Bugtraq mailing list archives
Re: man problem
From: rickb () IAW ON CA (Rick Byers)
Date: Fri, 26 Dec 1997 13:55:41 -0500
On Wed, 24 Dec 1997, d wrote:
I just noticed a problem with the man system (version 2.3.10) on my Linux box: /usr/man contains the .gz'd man pages: [...]
When I execute man, a temporary file containing the un-zipped manpage is created in /tmp. The name of the tmp-file usually is "zman<PID>aaa", e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
Pretty much the same with unformatted 'roff pages on unix (at least with my suns around here; I assume others mostly do the same), with variously different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc. Another reason to use catman, I guess.
What a neat little trick. I never thought man would be a security hole.
It will depend on exactly HOW the temporary names are generated. NetBSD uses a similar formula for the name (man.XXXX), but it's guaranteed to be unique (mkstemp call) - so if you create the sym-links, it'll just name it something else. The use of mkstemp over mktemp is also supposed to avoid the race condition between generating the file name and opening it for writing.
Rick
=========================================================================
Rick Byers                                  Internet Access Worldwide
rickb () iaw on ca                          System Admin
University of Waterloo, Computer Science    (905)714-1400
http://www.iaw.on.ca/rickb/                 http://www.iaw.on.ca/
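
The difference between a predictable temporary name and mkstemp that the message above describes, as an added C example that is not part of the original post or of any man implementation. The function names, the `mandemo` directory and the result bitmask are assumptions made for the illustration, and the whole scenario is constructed inside a private directory.

```c
#define _XOPEN_SOURCE 700   /* expose mkstemp, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Predictable name opened without O_EXCL: open() follows an existing
 * symlink and truncates whatever it points to. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_EXCL: open() fails with EEXIST if anything, even a symlink, is at path. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* mkstemp() fills in XXXXXX and creates the file atomically, moving on to
 * another name if its candidate already exists. */
int open_mkstemp(const char *dir, char *out, size_t outlen) {
    if ((size_t)snprintf(out, outlen, "%s/man.XXXXXX", dir) >= outlen) return -1;
    return mkstemp(out);
}

/* Constructed scenario inside a private directory. Returns a bitmask:
 * 1 = predictable open clobbered the link target, 2 = O_EXCL open refused,
 * 4 = mkstemp returned a fresh regular file. */
int run_demo(void) {
    char dir[] = "/tmp/mandemo.XXXXXX", target[64], planted[64], fresh[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(planted, sizeof planted, "%s/zman10849aaa", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9 || close(fd) != 0) return -1;
    if (symlink(target, planted) != 0) return -1;   /* pre-existing link */
    close(open_predictable(planted));
    if (stat(target, &st) == 0 && st.st_size == 0) result |= 1;
    if (open_exclusive(planted) == -1 && errno == EEXIST) result |= 2;
    fd = open_mkstemp(dir, fresh, sizeof fresh);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) result |= 4;
    if (fd >= 0) { close(fd); unlink(fresh); }
    unlink(planted); unlink(target); rmdir(dir);
    return result;
}
int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```

A result of 7 means all three behaviours were observed: the plain open emptied the file behind the link, the O_EXCL open was refused, and mkstemp produced its own new file.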