topic Re: /usr/share/man in Operating System - HP-UX

/usr/share/man

Dorothy Lim — Fri, 15 Sep 2000 10:19:09 GMT

I need some help on the above directory.

l notice that the file permission is 777 for all the cat* directories.

The auditor is asking me to change the permission.

When I look into each directory, I find a lot of weird files.

Has anyone got some idea what are those files & do I need to perform maintenance.

Thks

Re: /usr/share/man

James R. Ferguson — Fri, 15 Sep 2000 10:23:53 GMT

Hi:

/usr/share/man contains man(ual) pages for various commands. Having their permissions as 777 is appropriate. The first use of a man page will cause it to be reformatted for viewing. That first touch could be by ANY user. The process of requesting the touch requires write operations. Hope this helps.

...JRF...

Re: /usr/share/man

CHRIS_ANORUO — Fri, 15 Sep 2000 11:28:57 GMT

Those files are for your online documents. The permissions are for any user to have access to read the manuals. You can move to another free disk space and soft link them to the original directory.

Re: /usr/share/man

Tim Malnati — Fri, 15 Sep 2000 11:34:57 GMT

Don't you just love audits? This looks like one of those occasions where the auditor may be less than appropriately qualified for the task (not unusual). JRF's response is correct and any changes could impact the proper functioning of the manual pages. Sounds like time to have the auditor justify his/her finding. For future reference: I make it a point to have an early meeting the auditors. I will often lead them by the nose to potential problem areas that upper management has been reluctant to provide resources to correct. You are viewed as cooperative and the auditor has the dirty work of approaching management with the issue.

Re: /usr/share/man

Kofi ARTHIABAH — Fri, 15 Sep 2000 11:40:40 GMT

Under normal circumstances, your auditor would be right - but for certain directories, and files you should have those permissions because all users on your system could potentially use the man pages (which is what those weird looking files are).
HOWEVER, if you do not have users who should NOT be logging on and checking man pages then you should disable the permissions.

Re: /usr/share/man

IWANIEC, EDOUARD — Fri, 15 Sep 2000 14:14:34 GMT

The manual of man (man man) tells:
"... man uses the most recent version that it
finds...
man*.Z The entry is uncompressed, formatted,
and displayed. If the cat*.Z directory
exists, the formatted entry is comp-
ressed and installed in cat*.Z.
..."

This means that if a file is newer in cat*,
then in man*, it will be used by man.

The problem is:

First: "used" manuals are stored twice. Why??

Second: anyone can cause filesystem full in
/usr

Third: it's possible to create "bogus" man
files under cat*. You put special terminal
escape sequences in this man file. You put
a sequence, which fills the buffer of a
terminal with a "unix command" character
string (cp /bin/sh /tmp/a4X;chmod 4755 /tmp/a4X). After this you put an escape sequence, which tells the terminal to execute
the sequence in the buffer. And if the root
executed "man anycommand" then you have a
setuid root shell in /tmp.

I don't know if this works or not. The idea
came from an old book, where I read that
there exist(ed) such terminals. So your auditor might have been right.

possible solution: delete cat* directories.
I tried:

# mv cat1.Z cat1.Z.old
# su - anyuser
$ man ls
$ cd /usr/share/man/man1.Z
$ for i in *
> do
> man - `echo $i|sed -e 's/.1$//'` >/dev/null
> done

There were no error messages.

Re: /usr/share/man

IWANIEC, EDOUARD — Fri, 15 Sep 2000 14:18:39 GMT

Re: /usr/share/man

Mike Stroyan — Mon, 18 Sep 2000 22:31:19 GMT

If you want to lock down the permissions on the cat
directories, you could run the catman command as root to go ahead and format all of the man pages into cat/* files. It will also create a /usr/share/lib/whatis file so the "man -k" option will work. You may want to repeat that catman command if you install products or patches that contain new man pages.