Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site hadron.UUCP
Path: utzoo!linus!decvax!genrad!panda!talcott!harvard!seismo!rlgvax!hadron!jsdy
From: jsdy@hadron.UUCP (Joseph S. D. Yao)
Newsgroups: net.bugs.4bsd
Subject: Re: Man(1) makes "cat" files with wrong mode and ownership
Message-ID: <161@hadron.UUCP>
Date: Thu, 2-Jan-86 21:36:59 EST
Article-I.D.: hadron.161
Posted: Thu Jan 2 21:36:59 1986
Date-Received: Sat, 4-Jan-86 07:03:50 EST
References: <2093@phri.UUCP> <503@scgvaxd.UUCP>
Reply-To: jsdy@hadron.UUCP (Joseph S. D. Yao)
Distribution: net
Organization: Hadron, Inc., Fairfax, VA
Lines: 29
Keywords: man security hole
Summary: Never let uid==root when another will do.

In article <503@scgvaxd.UUCP> brian@scgvaxd.UUCP (Brian Zill) writes:
>In article <2093@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>>Index: ucb/man.c 4.2BSD
>> ucb/Makefile 4.2BSD
>>Description: When you run "man x" and the cat file has to be made, it is
>> left with mode 0666, and owned by whoever happened to run man.
>>Fix: Install the following 2-line patch. Also, change the Makefile so
>> man is installed set-uid. I'll leave it to other, smarter, brains
>> to figure out if this opens up any security loopholes.
>
>Yes, this is a major security problem. man calls more to page the longer
>manual entries, and more has a shell escape... Ta Da! you're superuser!

This is n o t to re-open the discussion, but merely to note that
I still feel that the best thing to do is to have as few things as
possible owned by root and setuid to root. Best is to have these
things owned by user 'man' (well, 'bin' if you have to, but I don't
like it!). That way the worst a user can do is to munge the man
pages (or everything owned by 'bin' which is why I don't like the
latter).

Better, of course, to a l s o set back to real uid if you can for
every shell escape:

>What we did at Harvey Mudd College where I go to school is to put some
>code in to set the effective uid and gid back to their real values after
>the fork that provides the shell escape in more.

Also better to try to write code that checks permissions for each
step along the way (and, yes, sometimes re-invent the wheel).
--
Joe Yao hadron!jsdy@seismo.{CSS.GOV,ARPA,UUCP}
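
The mitigation described in the post above (resetting the effective uid and gid to the real values after the fork, before the shell escape runs), as an added example that is not part of the original post and is not the more(1) or Harvey Mudd code. The function names `drop_to_real_ids` and `shell_escape` are hypothetical.

```c
/* Added example; helper names are hypothetical, not taken from more(1) or man(1). */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reset effective gid/uid to the real ids. Returns 0 on success, -1 on failure. */
int drop_to_real_ids(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Group first: after the uid is dropped we may lack permission to change gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Run cmd with /bin/sh in a child that has dropped its set-uid/set-gid identity.
 * Returns the child's exit status, or -1 on error. */
int shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_real_ids() != 0)
            _exit(126);            /* refuse to start a shell with elevated ids */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("shell escape exit status: %d\n", shell_escape("id"));
    return 0;
}
```

The drop happens only in the child, so the parent keeps the effective ids it needs to write the cat files, and the exec copies the dropped effective uid into the saved set-user-ID of the shell.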