> I just noticed a problem with the man system (version 2.3.10) on my Linux
> box: /usr/man contains the .gz'd man pages: [...]
> When I execute man, a temporary file containing the un-zipped manpage is
> created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
> e.g. "zman10849aaa". This can be exploited with a simple symlink attack:

Pretty much the same with unformatted 'roff pages on unix (at least with my suns around here; I assume others mostly do the same), with variously different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc. Another reason to use catman, I guess.

What a neat little trick. I never thought man would be a security hole.

-- d
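Added example, not part of the original message or of any man implementation: a C sketch of how a program that unpacks into /tmp can refuse a pre-planted link at the predictable name described in the thread. The function names and the scratch directory are hypothetical, and the planted link is constructed inside a private directory purely to check the behaviour.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Predictable name as in the thread (<dir>/zman<PID>aaa), but opened so that
 * any existing entry, including a dangling symlink, makes open() fail. */
int open_predictable_excl(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/zman%ldaaa", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: mkstemp() picks an unguessable name and opens it exclusively. */
int open_unpredictable(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/zmanXXXXXX", dir);
    return mkstemp(path);
}

/* Self-check in a private scratch directory (constructed for this example):
 * returns 1 if the exclusive open refuses a planted link and leaves the
 * link's target uncreated, and mkstemp() yields an owner-only file. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/zmandemoXXXXXX";
    char target[128], planted[128], path[128];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/zman%ldaaa", dir, (long)getpid());
    if (symlink(target, planted) != 0) return 0;

    int fd = open_predictable_excl(dir, path, sizeof path);
    int ok = (fd == -1 && errno == EEXIST && stat(target, &st) == -1);

    int fd2 = open_unpredictable(dir, path, sizeof path);
    ok = ok && fd2 >= 0 && fstat(fd2, &st) == 0 && (st.st_mode & 077) == 0;
    if (fd2 >= 0) { close(fd2); unlink(path); }
    unlink(planted);
    rmdir(dir);
    return ok;
}

int main(void) { return symlink_is_refused() ? 0 : 1; }
```

A plain `open(path, O_WRONLY | O_CREAT | O_TRUNC)` on the same name would follow the link and write to its target, which is the behaviour the thread describes.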
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:27 PDT