Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ingo Schwarze
Hi Craig,

Craig Skinner wrote on Tue, Mar 03, 2015 at 06:00:55PM +:

> Unless there's a work around for 5.6, it's not long until 5.7

Well, if you want to, you can update just mandoc(1) and man(1)
to -current on OpenBSD 5.6, it is compatible.  Don't try mixing
versions in general, but in this particular case, it works.
Here is what i just did on the mdocml.bsd.lv server to try it out:

   $ cd /usr/src/usr.bin/mandoc/
   $ make cleandir  # just in case sb. did "make" w/o "make obj"
   $ cvs up -dP -rHEAD
   $ make obj
   $ make cleandir
   $ rm -f obj/*  # because arch.o lib.o vol.o existed in 5.6, not in 5.7
   $ make depend
   $ make
   $ sudo make install
   $ sudo makewhatis

Yours,
  Ingo



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
On 2015-03-03 Tue 18:21 PM |, Ingo Schwarze wrote:
> 
> So I fixed your problem some months before you reported it.  :-)
> 

Ace one Ingo.

Unless there's a work around for 5.6, it's not long until 5.7

Cheers.
-- 
Great Lover, n.:
A man who can breathe through his ears.



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ingo Schwarze
Hi Craig,

Craig Skinner wrote on Tue, Mar 03, 2015 at 04:23:59PM +:
> On 2015-03-03 Tue 16:46 PM |, Ingo Schwarze wrote:

>> That looks like the "man" you are executing is a shell script starting
>> with "#!/bin/sh".  In particular, it does not look like the mandoc
>> implementation of man(1) because that doesn't create temporary files.

Wrong guess on my part.  :)

Thanks for the additional info.  Now i understand:

  schwarze@isnote $ /bin/rksh
  $ echo $SHELL
  /bin/ksh
  $ oman man | wc
   18510669857
  $ ^D
  schwarze@isnote $ export SHELL=/bin/rksh
  schwarze@isnote $ /bin/rksh  
  $ echo $SHELL
  /bin/rksh
  $ oman man
  sh: /tmp/man.Y6LfRbb1ys: restricted
  sh: /usr/bin/less: restricted

Here, "oman" is the OpenBSD 5.6 man binary running on -current.

So, what happens is this:  the traditional BSD man(1) used in OpenBSD
5.6 uses system(3), see build_page() and main() in the file
/usr/src/usr.bin/man/man.c.  Looking at the file
/usr/src/lib/libc/stdlib/system.c, you see that system(3) runs
_PATH_BSHELL, which is "/bin/sh" according to /usr/include/paths.h.

When you have SHELL set to /bin/ksh, the shell executed by system(3)
is unrestricted, so it *can* write to the temp file, and it can
start the pager with an absolute path.  That's why tedu@ failed to
reproduce your issue, i think.

On the other hand, when you have SHELL set to /bin/rksh, the shell
executed by system(3) is restricted and stuff fails - what you saw.

Now, the old BSD man(1) isn't very secure (system(3) - yikes!),
and as you see, the whole concept of restricted shells isn't
very secure either, more like some Swiss cheese: At least it's
easy to inadvertently set up in a way that the restrictions don't
actually take effect or can be circumvented.  Here is another
"exploit" of a technology that is weak in the first place:

  schwarze@isnote $ echo $SHELL 
  /bin/rksh
  schwarze@isnote $ /bin/rksh   
  $ cd /
  /bin/rksh: cd: restricted shell - can't cd
  $ csh
  isnote:schwarze {1} cd /
  isnote: {2} pwd
  /
  isnote: {3} 

The good news is that:

 * OpenBSD 5.7 no longer uses the old BSD man(1).
 * man(1) no longer writes temp files but uses pipe(2).
 * man(1) no longer uses system(3).
 * With the new mandoc implementation of man(1) in OpenBSD 5.7,
   man(1) works no matter what, even in a restricted shell
   with SHELL set to /bin/rksh.

So i fixed your problem some months before you reported it.  :-)

Yours,
  Ingo
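
The system(3)-versus-pipe(2) point above, as an added C example that is not code from the thread or from mandoc: the filter (a pager, here) gets the page text on its stdin through pipe(2)/fork(2)/execvp(3), so no /bin/sh, restricted or not, and no temp file is ever involved. The function name run_filter and the use of grep as a stand-in pager are assumptions of this example.

```c
/* Added example, not from the thread or from mandoc: feed text to a
 * filter without system(3).  The child is exec'd directly, so the value
 * of SHELL and any restricted-shell rules play no part, and nothing is
 * written to /tmp. */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write `text` to the stdin of argv[0] (argv is NULL-terminated) and
 * return the child's exit status, or -1 if it could not be spawned. */
int run_filter(const char *text, char *const argv[])
{
    int fds[2], status;
    pid_t pid;
    size_t len = strlen(text), off = 0;

    if (pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: read end becomes stdin, then exec with no shell. */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) == -1)
            _exit(127);
        close(fds[0]);
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    /* parent: a pager that quits early must not kill us with SIGPIPE. */
    signal(SIGPIPE, SIG_IGN);
    close(fds[0]);
    while (off < len) {
        ssize_t n = write(fds[1], text + off, len - off);
        if (n == -1) {
            if (errno == EINTR)
                continue;
            break;              /* child went away; just reap it */
        }
        off += (size_t)n;
    }
    close(fds[1]);              /* EOF for the child */
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```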



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
On 2015-03-03 Tue 16:23 PM |, Craig Skinner wrote:
> $ stat -r /usr/bin/man
> 10 47697 0100555 2 0 7 194256 18768 1407477498 1407477498 1421926227 16384 40 
> 0 /usr/bin/man
> 

$ ldd /usr/bin/man
/usr/bin/man:
Start    End      Type Open Ref GrpRef Name
19f51000 39f55000 exe  10   0  /usr/bin/man
06e0a000 26e3a000 rlib 01   0  /usr/lib/libc.so.77.0
0616a000 0616a000 rtld 01   0  /usr/libexec/ld.so


-- 
Justice, n.:
A decision in your favor.



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
On 2015-03-03 Tue 16:46 PM |, Ingo Schwarze wrote:
> 
> That looks like the "man" you are executing is a shell script starting
> with "#!/bin/sh".  In particular, it does not look like the mandoc
> implementation of man(1) because that doesn't create temporary files.
> What does
> 
>   $ which man
>   $ file `which man`
> 
> tell you?

Hi Ingo:

$ man man
sh: /tmp/man.qOsGeBPxS8: restricted
sh: /usr/bin/more: restricted
$ type man
man is /usr/bin/man
$ whence man
/usr/bin/man
$ which man
/usr/bin/man
$ whereis man
/usr/bin/man
$ file $(which man)
/usr/bin/man: ELF 32-bit LSB shared object, Intel 80386, version 1, for 
OpenBSD, dynamically linked (uses shared libs), stripped
$ stat /usr/bin/man
10 47697 -r-xr-xr-x 2 root bin 194256 18768 "Aug  8 06:58:18 2014" "Aug 8 
06:58:18 2014" "Jan 22 11:30:27 2015" 16384 40 0 /usr/bin/man
$ stat -r /usr/bin/man
10 47697 0100555 2 0 7 194256 18768 1407477498 1407477498 1421926227 16384 40 0 
/usr/bin/man


Have I fucked something up?


> 
> Indeed, both the old BSD man(1) that was in OpenBSD 5.6 and the new
> mandoc man(1) that will be in OpenBSD 5.7 work on -current.
> 

$ uname -srvm
OpenBSD 5.6 GENERIC#274 i386

-- 
BE ALERT  (The world needs more lerts ...)



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ingo Schwarze
Hi Craig,

Ted Unangst wrote on Tue, Mar 03, 2015 at 10:09:08AM -0500:
> Craig Skinner wrote:

>> $ man rksh
>> sh: /tmp/man.v3NbpQf33a: restricted
>> sh: /usr/bin/more: restricted

That looks like the "man" you are executing is a shell script starting
with "#!/bin/sh".  In particular, it does not look like the mandoc
implementation of man(1) because that doesn't create temporary files.
What does

  $ which man
  $ file `which man`

tell you?

> I don't know. Works for me.
> 
> carbolite:~> rksh
> carbolite:~> man rksh | wc
> 2971   20398  166126
> carbolite:~> cd /
> rksh: cd: restricted shell - can't cd

Indeed, both the old BSD man(1) that was in OpenBSD 5.6 and the new
mandoc man(1) that will be in OpenBSD 5.7 work on -current.

Yours,
  Ingo



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ted Unangst
Craig Skinner wrote:
> Hi folks,
> 
> 
> $ man rksh
> sh: /tmp/man.v3NbpQf33a: restricted
> sh: /usr/bin/more: restricted

I don't know. Works for me.

carbolite:~> rksh
carbolite:~> man rksh | wc
2971   20398  166126
carbolite:~> cd /
rksh: cd: restricted shell - can't cd



How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
Hi folks,


$ man rksh
sh: /tmp/man.v3NbpQf33a: restricted
sh: /usr/bin/more: restricted
$ export MANPAGER=less
$ man rksh
sh: /tmp/man.MwpZa2hlUo: restricted
$ man -c rksh
sh: /tmp/man.U7FO8rM3Pc: restricted


$ printenv | sort
HOME=/home/jason
LOGNAME=jason
MAIL=/var/mail/jason
PATH=/usr/bin:/bin:/usr/local/bin:/home/jason/bin
SHELL=/bin/rksh
SSH_CLIENT=192.168.1.10 51139 22
SSH_CONNECTION=192.168.1.10 51139 192.168.1.1 22
SSH_TTY=/dev/ttypb
TERM=xterm
USER=jason
_=/usr/bin/printenv
$ stat /etc/profile /etc/ksh.kshrc ~/.profile ~/.kshrc
stat: /etc/profile: No such file or directory
stat: /etc/ksh.kshrc: No such file or directory
stat: /home/jason/.profile: No such file or directory
stat: /home/jason/.kshrc: No such file or directory

$ uname -srvm
OpenBSD 5.6 GENERIC#274 i386

Any ideas on what to try?


-- 
People who have what they want are very fond of telling
people who haven't what they want that they don't want it.
-- Ogden Nash