
security hole in man

Any comment from this list?
Can this approach be a solution to the attack scenario?

----- Forwarded message from Fabrizio Polacco <fab@prosa.it> -----

Date: Wed, 26 Jan 2000 11:38:35 +0200
From: Fabrizio Polacco <fab@prosa.it>
To: Greg Stark <gsstark@mit.edu>
Subject: Re: security hole in man

On Mon, Jan 24, 2000 at 04:36:14AM -0500, Greg Stark wrote:
> > Debian's /usr/bin/man is setuid "man", not setuid "root".
> This should not be viewed as a cure-all. 
> In fact it doesn't really offer much added security over being setuid root.

Well, it surely offers _more_ security.

> An attacker that gained access as user
> "man" could then modify the man binary itself and wait until root runs it.

Good point.
Maybe not for the "man" program itself, but for the companion mandb,
which is run also by cron.

> setgid is generally safer since a file can be unwritable by its group. 
> Whereas the owner of a file can always chmod it writable. 
> I'm not sure what the details are of why our man is setuid.

It has to deal with removing and adding dirs and files in the cache,
running as different users.
It has been created setuid and not setgid by its author, and I see a
_lot_ of changes to be made in the sources to make it setgid instead.

A different approach would be to wrap the calls to man and mandb around
a script like this:

#!/bin/sh -e
# Real binaries live in the private directory (path as given in this message).
edir=/usr/lib/man-db
pgm=`basename $0`
# When run by root (root can write /root) drop to user "man" so root itself never
# executes the setuid copy; su hands the extra arguments to the shell as $0 $1 ...
test -w /root && exec su man -c 'exec "$0" "$@"' "${edir}/${pgm}" "$@"
exec "${edir}/${pgm}" ${1+"$@"}

man-db could install this script as /usr/bin/man and /usr/bin/mandb
(as hard links)
-rwxr-xr-x    2 root     root          144 Jan 26 11:28 man*
-rwxr-xr-x    2 root     root          144 Jan 26 11:28 mandb*

and put the real binaries in /usr/lib/man-db setuid, but never executed
by root (until someone does it on purpose :-)

-rwsr-xr-x    1 man      root        82780 Oct 28 19:21 /usr/lib/man-db/man*
-rwsr-xr-x    1 man      root        65760 Oct 28 19:21 /usr/lib/man-db/mandb*

man-db already ships private executables in /usr/lib/man-db.

What do you think?
Could this be an improvement on security?
As I see, root will never execute the setuid binaries.

This approach has the advantage that I can easily set it up and let it
go into frozen.

| fab@pukki.ntc.nokia.com     fpolacco@prosa.it    fpolacco@debian.org
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
| fabrizio.polacco@nokia.com                  gsm: +358 (0)40 707 2468

----- End forwarded message -----
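The split layout in the forwarded message (non-setuid wrappers in /usr/bin, setuid-to-man binaries in a private directory) is only as good as the file modes that back it. The following script is an added example, not part of the thread or of man-db: it audits such a layout, flagging any wrapper that carries setuid/setgid, and any private binary that is not setuid, not owned by the expected user, or writable by group or others (the writability check is the point Greg Stark raises about owner-writable setuid files). The directory and owner arguments are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two-directory man-db layout.
#
# audit_man_layout WRAPPER_DIR PRIVATE_DIR OWNER
#   every file in WRAPPER_DIR must carry neither setuid nor setgid (root runs these);
#   every file in PRIVATE_DIR must be setuid, owned by OWNER and not group/world-writable.
# Prints one line per violation and returns 1 if any were found, else 0.
audit_man_layout() {
    wdir=$1; pdir=$2; owner=$3; rc=0

    for f in "$wdir"/*; do
        [ -e "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "BAD: $f in wrapper dir is setuid/setgid"; rc=1
        fi
    done

    for f in "$pdir"/*; do
        [ -e "$f" ] || continue
        # ls -ld prints e.g. "-rwsr-xr-x 1 man root 82780 ...":
        # field 1 is the mode string (char 6 = group write, char 9 = other write),
        # field 3 is the owner.
        line=$(ls -ld "$f")
        perms=${line%% *}
        fowner=$(echo "$line" | awk '{print $3}')

        [ -u "$f" ] || { echo "BAD: $f is not setuid"; rc=1; }
        [ "$fowner" = "$owner" ] || { echo "BAD: $f owned by $fowner, expected $owner"; rc=1; }
        case $perms in
            ?????w*|????????w*) echo "BAD: $f is group- or world-writable"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: audit_man_layout /usr/bin/wrappers /usr/lib/man-db man
if [ "$#" -eq 3 ]; then
    audit_man_layout "$1" "$2" "$3"
fi
```

Run it from cron or a post-install hook against the real directories; a non-zero exit means the "root never runs the setuid copy" property no longer holds on disk.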
