On Wed, Dec 24, 1997 at 03:34:46PM -0800, d wrote:

> What a neat little trick. I never thought man would be a security hole.

At least on Linux, it has been several times. Some early versions of man (running setgid or setuid man) would never revoke privileges when invoking other programs such as troff.

As lately as a couple of months ago, both man_db-2.3 and man-1.4i had problems when invoking gzip to uncompress pages. You could force both of them to invoke a different program, which would run under the gid of 'man'.

The funny thing about running with the privilege of man is that some Linux distributions had their man directories and a bunch of manpages group-writable and owned by man.man. This would let you do neat things like inserting .sy commands into those manpages. Anyone displaying one of those trojanized manpages would then cause it to be formatted, with troff executing the .sy command with the credentials of the invoking users. That's a nice way of collecting setuid shells...

Andries Brouwer quickly released a fixed version (man-1.4j). man_db never got updated though, AFAIK, even though I contacted the maintainer a couple of times.

Olaf

--
Olaf Kirch        |  --- o ---  Nous sommes du soleil we love when we play
okirat_private    |    / | \    sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private    +-------------------- Why Not?! -----------------------
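An administrator-side check for the two conditions Olaf describes (writable man directories or pages, and pages carrying troff `.sy` requests), as an added example that is not part of the original message or of the man/man_db code. It assumes POSIX sh, find, grep and gzip, and that the man tree to audit is passed as the first argument; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: audit a manpage tree the way a sysadmin reading Olaf's message
# might. "audit_man_tree DIR" prints one line per finding and returns 1 when
# anything was found, 0 when the tree is clean, so it can gate a cron job.
# Assumes POSIX sh, find, grep and gzip (for compressed pages).

# Directories or pages that a non-owner can write to. The reported issue was
# man directories owned by man.man and group-writable; world-writable entries
# are at least as bad, so both modes are flagged.
find_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null |
        sed 's/^/WRITABLE /'
}

# Pages containing a troff .sy (or 'sy) request at the start of a line, which
# older troffs executed as a shell command when the page was formatted
# (modern groff refuses .sy unless run in unsafe mode). Pages may be stored
# gzipped, so .gz files are inflated before scanning.
find_sy_requests() {
    find "$1" -type f -print 2>/dev/null | while IFS= read -r page; do
        case "$page" in
            *.gz) gzip -cd "$page" 2>/dev/null ;;
            *)    cat "$page" ;;
        esac | grep -E -q "^[.'][[:blank:]]*sy([[:blank:]]|\$)" &&
            echo "SY_REQUEST $page"
    done
}

# Run both checks; returns 1 with findings on stdout, 0 when clean.
audit_man_tree() {
    out=$( { find_writable "$1"; find_sy_requests "$1"; } )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it as `audit_man_tree /usr/share/man` and treat any WRITABLE line as a permissions fix to make before worrying about page contents.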
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:51 PDT