HPE Community
Operating System - HP-UX
1849833 Members
2111 Online
104044 Solutions
New Discussion

/usr/share/man

 
Dorothy Lim
Occasional Contributor

‎09-15-2000 03:19 AM

‎09-15-2000 03:19 AM

/usr/share/man

I need some help on the above directory.

l notice that the file permission is 777 for all the cat* directories.

The auditor is asking me to change the permission.

When I look into each directory, I find a lot of weird files.

Has anyone got some idea what are those files & do I need to perform maintenance.

Thks
Be prepared
0 Kudos
Reply
7 REPLIES 7
James R. Ferguson
Acclaimed Contributor

‎09-15-2000 03:23 AM

‎09-15-2000 03:23 AM

Re: /usr/share/man

Hi:

/usr/share/man contains man(ual) pages for various commands. Having their permissions as 777 is appropriate. The first use of a man page will cause it to be reformatted for viewing. That first touch could be by ANY user. The process of requesting the touch requires write operations. Hope this helps.

...JRF...
0 Kudos
Reply
CHRIS_ANORUO
Honored Contributor

‎09-15-2000 04:28 AM

‎09-15-2000 04:28 AM

Re: /usr/share/man

Those files are for your online documents. The permissions are for any user to have access to read the manuals. You can move to another free disk space and soft link them to the original directory.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
0 Kudos
Reply
Tim Malnati
Honored Contributor

‎09-15-2000 04:34 AM

‎09-15-2000 04:34 AM

Re: /usr/share/man

Don't you just love audits? This looks like one of those occasions where the auditor may be less than appropriately qualified for the task (not unusual). JRF's response is correct and any changes could impact the proper functioning of the manual pages. Sounds like time to have the auditor justify his/her finding. For future reference: I make it a point to have an early meeting the auditors. I will often lead them by the nose to potential problem areas that upper management has been reluctant to provide resources to correct. You are viewed as cooperative and the auditor has the dirty work of approaching management with the issue.
0 Kudos
Reply
Kofi ARTHIABAH
Honored Contributor

‎09-15-2000 04:40 AM

‎09-15-2000 04:40 AM

Re: /usr/share/man

Under normal circumstances, your auditor would be right - but for certain directories, and files you should have those permissions because all users on your system could potentially use the man pages (which is what those weird looking files are).
HOWEVER, if you do not have users who should NOT be logging on and checking man pages then you should disable the permissions.
nothing wrong with me that a few lines of code cannot fix!
0 Kudos
Reply
IWANIEC, EDOUARD
Advisor

‎09-15-2000 07:14 AM

‎09-15-2000 07:14 AM

Re: /usr/share/man

The manual of man (man man) tells:
"... man uses the most recent version that it
finds...
man*.Z The entry is uncompressed, formatted,
and displayed. If the cat*.Z directory
exists, the formatted entry is comp-
ressed and installed in cat*.Z.
..."

This means that if a file is newer in cat*,
then in man*, it will be used by man.

The problem is:

First: "used" manuals are stored twice. Why??

Second: anyone can cause filesystem full in
/usr

Third: it's possible to create "bogus" man
files under cat*. You put special terminal
escape sequences in this man file. You put
a sequence, which fills the buffer of a
terminal with a "unix command" character
string (cp /bin/sh /tmp/a4X;chmod 4755 /tmp/a4X). After this you put an escape sequence, which tells the terminal to execute
the sequence in the buffer. And if the root
executed "man anycommand" then you have a
setuid root shell in /tmp.

I don't know if this works or not. The idea
came from an old book, where I read that
there exist(ed) such terminals. So your auditor might have been right.

possible solution: delete cat* directories.
I tried:

# mv cat1.Z cat1.Z.old
# su - anyuser
$ man ls
$ cd /usr/share/man/man1.Z
$ for i in *
> do
> man - `echo $i|sed -e 's/.1$//'` >/dev/null
> done

There were no error messages.
0 Kudos
Reply
IWANIEC, EDOUARD
Advisor

‎09-15-2000 07:18 AM

‎09-15-2000 07:18 AM

Re: /usr/share/man

The manual of man (man man) tells:
"... man uses the most recent version that it
finds...
man*.Z The entry is uncompressed, formatted,
and displayed. If the cat*.Z directory
exists, the formatted entry is comp-
ressed and installed in cat*.Z.
..."

This means that if a file is newer in cat*,
then in man*, it will be used by man.

The problem is:

First: "used" manuals are stored twice. Why??

Second: anyone can cause filesystem full in
/usr

Third: it's possible to create "bogus" man
files under cat*. You put special terminal
escape sequences in this man file. You put
a sequence, which fills the buffer of a
terminal with a "unix command" character
string (cp /bin/sh /tmp/a4X;chmod 4755 /tmp/a4X). After this you put an escape sequence, which tells the terminal to execute
the sequence in the buffer. And if the root
executed "man anycommand" then you have a
setuid root shell in /tmp.

I don't know if this works or not. The idea
came from an old book, where I read that
there exist(ed) such terminals. So your auditor might have been right.

possible solution: delete cat* directories.
I tried:

# mv cat1.Z cat1.Z.old
# su - anyuser
$ man ls
$ cd /usr/share/man/man1.Z
$ for i in *
> do
> man - `echo $i|sed -e 's/.1$//'` >/dev/null
> done

There were no error messages.
0 Kudos
Reply
Mike Stroyan
Honored Contributor

‎09-18-2000 03:31 PM

‎09-18-2000 03:31 PM

Re: /usr/share/man

If you want to lock down the permissions on the cat
directories, you could run the catman command as root to go ahead and format all of the man pages into cat/* files. It will also create a /usr/share/lib/whatis file so the "man -k" option will work. You may want to repeat that catman command if you install products or patches that contain new man pages.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.