Re: SuSe / Debian man package format string vulnerability

Ethan Benson Sun, 04 Feb 2001 22:35:41 -0800

On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> Hi,
> 
> Quoting StyX ([EMAIL PROTECTED]):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
> I don't know about Suse/Redhat/others.

This is not correct, on debian man is suid man and /var/cache/man
(cached preformatted man pages) is owned by user man.  It is suid
rather then setgid so users do not end up owning more files in /var.  

on debian /usr/bin/man is really a wrapper program which when run as
root does a setuid man before execing /usr/lib/man-db/man.  The idea
is to prevent a user man compromise from turning into a root
compromise.  (compromise user man, replace man binaries, wait for root
or cron to run man/mandb)

$ ls -l /usr/lib/man-db/man*
-rwsr-xr-x    1 man      root        94676 Apr  6  2000 /usr/lib/man-db/man
-rwsr-xr-x    1 man      root        74168 Apr  6  2000 /usr/lib/man-db/mandb
$

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

PGP signature

Re: SuSe / Debian man package format string vulnerability

Reply via email to