COMMAND

    man

SYSTEMS AFFECTED

    Linux RedHat 5.2 (others?)

PROBLEM

    Solar Designer posted following.  There's an ancient problem  with
    SGID man  that we  keep seeing  on various  systems.  For example,
    on Red Hat 5.2:

        [ghost@alice ghost]$ ls -l /var/catman/cat1/id.1.gz
        ls: /var/catman/cat1/id.1.gz: No such file or directory
        [ghost@alice ghost]$ man id
        Formatting page, please wait...
        [ghost@alice ghost]$ ls -l /var/catman/cat1/id.1.gz
        -r--rw-r--   1 ghost    man           806 Aug  1 06:14 /var/catman/cat1/id.1.gz
        [ghost@alice ghost]$ chmod u+w /var/catman/cat1/id.1.gz
        [ghost@alice ghost]$ echo haha | gzip > /var/catman/cat1/id.1.gz
        [ghost@alice ghost]$ chmod u-w /var/catman/cat1/id.1.gz

    The next day, another user wants to know how to use "id":

        [luser@alice luser]$ man id

    Guess what they will see.

SOLUTION

    We could change the permissions  on those directories from 775  or
    1777 (that's seen on various systems) to 770, so that group man is
    always required.   However, doing  so would  break things,  as the
    group  is  (and  should  be)  dropped  for  many operations.  Some
    changes to  the way  man works  would be  required to support such
    restricted permissions.   A workaround could  be to preformat  all
    the man  pages as  root.   Finally, we  could move  to a SUID man,
    making the binary  immutable (non-portable, not  backup friendly).
    It is time to  stop storing preformatted pages.   It is no  longer
    worth the risk.  CPUs got faster, man pages are the same.

    On  some  systems  you  can  prevent  this  by  making  the catman
    directories suid to a dummy user.   On those systems all files  or
    directories created in these  directories then gets owned  by this
    dummy user and not the  user running the command.   Patch attached
    for linux ext2 to allow  suid directories.  On systems  where suid
    directories does not help, you  have no option but to  disable the
    feature that  man saves  the preformatted  page when  invoked by a
    user if  you do  not like  users to  be able  to spoof  man pages.
    This can be done by removing any suid/sgid bits from /usr/bin/man,
    and  making  sure  that  the  catman  directories  are  not  world
    writeable.  If you still want to have preformatted pages available
    for your users, make the catman directories owned by a dummy  user
    (for example catman),  and run catman  as this user  to create all
    preformatted man pages in one big batch (or man on individual  man
    pages if  catman is  not available).   You can  also make selected
    trusted users members of the  man group to allow them  to generate
    preformatted man pages when there is need to.

        --- linux/fs/ext2/ialloc.c.orig	Mon Jul 19 00:23:15 1999
        +++ linux/fs/ext2/ialloc.c	Sun Aug  1 10:37:24 1999
        @@ -449,7 +449,12 @@
            inode->i_sb = sb;
            inode->i_nlink = 1;
            inode->i_dev = sb->s_dev;
        -	inode->i_uid = current->fsuid;
        +	if (dir->i_mode & S_ISUID) {
        +		inode->i_uid = dir->i_uid;
        +		if (S_ISDIR(mode))
        +			mode |= S_ISUID;
        +	} else
        +		inode->i_uid = current->fsuid;
            if (test_opt (sb, GRPID))
                inode->i_gid = dir->i_gid;
            else if (dir->i_mode & S_ISGID) {