[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Groff/troff security exposure

	Ummm.... yes, as I answered Alan you need to be logged on as root. This
compromise is dangerous because a not-very-paranoic root user might do commands
like 'man' while in a public dir (like /tmp, or a users's), and a user might be
able to put a troyan there.
	As a matter of fact, man does run as seteuid man. But there are other packages
using groff (for example, a2ps or gnosamba) that might not work as man. I have
not checked their sources, though.



"Noah L. Meyerhans" escribió:
> On Thu, 5 Oct 2000, Alan KF LAU wrote:
> > Just a question. I've tried it on my own server which is Debian 2.2.17 woody(unstable) version. I got the following message when trying 2:
> >
> > ./troffrc:1: can't open `/etc/passwd' for appending: Permission denied
> > ./troffrc:2: no stream named 'passwds'
> > ./troffrc:3: no stream named 'passwds'
> > ....
> >
> > Is this bug already fixed in Debian 2.2 Woody(unstable)?
> Javier's email does specify that you need to be logged in as root.  I
> assume you were not.
> There have been similar attacks to this in other packages for quite some
> time.  I believe it would be reasonable for man to run setuid man, would
> it not?  In fact, considering that there's a man user in /etc/passwd by
> default in Debian, why isn't it?
> noah
n:Fernández-Sanguino Peña;Javier
tel;fax:+34-91 806 46 41
tel;work:+34-91 806 46 40
org:SGI-GMV sistemas;Seguridad Lógica
adr:;;Sector Foresta 1;Tres Cantos;Madrid;E-28760;Spain
fn:Javier Fernández-Sanguino Peña

Reply to: