@debian.org>; from nick@debian.org on Fri, Jan 05, 2001 at 01:09:17AM -0300
References: <[🔎] 20010103152303.A6251@kitenet.net> <[🔎] 20010103223319.N28241@plato.local.lan> <[🔎] 20010105010916.A1083@debian.org>

On Fri, Jan 05, 2001 at 01:09:17AM -0300, Nicolás Lichtmaier wrote:
>  There could be a helper setuid program, man-cache-writer. man would call
> this program and pipe it the catpage. man-cache-writer would just write it's
> stding to the proper place. End of the problems.

No so simple. You don't want the trusted program trusting the output of
a non-trusted program. 

A start to fix the current problems is to:
1. drop privs if reading a man page that's not going to be cached
anyway. (E.g., a page in your private home directory.)
2. and in that case ignore tmpdir. store temporary files in a directory
writable only my user man.

-- 
Mike Stone

Reply to:

Follow-Ups:
- Re: our broken man package
  - From: Nicolás Lichtmaier <nick@debian.org>

References:
- our broken man package
  - From: Joey Hess <joeyh@debian.org>
- Re: our broken man package
  - From: Ethan Benson <erbenson@alaska.net>
- Re: our broken man package
  - From: Nicolás Lichtmaier <nick@debian.org>

Prev by Date: Re: What to do about /etc/debian_version
Next by Date: Re: Important Note On Source-Only Uploads
Previous by thread: Re: our broken man package
Next by thread: Re: our broken man package
Index(es):
- Date
- Thread