
Re: Groff/troff security exposure



	Ummm.... yes, as I answered Alan you need to be logged on as root. This
compromise is dangerous because a not-very-paranoid root user might do commands
like 'man' while in a public dir (like /tmp, or a user's), and a user might be
able to put a trojan there.
	As a matter of fact, man does run as seteuid man. But there are other packages
using groff (for example, a2ps or gnosamba) that might not work as man. I have
not checked their sources, though.

	Regards

	Javi

"Noah L. Meyerhans" wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> On Thu, 5 Oct 2000, Alan KF LAU wrote:
> 
> > Just a question. I've tried it on my own server which is Debian 2.2.17 woody(unstable) version. I got the following message when trying 2:
> >
> > ./troffrc:1: can't open `/etc/passwd' for appending: Permission denied
> > ./troffrc:2: no stream named 'passwds'
> > ./troffrc:3: no stream named 'passwds'
> > ....
> >
> > Is this bug already fixed in Debian 2.2 Woody(unstable)?
> 
> Javier's email does specify that you need to be logged in as root.  I
> assume you were not.
> 
> There have been similar attacks to this in other packages for quite some
> time.  I believe it would be reasonable for man to run setuid man, would
> it not?  In fact, considering that there's a man user in /etc/passwd by
> default in Debian, why isn't it?
> 
> noah
>
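
A defensive check for the scenario discussed in this thread, added here as an example and not part of any poster's message: it looks in directories other users can write to for `troffrc` files containing groff requests that write files or run commands. The function names and the sample file are constructed for illustration, and the list of requests worth flagging (`.open`, `.opena`, `.write`, `.pso`, `.pi`, `.sy`) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag troffrc files in shared
# directories that use groff requests able to write files or run commands.

# Print "path:line:text" for every suspicious request found under the
# directories given as arguments.
scan_troffrc() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f \( -name troffrc -o -name troffrc-end \) 2>/dev/null |
        while IFS= read -r f; do
            # A request has '.' or "'" in column one, optional blanks, then
            # its name. /dev/null as a second file makes grep print the path.
            grep -nE "^[.'][[:space:]]*(opena?|write[cm]?|pso|pi|sy)([[:space:]]|\$)" \
                "$f" /dev/null || true
        done
    done
}

# Number of suspicious lines found under the given directories.
count_hits() { scan_troffrc "$@" | wc -l | tr -d ' '; }

# Constructed sample: a harmless troffrc that appends to a scratch file.
# Prints the temporary directory that holds it.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '.opena log /tmp/scratch.out' '.write log hello' \
        '.close log' '.\" ordinary comment' '.ft R' > "$d/troffrc"
    printf '%s\n' "$d"
}

# Usage: sh scan_troffrc.sh /tmp /var/tmp /home
if [ "$#" -gt 0 ]; then
    scan_troffrc "$@"
fi
```

Any hit in a directory such as /tmp deserves a look before a privileged user runs groff-based tools from there.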
