Re: man bugs might lead to root compromise (RH 6.1 and other

From: Mark Whitis (whitisat_private)
Date: Sun Feb 27 2000 - 20:48:09 PST


On Sat, 26 Feb 1994, Michal Zalewski wrote:

> With most Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed beforehand into fixed-size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environment variables. For example,
> by specifying a MANPAGER variable with approx. 4k 'A' letters, you'll get
> SEGV:

This might be a side effect of the fix for another security hole.
IIRC, /var/catman/ was world writable, allowing for all kinds of symlink
games which would allow ordinary users to do some things as root
(like clobbering files) by laying a trap in /var/catman/ and waiting
for root to run man.

Exploiting this buffer overflow bug to gain man privileges would then
allow you to exploit the previous bugs as well if root runs "man"
(or possibly the privileges of any user who runs man).

If you need to run man as root, consider:
   su nobody -c "man ls"             # assumes shell is /bin/bash
Or just switch to another console or window.

The man program was never designed to be secure, but having a shared
manpage cache requires man to be secure.  If you disable man page caching,
you should be able to run man without setgid.

---------------------------------------------------------------------------
---  Mark Whitis <whitisat_private>     WWW:  http://www.dbd.com/~whitis/ ---
---------------------------------------------------------------------------
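The two conditions the reply ties together, a setgid man binary and a world-writable /var/catman without the sticky bit, can be checked on a host with the script below. It is an added example, not part of the thread; the function names, the AUDIT_MAN_RUN switch and the default paths are assumptions, and it relies only on POSIX sh, test, ls, awk and cut.

```shell
#!/bin/sh
# Added example, not from the original post: audit for a setgid man binary
# and a world-writable, non-sticky catman cache. Defaults match the thread.

# is_setgid FILE -> true when FILE carries the setgid bit (POSIX test -g)
is_setgid() {
    [ -f "$1" ] && [ -g "$1" ]
}

# owning_group FILE -> group name taken from ls -ld (portable; no GNU stat)
owning_group() {
    ls -ld "$1" 2>/dev/null | awk '{ print $4 }'
}

# is_world_writable_nosticky DIR -> true when others may write and the
# directory is not sticky, so any user can create and remove entries,
# which is what makes the symlink trap described in the reply possible.
is_world_writable_nosticky() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        d???????w[tT]) return 1 ;;   # world-writable but sticky, like /tmp
        d???????w?)    return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_man MAN_BINARY CATMAN_DIR -> prints one line per finding and returns
# the number of findings (0 means neither condition holds).
audit_man() {
    findings=0
    if is_setgid "$1"; then
        echo "RISK: $1 is setgid $(owning_group "$1"); an overflow in its environment handling (MANPAGER etc.) yields that group's privileges"
        findings=$((findings + 1))
    fi
    if is_world_writable_nosticky "$2"; then
        echo "RISK: $2 is world-writable and not sticky; any user can plant symlinks for root's next man run"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: $1 not setgid, $2 not world-writable"
    return "$findings"
}

# Run only when asked, so the functions can also be sourced from another script:
#   AUDIT_MAN_RUN=1 sh audit_man.sh [/usr/bin/man] [/var/catman]
if [ -n "${AUDIT_MAN_RUN:-}" ]; then
    audit_man "${1:-/usr/bin/man}" "${2:-/var/catman}"
fi
```

The exit status is the finding count, so the script can be dropped into a cron job or configuration check that fails on anything but 0.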