Do not install man(1) setuid ``man''.

The catpaging and setuidness features of man(1) combined make it vulnerable to a number of security attacks. Specifically, it was possible to overwrite system catpages with arbitrarily contents by either setting up a symlink to a directory holding system catpages, or by writing custom -mdoc or -man groff(1) macro packages and setting up GROFF_TMAC_PATH in environment to point to them. (See PR below for details). This means man(1) can no longer create system catpages on a regular user's behalf. (It is still able to if the user has write permissions to the directory holding catpages, e.g., user's own manpages, or if the running user is ``root''.) To create and install catpages during ``make world'', please set MANBUILDCAT=YES in /etc/make.conf. To rebuild catpages on a weekly basis, please set weekly_catman_enable="YES" in /etc/periodic.conf. PR: bin/32791
author: ru <ru@FreeBSD.org> 2002-01-15 14:11:05 +0000
committer: ru <ru@FreeBSD.org> 2002-01-15 14:11:05 +0000
commit: 2aa7f13a7d0162ad396a95251dceae601862f622 (patch)
tree: d8f87c866c4947f8938b35454d7ce942d7c4658e /gnu
parent: 99ceec2679852c284a07d9db09b0831db7c86abb (diff)
download: FreeBSD-src-2aa7f13a7d0162ad396a95251dceae601862f622.zip
FreeBSD-src-2aa7f13a7d0162ad396a95251dceae601862f622.tar.gz
2 files changed, 3 insertions, 66 deletions
diff --git a/gnu/usr.bin/man/man/Makefile b/gnu/usr.bin/man/man/Makefile
index 0998b96..905d4db 100644
--- a/gnu/usr.bin/man/man/Makefile
+++ b/gnu/usr.bin/man/man/Makefile
@@ -5,9 +5,6 @@ MAN_LIBZ=YES
 
 PROG=	man
 SRCS=	man.c manpath.c glob.c
-BINOWN= man
-BINMODE=4555
-INSTALLFLAGS=	-fschg
 
 CFLAGS+= -I${LIBDESTDIR}
 DPADD=	${LIBMAN}
@@ -20,7 +17,7 @@ CFLAGS+=-DHAVE_LIBZ=1
 .endif
 
 CFLAGS+= -I${.CURDIR}/../lib -DSTDC_HEADERS -DPOSIX -DHAS_TROFF
-CFLAGS+= -DDO_COMPRESS -DSETUID -DCATMODE=0644
+CFLAGS+= -DDO_COMPRESS -DCATMODE=0644
 CLEANFILES+=	man.1
 
 .PATH:	${.CURDIR}/../manpath
diff --git a/gnu/usr.bin/man/man/man.c b/gnu/usr.bin/man/man/man.c
index 2f8849b..921295a 100644
--- a/gnu/usr.bin/man/man/man.c
+++ b/gnu/usr.bin/man/man/man.c
@@ -121,11 +121,6 @@ static char args[] = "M:P:S:adfhkm:p:w?";
 #endif
 #endif
 
-#ifdef SETUID
-uid_t ruid;
-uid_t euid;
-#endif
-
 int
 main (argc, argv)
      int argc;
@@ -163,12 +158,6 @@ main (argc, argv)
 	gripe_no_name (tmp);
     }
 
-#ifdef SETUID
-  ruid = getuid();
-  euid = geteuid();
-  seteuid(ruid);
-#endif
-
   while (optind < argc)
     {
       nextarg = argv[optind++];
@@ -1118,7 +1107,7 @@ restore_sigs()
  * 1 for success and 0 for failure.
  */
 int
-make_cat_file (path, man_file, cat_file, manid)
+make_cat_file (path, man_file, cat_file)
      register char *path;
      register char *man_file;
      register char *cat_file;
@@ -1159,29 +1148,16 @@ make_cat_file (path, man_file, cat_file, manid)
       if (debug)
 	fprintf (stderr, "\ntrying command: %s\n", command);
       else {
-
-#ifdef SETUID
-	if (manid)
-	  seteuid(ruid);
-#endif
 	if ((pp = popen(command, "r")) == NULL) {
 	  s = errno;
 	  fprintf(stderr, "Failed.\n");
 	  errno = s;
 	  perror("popen");
-#ifdef SETUID
-	  if (manid)
-	    seteuid(euid);
-#endif
 	  unlink(temp);
 	  restore_sigs();
 	  fclose(fp);
 	  return 0;
 	}
-#ifdef SETUID
-	if (manid)
-	  seteuid(euid);
-#endif
 
 	f = 0;
 	while ((s = getc(pp)) != EOF) {
@@ -1317,43 +1293,7 @@ format_and_display (path, man_file, cat_file)
 	    }
 	  else
 	    {
-
-#ifdef SETUID
-	      seteuid(euid);
-	      found = make_cat_file (path, man_file, cat_file, 1);
-	      seteuid(ruid);
-
-	      if (!found)
-	        {
-		  /* Try again as real user - see note below.
-		     By running with
-		       effective group (user) ID == real group (user) ID
-		     except for the call above, I believe the problems
-		     of reading private man pages is avoided.  */
-		  found = make_cat_file (path, man_file, cat_file, 0);
-	        }
-#else
-	      found = make_cat_file (path, man_file, cat_file, 0);
-#endif
-#ifdef SECURE_MAN_UID
-	      if (!found)
-		{
-		  /*
-		   * Try again as real user.  Note that for private
-		   * man pages, we won't even get this far unless the
-		   * effective user can read the real user's man page
-		   * source.  Also, if we are trying to find all the
-		   * man pages, this will probably make it impossible
-		   * to make cat files in the system directories if
-		   * the real user's man directories are searched
-		   * first, because there's no way to undo this (is
-		   * there?).  Yikes, am I missing something obvious?
-		   */
-		  setuid (getuid ());
-
-		  found = make_cat_file (path, man_file, cat_file, 0);
-		}
-#endif
+	      found = make_cat_file (path, man_file, cat_file);
 	      if (found)
 		{
 		  /*
author	ru <ru@FreeBSD.org>	2002-01-15 14:11:05 +0000
committer	ru <ru@FreeBSD.org>	2002-01-15 14:11:05 +0000
commit	2aa7f13a7d0162ad396a95251dceae601862f622 (patch)
tree	d8f87c866c4947f8938b35454d7ce942d7c4658e /gnu
parent	99ceec2679852c284a07d9db09b0831db7c86abb (diff)
download	FreeBSD-src-2aa7f13a7d0162ad396a95251dceae601862f622.zip FreeBSD-src-2aa7f13a7d0162ad396a95251dceae601862f622.tar.gz