Re: Groff/troff security exposure
Ummm.... yes, as I answered Alan you need to be logged on as root. This
compromise is dangerous because a not-very-paranoid root user might do commands
like 'man' while in a public dir (like /tmp, or a user's), and a user might be
able to put a trojan there.
As a matter of fact, man does run as seteuid man. But there are other packages
using groff (for example, a2ps or gnosamba) that might not work as man. I have
not checked their sources, though.
"Noah L. Meyerhans" wrote:
> On Thu, 5 Oct 2000, Alan KF LAU wrote:
> > Just a question. I've tried it on my own server which is Debian 2.2.17 woody(unstable) version. I got the following message when trying 2:
> > ./troffrc:1: can't open `/etc/passwd' for appending: Permission denied
> > ./troffrc:2: no stream named 'passwds'
> > ./troffrc:3: no stream named 'passwds'
> > ....
> > Is this bug already fixed in Debian 2.2 Woody(unstable)?
> Javier's email does specify that you need to be logged in as root. I
> assume you were not.
> There have been similar attacks to this in other packages for quite some
> time. I believe it would be reasonable for man to run setuid man, would
> it not? In fact, considering that there's a man user in /etc/passwd by
> default in Debian, why isn't it?
Javier Fernández-Sanguino Peña
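
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original messages: before running a groff-based command from a shared directory, look for a local startup file like the `./troffrc` seen in the quoted output. The function name `check_groff_cwd` is hypothetical, and including `troffrc-end` (groff's companion startup file) in the check is an assumption that goes beyond what the thread shows.

```shell
#!/bin/sh
# Added example: flag groff startup files in a directory that another
# user could have planted. Returns 0 when nothing risky is found and
# 1 otherwise, printing one line per finding.
check_groff_cwd() {
    dir=${1:-.}
    rc=0
    uid=$(id -u)
    # troffrc is the name seen in the thread; troffrc-end is an assumption.
    for name in troffrc troffrc-end; do
        f="$dir/$name"
        # -e is false for a dangling symlink, so test -L as well.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # A world-writable directory (for example /tmp) lets any local
        # user create or replace the file.
        if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
            echo "RISK: $f is in a world-writable directory"
            rc=1
        fi
        # A file owned by someone else was not written by the caller.
        if [ -n "$(find "$f" -prune ! -user "$uid" -print)" ]; then
            echo "RISK: $f is not owned by uid $uid"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_groff_cwd . && man groff`, so the command only starts when the current directory holds no suspicious startup file.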