Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ted Unangst
Craig Skinner wrote:
 Hi folks,
 
 
 $ man rksh
 sh: /tmp/man.v3NbpQf33a: restricted
 sh: /usr/bin/more: restricted

I don't know. Works for me.

carbolite:~ rksh
carbolite:~ man rksh | wc
2971   20398  166126
carbolite:~ cd /
rksh: cd: restricted shell - can't cd



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ingo Schwarze
Hi Craig,

Ted Unangst wrote on Tue, Mar 03, 2015 at 10:09:08AM -0500:
 Craig Skinner wrote:

 $ man rksh
 sh: /tmp/man.v3NbpQf33a: restricted
 sh: /usr/bin/more: restricted

That looks like the man you are executing is a shell script starting
with #!/bin/sh.  In particular, it does not look like the mandoc
implementation of man(1) because that doesn't create temporary files.
What does

  $ which man
  $ file `which man`

tell you?

 I don't know. Works for me.
 
 carbolite:~ rksh
 carbolite:~ man rksh | wc
 2971   20398  166126
 carbolite:~ cd /
 rksh: cd: restricted shell - can't cd

Indeed, both the old BSD man(1) that was in OpenBSD 5.6 and the new
mandoc man(1) that will be in OpenBSD 5.7 work on -current.

Yours,
  Ingo



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
On 2015-03-03 Tue 16:46 PM |, Ingo Schwarze wrote:
 
 That looks like the man you are executing is a shell script starting
 with #!/bin/sh.  In particular, it does not look like the mandoc
 implementation of man(1) because that doesn't create temporary files.
 What does
 
   $ which man
   $ file `which man`
 
 tell you?

Hi Ingo:

$ man man
sh: /tmp/man.qOsGeBPxS8: restricted
sh: /usr/bin/more: restricted
$ type man
man is /usr/bin/man
$ whence man
/usr/bin/man
$ which man
/usr/bin/man
$ whereis man
/usr/bin/man
$ file $(which man)
/usr/bin/man: ELF 32-bit LSB shared object, Intel 80386, version 1, for OpenBSD, dynamically linked (uses shared libs), stripped
$ stat /usr/bin/man
10 47697 -r-xr-xr-x 2 root bin 194256 18768 Aug  8 06:58:18 2014 Aug  8 06:58:18 2014 Jan 22 11:30:27 2015 16384 40 0 /usr/bin/man
$ stat -r /usr/bin/man
10 47697 0100555 2 0 7 194256 18768 1407477498 1407477498 1421926227 16384 40 0 /usr/bin/man


Have I fucked something up?


 
 Indeed, both the old BSD man(1) that was in OpenBSD 5.6 and the new
 mandoc man(1) that will be in OpenBSD 5.7 work on -current.
 

$ uname -srvm
OpenBSD 5.6 GENERIC#274 i386

-- 
BE ALERT  (The world needs more lerts ...)



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
On 2015-03-03 Tue 16:23 PM |, Craig Skinner wrote:
 $ stat -r /usr/bin/man
 10 47697 0100555 2 0 7 194256 18768 1407477498 1407477498 1421926227 16384 40 0 /usr/bin/man
 

$ ldd /usr/bin/man
/usr/bin/man:
Start    End      Type Open Ref GrpRef Name
19f51000 39f55000 exe  1    0   0      /usr/bin/man
06e0a000 26e3a000 rlib 0    1   0      /usr/lib/libc.so.77.0
0616a000 0616a000 rtld 0    1   0      /usr/libexec/ld.so


-- 
Justice, n.:
A decision in your favor.



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ingo Schwarze
Hi Craig,

Craig Skinner wrote on Tue, Mar 03, 2015 at 04:23:59PM +:
 On 2015-03-03 Tue 16:46 PM |, Ingo Schwarze wrote:

 That looks like the man you are executing is a shell script starting
 with #!/bin/sh.  In particular, it does not look like the mandoc
 implementation of man(1) because that doesn't create temporary files.

Wrong guess on my part.  :)

Thanks for the additional info.  Now i understand:

  schwarze@isnote $ /bin/rksh
  $ echo $SHELL
  /bin/ksh
  $ oman man | wc
   18510669857
  $ ^D
  schwarze@isnote $ export SHELL=/bin/rksh
  schwarze@isnote $ /bin/rksh  
  $ echo $SHELL
  /bin/rksh
  $ oman man
  sh: /tmp/man.Y6LfRbb1ys: restricted
  sh: /usr/bin/less: restricted

Here, oman is the OpenBSD 5.6 man binary running on -current.

So, what happens is this:  the traditional BSD man(1) used in OpenBSD
5.6 uses system(3), see build_page() and main() in the file
/usr/src/usr.bin/man/man.c.  Looking at the file
/usr/src/lib/libc/stdlib/system.c, you see that system(3) runs
_PATH_BSHELL, which is /bin/sh according to /usr/include/paths.h.

When you have SHELL set to /bin/ksh, the shell executed by system(3)
is unrestricted, so it *can* write to the temp file, and it can
start the pager with an absolute path.  That's why tedu@ failed to
reproduce your issue, i think.

On the other hand, when you have SHELL set to /bin/rksh, the shell
executed by system(3) is restricted and stuff fails - what you saw.

Now, the old BSD man(1) isn't very secure (system(3) - yikes!),
and as you see, the whole concept of restricted shells isn't
very secure either, more like some Swiss cheese: At least it's
easy to inadvertently set up in a way that the restrictions don't
actually take effect or can be circumvented.  Here is another
exploit of a technology that is weak in the first place:

  schwarze@isnote $ echo $SHELL 
  /bin/rksh
  schwarze@isnote $ /bin/rksh   
  $ cd /
  /bin/rksh: cd: restricted shell - can't cd
  $ csh
  isnote:schwarze {1} cd /
  isnote: {2} pwd
  /
  isnote: {3} 

The good news is that:

 * OpenBSD 5.7 no longer uses the old BSD man(1).
 * man(1) no longer writes temp files but uses pipe(2).
 * man(1) no longer uses system(3).
 * With the new mandoc implementation of man(1) in OpenBSD 5.7,
   man(1) works no matter what, even in a restricted shell
   with SHELL set to /bin/rksh.

So i fixed your problem some months before you reported it.  :-)

Yours,
  Ingo

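The pager hand-off Ingo describes for the new man(1), as an added example that is not code from OpenBSD's man(1) or mandoc: the formatted page goes to the pager over pipe(2) and the pager is exec'd directly, so neither a temp file nor a system(3)-spawned /bin/sh is involved. The function name is this example's own, and stdout is captured only so a caller can check the result.

```c
/* Added example, not code from OpenBSD's man(1): run the pager the way the
 * thread says the new mandoc man(1) does, over pipe(2) plus a direct exec,
 * instead of a temp file plus system(3). system(3) always goes through
 * _PATH_BSHELL; if that shell is restricted, both the temp file and the
 * absolute-path pager are refused. Function names here are this example's. */
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Feed `data` to the program in argv[0] on its stdin and collect its stdout
 * into `out` (captured only so a caller can check it; a real man(1) leaves
 * the pager on the terminal). Returns the child's exit status, -1 on error. */
static int run_pager_capture(char *const argv[], const char *data, size_t len,
                             char *out, size_t outsz)
{
    int in[2], outp[2];
    if (pipe(in) == -1 || pipe(outp) == -1)
        return -1;
    signal(SIGPIPE, SIG_IGN);           /* a pager that quits early must not kill us */
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                     /* child: become the pager */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execvp(argv[0], argv);          /* no /bin/sh in the path */
        _exit(127);
    }
    close(in[0]); close(outp[1]);
    /* the page goes down the pipe: nothing under /tmp for rksh to refuse */
    for (size_t off = 0; off < len; ) {
        ssize_t n = write(in[1], data + off, len - off);
        if (n <= 0) break;
        off += (size_t)n;
    }
    close(in[1]);
    size_t got = 0; ssize_t n;
    while (got + 1 < outsz && (n = read(outp[0], out + got, outsz - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    close(outp[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With a small page the write-then-read order is fine; a pager that emits more than a pipe buffer before consuming its input would need the two sides interleaved, which a real man(1) avoids by not capturing stdout at all.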


Re: How to view man pages with restricted ksh?

2015-03-03 Thread Ingo Schwarze
Hi Craig,

Craig Skinner wrote on Tue, Mar 03, 2015 at 06:00:55PM +:

 Unless there's a work around for 5.6, it's not long until 5.7

Well, if you want to, you can update just mandoc(1) and man(1)
to -current on OpenBSD 5.6, it is compatible.  Don't try mixing
versions in general, but in this particular case, it works.
Here is what i just did on the mdocml.bsd.lv server to try it out:

   $ cd /usr/src/usr.bin/mandoc/
   $ make cleandir  # just in case sb. did make w/o make obj
   $ cvs up -dP -rHEAD
   $ make obj
   $ make cleandir
   $ rm -f obj/*  # because arch.o lib.o vol.o existed in 5.6, not in 5.7
   $ make depend
   $ make
   $ sudo make install
   $ sudo makewhatis

Yours,
  Ingo



Re: How to view man pages with restricted ksh?

2015-03-03 Thread Craig Skinner
On 2015-03-03 Tue 18:21 PM |, Ingo Schwarze wrote:
 
 So I fixed your problem some months before you reported it.  :-)
 

Ace one Ingo.

Unless there's a work around for 5.6, it's not long until 5.7

Cheers.
-- 
Great Lover, n.:
A man who can breathe through his ears.