World writeable manpages
07-25-2003 07:14 AM
-rw-rw-rw- 1 root root 9287 Jul 25 11:05 ./share/man/cat1.Z/man.1
This trips audit alarms, but we have not been able to track down the cause yet. Anyone know the culprit? I was guessing a umask for a setuid executable somewhere in the process, but can't find one.
07-25-2003 07:18 AM
Check Clay's final answer in this thread:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x3cc2506d69a7d711abdc0090277a778c,00.html
Pete
07-25-2003 07:19 AM
They are owned by root and are read/write.
This does not really present a huge security hazard because they are not programs that do anything.
I suppose someone could mess with them and lead a sysadmin to do something stupid.
Manually change the permissions and move on.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
07-25-2003 07:20 AM
I prefer to have (keep) pre-formatted pages anyway. Why not run 'catman -m' to create all pages; change the security as you see fit (auditors are a gross pain) and be done with this?
BTW, in keeping with my preference for pre-formatted pages, after any patch upgrade, Ignite upgrade, etc. I do:
# catman -m
Regards!
...JRF...
07-25-2003 08:57 AM
There are all kinds of workarounds that come to mind, and it's not really a security problem, it just rings bells for auditors (who ought to have something better to do anyway). Of course, my boss might get upset if she found out that the grep manpage was now about "Gratuitously Rectum Ejected Projectiles". ;)
07-25-2003 09:02 AM
I thought Clay had a pretty good supposition as to why: "I suspect the reason for the 666 mode setting is so that when a change to a man page is needed, anyone can format and replace it from the manX.Z originals" and I thought James had a pretty good solution "run 'catman -m' to create all pages; change the security as you see fit".
Works for me anyway!
Pete
07-25-2003 09:31 AM
As to having wide-open permissions so anyone can replace a manpage, it's not a very good reason. Everyone can change their passwords, but they don't have write on /etc/passwd. A setgid executable would seem to make more sense to me. As noted, this is not a serious security problem, but it's a gratuitous opportunity for mischief. And I'm paranoid by nature--was ISSO before they made me chief systems engineer.
07-25-2003 09:37 AM
I agree - it's a lousy reason and a nagging security issue that *probably* would never come back to bite you, but . . .
Pete "Rampant Paranoia" Randall
Pete
07-25-2003 05:16 PM
So the schools of thought are:
1. remove the cat directories and force *every* man page to be formatted *every* time. No security issues, just a burn of CPU and disk time. On a system with a 50MHz CPU, this might be a meaningful delay.
2. change permissions on the cat* directories to 755 and contents to 644. root can format (and auto-save) man pages to the cat directories, while ordinary users will either read a pre-existing page or wait for the formatting message to disappear. A possible fix is to run catman in cron to regularly format/update the cat directories.
3. leave the permissions at 777 (666 for formatted man pages) and ask your security specialists to define the potential risk(s).
Bill Hassell, sysadmin
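
Added example (not part of the original thread): one way to audit for the world-writable cat* entries that tripped the alarm and to apply option 2 above. The default man root /usr/share/man and the script name manperms.sh are assumptions; pass the real root as an argument.

```shell
#!/bin/sh
# Added example, not from the thread. The default root /usr/share/man is an
# assumption; pass the real man root as the argument.

# Print every cat* directory under the man root (any depth, e.g. locale subtrees).
cat_dirs() {
    find "${1:-/usr/share/man}" -type d -name 'cat*' -prune -print
}

# Report world-writable directories and files inside the cat* directories.
# find does not follow symlinks here, so a link planted in a 777 directory
# is never reported as (or later treated as) a regular file.
audit_cat_perms() {
    cat_dirs "${1:-}" | while IFS= read -r d; do
        find "$d" \( -type d -o -type f \) -perm -0002 -print
    done
}

# Option 2 from the post: directories to 755, formatted pages to 644.
fix_cat_perms() {
    cat_dirs "${1:-}" | while IFS= read -r d; do
        find "$d" -type d -exec chmod 755 {} +
        find "$d" -type f -exec chmod 644 {} +
    done
}

# Usage (hypothetical script name): sh manperms.sh audit|fix [manroot]
case "${1:-}" in
    audit) audit_cat_perms "${2:-}" ;;
    fix)   fix_cat_perms "${2:-}" ;;
esac
```

Pages that ordinary users saved while the directories were 777 keep their original owner, so check ownership as well as mode. After the change only root can save formatted pages, which is why the post pairs it with a regular catman run.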
