Bugtraq mailing list archives

Re: man problem


From: rickb () IAW ON CA (Rick Byers)
Date: Fri, 26 Dec 1997 13:55:41 -0500


On Wed, 24 Dec 1997, d wrote:

> I just noticed a problem with the man system (version 2.3.10) on my Linux
> box: /usr/man contains the .gz'd man pages:
> [...]
> When I execute man, a temporary file containing the un-zipped manpage is
> created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
> e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
>
> Pretty much the same with unformatted 'roff pages on unix (at least with
> my suns around here; I assume others mostly do the same), with variously
> different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc.
> Another reason to use catman, I guess.

What a neat little trick.  I never thought man would be a security hole.

It will depend on exactly HOW the temporary names are generated.  NetBSD
uses a similar formula for the name (man.XXXX), but it's guaranteed to be
unique (mkstemp call) - so if you create the symlinks, it'll just name it
something else.  The use of mkstemp over mktemp is also supposed to avoid
the race condition between generating the file name and opening it for
writing.

Rick

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb () iaw on ca                                              System Admin
University of Waterloo, Computer Science                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/
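The two patterns Rick contrasts, worked through as an added example; this is not code from the original post, from the man package, or from NetBSD. The vulnerable half reproduces the "zman<PID>aaa" naming and opens the file without O_EXCL, so an attacker who pre-plants a symlink at the predicted name gets man's output written into any file they choose. The hardened half shows why the mkstemp approach resists that: an O_CREAT|O_EXCL open refuses a path that is already a symlink (EEXIST), and mkstemp picks a random suffix on top of that. The sandbox directory name (/tmp/manrace.XXXXXX), the file names and all helper functions are assumptions of this example; everything runs inside a fresh mkdtemp directory so no real user file is touched.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample contents: what the victim file holds before the attack,
   and what the (pretend) man(1) writes into its temporary file. */
#define VICTIM_TEXT "victim's original contents"
#define PAYLOAD     "unzipped man page written by man"

static int write_file(const char *path, int flags, const char *text) {
    int fd = open(path, flags, 0600);          /* on failure errno is left set */
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 0;
}

/* Build a sandbox (hypothetical /tmp/manrace.XXXXXX) holding a victim file and
   the attacker's move: a symlink planted at the name the 1997 man(1) would
   use, "zman<PID>aaa", pointing at the victim. */
static int setup(char *dir, char *victim, char *predicted) {
    strcpy(dir, "/tmp/manrace.XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, PATH_MAX, "%s/victim", dir);
    snprintf(predicted, PATH_MAX, "%s/zman%daaa", dir, (int)getpid());
    if (write_file(victim, O_WRONLY | O_CREAT | O_TRUNC, VICTIM_TEXT) < 0) return -1;
    return symlink(victim, predicted);
}

static void teardown(const char *dir, const char *victim, const char *predicted,
                     const char *extra) {
    if (extra) unlink(extra);
    unlink(predicted);
    unlink(victim);
    rmdir(dir);
}

/* Vulnerable pattern: predictable name plus an open() that follows symlinks.
   Returns 1 if the victim file was overwritten (attack succeeded), 0 if not,
   -1 on a setup error. */
int demo_predictable_name(void) {
    char dir[PATH_MAX], victim[PATH_MAX], predicted[PATH_MAX], got[256];
    if (setup(dir, victim, predicted) < 0) return -1;
    int rc = write_file(predicted, O_WRONLY | O_CREAT | O_TRUNC, PAYLOAD);
    int clobbered = rc == 0 && read_file(victim, got, sizeof got) == 0
                    && strcmp(got, PAYLOAD) == 0;
    teardown(dir, victim, predicted, NULL);
    return clobbered;
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST on the planted symlink
   instead of following it, and mkstemp(3) (which opens with O_CREAT|O_EXCL
   itself) lands on a random name the attacker could not have predicted.
   Returns 1 if the exclusive open was refused, mkstemp created a different
   file, and the victim is untouched. */
int demo_exclusive_create(void) {
    char dir[PATH_MAX], victim[PATH_MAX], predicted[PATH_MAX], tmpl[PATH_MAX], got[256];
    if (setup(dir, victim, predicted) < 0) return -1;
    int excl_rc = write_file(predicted, O_WRONLY | O_CREAT | O_EXCL, PAYLOAD);
    int refused = excl_rc < 0 && errno == EEXIST;
    snprintf(tmpl, sizeof tmpl, "%s/man.XXXXXX", dir);
    int fd = mkstemp(tmpl);
    int fresh = fd >= 0 && strcmp(tmpl, predicted) != 0
                && write(fd, PAYLOAD, strlen(PAYLOAD)) == (ssize_t)strlen(PAYLOAD);
    if (fd >= 0) close(fd);
    int intact = read_file(victim, got, sizeof got) == 0 && strcmp(got, VICTIM_TEXT) == 0;
    teardown(dir, victim, predicted, fd >= 0 ? tmpl : NULL);
    return refused && fresh && intact;
}

int main(void) {
    printf("predictable name, plain open(): victim clobbered = %d\n", demo_predictable_name());
    printf("O_EXCL / mkstemp: attack refused, victim intact = %d\n", demo_exclusive_create());
    return 0;
}
```

Note that the random suffix alone is not what closes the race: an attacker who can watch /tmp can still try to plant a link between name generation and open. It is the O_EXCL in the open, which mkstemp always supplies and mktemp-then-fopen never does, that makes the creation atomic. On current Linux kernels fs.protected_symlinks additionally refuses to follow symlinks in sticky world-writable directories such as /tmp when the link and the follower have different owners; the sandbox above is a private directory, so that mitigation does not interfere with the demonstration.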

