Man(1) makes "cat" files with wrong mode and ownership
Roy Smith
roy at phri.UUCP
Mon Dec 30 13:24:06 AEST 1985
Index: ucb/man.c 4.2BSD
ucb/Makefile 4.2BSD
Description: When you run "man x" and the cat file has to be made, it is
left with mode 0666, and owned by whoever happened to run man. This
was noticed one day when "man sh" produced neither output nor error
message. On investigation, it was found that /usr/man/cat1/sh.1 was
0 length; some curious person must have tried to do something like
"cat > /usr/man/cat1/sh.1"
Repeat-By:
rm /usr/man/cat1/sh.1
man sh
ls -l /usr/man/cat1/sh.1
Fix: Install the following 2-line patch. Also, change the Makefile so
man is installed set-uid. I'll leave it to other, smarter, brains
to figure out if this opens up any security loopholes.
*** /usr/src/ucb/man.c.old Sun Sep 25 21:05:27 1983
--- /usr/src/ucb/man.c Sun Dec 29 21:57:25 1985
***************
*** 256,263
fflush(stdout);
unlink(work2);
sprintf(cmdbuf,
! "%s %s > /tmp/man%d; trap '' 1 15; mv /tmp/man%d %s",
! NROFFCAT, work, getpid(), getpid(), work2);
if (system(cmdbuf)) {
printf(" aborted (sorry)\n");
remove();
--- 256,263 -----
fflush(stdout);
unlink(work2);
sprintf(cmdbuf,
! "%s %s > /tmp/man%d; trap '' 1 15;mv /tmp/man%d %s;chmod o-w %s;chown root %s",
! NROFFCAT, work, getpid(), getpid(), work2, work2, work2);
if (system(cmdbuf)) {
printf(" aborted (sorry)\n");
remove();
--
Roy Smith <allegra!phri!roy>
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016
More information about the Comp.bugs.4bsd.ucb-fixes
mailing list