Do not install man(1) setuid ``man''.

The catpaging and setuidness features of man(1) combined make
it vulnerable to a number of security attacks.  Specifically,
it was possible to overwrite system catpages with arbitrarily
contents by either setting up a symlink to a directory holding
system catpages, or by writing custom -mdoc or -man groff(1)
macro packages and setting up GROFF_TMAC_PATH in environment
to point to them.  (See PR below for details).

This means man(1) can no longer create system catpages on a
regular user's behalf.  (It is still able to if the user has
write permissions to the directory holding catpages, e.g.,
user's own manpages, or if the running user is ``root''.)

To create and install catpages during ``make world'', please
set MANBUILDCAT=YES in /etc/make.conf.  To rebuild catpages
on a weekly basis, please set weekly_catman_enable="YES" in
/etc/periodic.conf.

PR:		bin/32791

1 files changed, 1 insertions, 3 deletions

diff --git a/etc/mtree/BSD.x11-4.dist b/etc/mtree/BSD.x11-4.dist
index dca7d08..b10b001 100644
--- a/etc/mtree/BSD.x11-4.dist
+++ b/etc/mtree/BSD.x11-4.dist
@@ -314,7 +314,6 @@
     libexec
     ..
     man
-/set uname=man
         cat1
         ..
         cat2
@@ -337,7 +336,7 @@
         ..
         catn
         ..
-        ja              uname=root
+        ja
             cat1
             ..
             cat2
@@ -360,7 +359,6 @@
             ..
             catn
             ..
-/set uname=root
             man1
             ..
             man2