<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: World writeable manpages in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033706#M133095</link>
    <description>Thanks, guys.  If neither you three nor Clay knows why this happens, it would probably take the source code to figure out.&lt;BR /&gt;&lt;BR /&gt;There are all kinds of workarounds that come to mind, and it's not really a security problem, it just rings bells for auditors (who ought to have something better to do anyway).  Of course, my boss might get upset if she found out that the grep manpage was now about "Gratuitously Rectum Ejected Projectiles".  ;)</description>
    <pubDate>Fri, 25 Jul 2003 15:57:21 GMT</pubDate>
    <dc:creator>W.C. Epperson</dc:creator>
    <dc:date>2003-07-25T15:57:21Z</dc:date>
    <item>
      <title>World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033702#M133091</link>
      <description>Doing a "man" on our 11.0 systems for a command not previously "man"-ed results in a world writeable manpage, e.g. "man man" for the first time results in:&lt;BR /&gt;-rw-rw-rw-   1 root       root          9287 Jul 25 11:05 ./share/man/cat1.Z/man.1&lt;BR /&gt;&lt;BR /&gt;This trips audit alarms, but we have not been able to track down the cause yet.  Anyone know the culprit?  I was guessing a umask for a setuid executable somewhere in the process, but can't find one.</description>
      <pubDate>Fri, 25 Jul 2003 14:14:36 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033702#M133091</guid>
      <dc:creator>W.C. Epperson</dc:creator>
      <dc:date>2003-07-25T14:14:36Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033703#M133092</link>
      <description>W.C.,&lt;BR /&gt;&lt;BR /&gt;Check Clay's final answer in this thread:&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x3cc2506d69a7d711abdc0090277a778c,00.html" target="_blank"&gt;http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x3cc2506d69a7d711abdc0090277a778c,00.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Pete&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Fri, 25 Jul 2003 14:18:58 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033703#M133092</guid>
      <dc:creator>Pete Randall</dc:creator>
      <dc:date>2003-07-25T14:18:58Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033704#M133093</link>
      <description>That is the default permission for man pages.&lt;BR /&gt;&lt;BR /&gt;They are owned by root and are read/write.&lt;BR /&gt;&lt;BR /&gt;This does not really present a huge security hazard because they are not programs that do anything.&lt;BR /&gt;&lt;BR /&gt;I suppose someone could mess with them and lead a sysadmin to do something stupid.&lt;BR /&gt;&lt;BR /&gt;Manually change the permissions and move on.&lt;BR /&gt;&lt;BR /&gt;SEP</description>
      <pubDate>Fri, 25 Jul 2003 14:19:30 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033704#M133093</guid>
      <dc:creator>Steven E. Protter</dc:creator>
      <dc:date>2003-07-25T14:19:30Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033705#M133094</link>
      <description>Hi:&lt;BR /&gt;&lt;BR /&gt;I prefer to have (keep) pre-formatted pages anyway.  Why not run 'catman -m' to create all pages; change the security as you see fit (auditors are a gross pain) and be done with this?&lt;BR /&gt;&lt;BR /&gt;BTW, in keeping with my preference for pre-formatted pages, after any patch upgrade, Ignite upgrade, etc. I do:&lt;BR /&gt;&lt;BR /&gt;# catman -m&lt;BR /&gt;&lt;BR /&gt;Regards!&lt;BR /&gt;&lt;BR /&gt;...JRF...&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Fri, 25 Jul 2003 14:20:26 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033705#M133094</guid>
      <dc:creator>James R. Ferguson</dc:creator>
      <dc:date>2003-07-25T14:20:26Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033706#M133095</link>
      <description>Thanks, guys.  If neither you three nor Clay knows why this happens, it would probably take the source code to figure out.&lt;BR /&gt;&lt;BR /&gt;There are all kinds of workarounds that come to mind, and it's not really a security problem, it just rings bells for auditors (who ought to have something better to do anyway).  Of course, my boss might get upset if she found out that the grep manpage was now about "Gratuitously Rectum Ejected Projectiles".  ;)</description>
      <pubDate>Fri, 25 Jul 2003 15:57:21 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033706#M133095</guid>
      <dc:creator>W.C. Epperson</dc:creator>
      <dc:date>2003-07-25T15:57:21Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033707#M133096</link>
      <description>W.C.,&lt;BR /&gt;&lt;BR /&gt;I thought Clay had a pretty good supposition as to why:  "I suspect the reason for the 666 mode setting is so that when a change to a man page is needed, anyone can format and replace it from the manX.Z originals" and I thought James had a pretty good solution "run 'catman -m' to create all pages; change the security as you see fit".&lt;BR /&gt;&lt;BR /&gt;Works for me anyway!&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Pete&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Fri, 25 Jul 2003 16:02:15 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033707#M133096</guid>
      <dc:creator>Pete Randall</dc:creator>
      <dc:date>2003-07-25T16:02:15Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033708#M133097</link>
      <description>OK, Pete, I bumped JRF's points.  I was asking for explanation, not workaround, but it's viable.&lt;BR /&gt;&lt;BR /&gt;As to having wide-open permissions so anyone can replace a manpage, it's not a very good reason.  Everyone can change their passwords, but they don't have write on /etc/passwd.  A setgid executable would seem to make more sense to me.  As noted, this is not a serious security problem, but it's a gratuitous opportunity for mischief.  And I'm paranoid by nature--was ISSO before they made me chief systems engineer.</description>
      <pubDate>Fri, 25 Jul 2003 16:31:52 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033708#M133097</guid>
      <dc:creator>W.C. Epperson</dc:creator>
      <dc:date>2003-07-25T16:31:52Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033709#M133098</link>
      <description>W.C.,&lt;BR /&gt;&lt;BR /&gt;I agree - it's a lousy reason and a nagging security issue that *probably* would never come back to bite you, but . . . &lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Pete "Rampant Paranoia" Randall</description>
      <pubDate>Fri, 25 Jul 2003 16:37:19 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033709#M133098</guid>
      <dc:creator>Pete Randall</dc:creator>
      <dc:date>2003-07-25T16:37:19Z</dc:date>
    </item>
    <item>
      <title>Re: World writeable manpages</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033710#M133099</link>
      <description>No culprit here. World writable man page directories are designed for the man page tools (man, catman, fixman).  The /usr/share/man directory contains cat* directories that are 777, normally a big security issue. (It is curious that security scanners supposedly Unix-aware will hiccup on these legacy directories.)  You can certainly lock down the cat directories to 755 and the contents to 644, but then a new man page will not be created when an ordinary user uses man.&lt;BR /&gt;&lt;BR /&gt;So the schools of thought are:&lt;BR /&gt;&lt;BR /&gt;1. remove the cat directories and force *every* man page to be formatted *every* time. No security issues, just a burn of CPU and disk time. On a system with a 50MHz CPU, this might be a meaningful delay.&lt;BR /&gt;&lt;BR /&gt;2. change permissions on the cat* directories to 755 and contents to 644. root can format (and auto-save) man pages to the cat directories, while ordinary users will either read a pre-existing page or wait for the formatting message to disappear. A possible fix is to run catman in cron to regularly format/update the cat directories.&lt;BR /&gt;&lt;BR /&gt;3. leave the permissions at 777 (666 for formatted man pages) and ask your security specialists to define the potential risk(s).</description>
      <pubDate>Sat, 26 Jul 2003 00:16:16 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/world-writeable-manpages/m-p/3033710#M133099</guid>
      <dc:creator>Bill Hassell</dc:creator>
      <dc:date>2003-07-26T00:16:16Z</dc:date>
    </item>
  </channel>
</rss>

