Bugtraq mailing list archives

Re: SGID man


From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Sun, 1 Aug 1999 10:43:27 +0200


Solar Designer wrote:

> [ghost@alice ghost]$ man id
> Formatting page, please wait...
> [ghost@alice ghost]$ ls -l /var/catman/cat1/id.1.gz
> -r--rw-r--   1 ghost    man           806 Aug  1 06:14 /var/catman/cat1/id.1.gz

On some systems you can prevent this by making the catman directories
suid to a dummy user. On those systems all files or directories created
in these directories then get owned by this dummy user and not the user
running the command. Patch attached for linux ext2 to allow suid
directories.

On systems where suid directories do not help, I guess you have no
option but to disable the feature that man saves the preformatted page
when invoked by a user if you do not like users to be able to spoof man
pages. This can be done by removing any suid/sgid bits from
/usr/bin/man, and making sure that the catman directories are not world
writeable.

If you still want to have preformatted pages available for your users,
make the catman directories owned by a dummy user (for example catman),
and run catman as this user to create all preformatted man pages in one
big batch (or man on individual man pages if catman is not available).
You can also make selected trusted users members of the man group to
allow them to generate preformatted man pages when there is a need to.

--
Henrik Nordstrom


--- linux/fs/ext2/ialloc.c.orig Mon Jul 19 00:23:15 1999
+++ linux/fs/ext2/ialloc.c      Sun Aug  1 10:37:24 1999
@@ -449,7 +449,12 @@
        inode->i_sb = sb;
        inode->i_nlink = 1;
        inode->i_dev = sb->s_dev;
-       inode->i_uid = current->fsuid;
+       if (dir->i_mode & S_ISUID) {
+               inode->i_uid = dir->i_uid;
+               if (S_ISDIR(mode))
+                       mode |= S_ISUID;
+       } else
+               inode->i_uid = current->fsuid;
        if (test_opt (sb, GRPID))
                inode->i_gid = dir->i_gid;
        else if (dir->i_mode & S_ISGID) {
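
Review bot: in the new "if (dir->i_mode & S_ISUID)" branch, a non-directory inode takes dir->i_uid as its owner while mode stays exactly as the caller supplied it; only the S_ISDIR(mode) case is adjusted. Nothing in the visible lines clears S_ISUID or S_ISGID from mode for regular files, so a file created in such a directory could carry a setuid bit under the directory owner's uid. Suggest masking those bits whenever ownership is inherited, e.g. "mode &= ~(S_ISUID | S_ISGID)" for non-directories, and consider ignoring the directory bit when dir->i_uid is 0. Style: the bare "else" should get braces to match the braced "if" branch.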



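An added example, not part of the original message: a POSIX sh check for the configuration recommended above (no suid/sgid bit on man, nothing world-writable under the catman tree, every cat page owned by the dummy account). The function name audit_catman and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the setup recommended in the message above.
# usage: audit_catman MAN_BINARY CATMAN_ROOT OWNER
# OWNER is the dummy account (name or numeric uid) that should own every
# cat page. Prints one line per finding; returns 0 if clean, 1 if there
# are findings, 2 if a path is missing or find fails.
audit_catman() {
    man_bin=$1; cat_root=$2; owner=$3; status=0

    if [ ! -f "$man_bin" ] || [ ! -d "$cat_root" ]; then
        echo "MISSING $man_bin or $cat_root"
        return 2
    fi

    # man must carry no suid/sgid bit, so it cannot save formatted
    # pages on behalf of whoever invokes it.
    bad=$(find "$man_bin" \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$bad" ]; then
        echo "SUID_SGID_MAN $bad"; status=1
    fi

    # Nothing under the catman tree may be world-writable
    # (symlinks always show mode 0777, so skip them).
    bad=$(find "$cat_root" ! -type l -perm -0002 -print)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/WORLD_WRITABLE /'; status=1
    fi

    # Every directory and cat page must belong to the dummy account; a
    # page owned by an ordinary user (like id.1.gz in the quoted
    # listing) can be rewritten by that user.
    bad=$(find "$cat_root" ! -user "$owner" -print) ||
        { echo "FIND_ERROR owner=$owner"; return 2; }
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/WRONG_OWNER /'; status=1
    fi
    return $status
}

# Run directly, e.g.: sh audit.sh /usr/bin/man /var/catman catman
if [ "$#" -eq 3 ]; then
    audit_catman "$@"
fi
```
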