Operating System - HP-UX
1830898 Members
3284 Online
110017 Solutions
New Discussion

Re: World writeable manpages

 
SOLVED
Go to solution
W.C. Epperson
Trusted Contributor

World writeable manpages

Doing a "man" on our 11.0 systems for a command not previously "man"-ed results in a world writeable manpage, e.g. "man man" for the first time results in:
-rw-rw-rw- 1 root root 9287 Jul 25 11:05 ./share/man/cat1.Z/man
.1

This trips audit alarms, but we have not been able to track down the cause yet. Anyone know the culprit? I was guessing a umask for a setuid executable somewhere in the process, but can't find one.
"I have great faith in fools; self-confidence, my friends call it." --Poe
8 REPLIES 8
Pete Randall
Outstanding Contributor

Re: World writeable manpages

Steven E. Protter
Exalted Contributor

Re: World writeable manpages

That is the default permission for man pages.

They are owned by root and are read/write.

This does not really present a huge security hazard because they are not programs that do anything.

I suppose someone could mess with them and lead a sysadmin to do something stupid.

Manually change the permissions and move on.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
James R. Ferguson
Acclaimed Contributor

Re: World writeable manpages

Hi:

I prefer to have (keep) pre-formatted pages anyway. Why not run 'catman -m' to create all pages; change the security as you see fit (auditors are a gross pain) and be done with this?

BTW, in keeping with my preference for pre-formatted pages, after any patch upgrade, Ignite upgrade, etc. I do:

# catman -m

Regards!

...JRF...

W.C. Epperson
Trusted Contributor

Re: World writeable manpages

Thanks, guys. If neither you three nor Clay knows why this happens, it would probably take the source code to figure out.

There are all kinds of workarounds that come to mind, and it's not really a security problem, it just rings bells for auditors (who ought to have something better to do anyway). Of course, my boss might get upset if she found out that the grep manpage was now about "Gratuitously Rectum Ejected Projectiles". ;)
"I have great faith in fools; self-confidence, my friends call it." --Poe
Pete Randall
Outstanding Contributor

Re: World writeable manpages

W.C.,

I thought Clay had a pretty good supposition as to why: "I suspect the reason for the 666 mode setting is so that when a change to a man page is needed, anyone can format and replace it from the manX.Z originals" and I thought James had a pretty good solution "run 'catman -m' to create all pages; change the security as you see fit".

Works for me anyway!


Pete


Pete
W.C. Epperson
Trusted Contributor

Re: World writeable manpages

OK, Pete, I bumped JRFs points. I was asking for explanation, not workaround, but it's viable.

As to having wide-open permissions so anyone can replace a manpage, it's not a very good reason. Everyone can change their passwords, but they don't have write on /etc/passwd. A setgid executable would seem to make more sense to me. As noted, this is not a serious security problem, but it's a gratuitous opportunity for mischief. And I'm paranoid by nature--was ISSO before they made me chief systems engineer.
"I have great faith in fools; self-confidence, my friends call it." --Poe
Pete Randall
Outstanding Contributor

Re: World writeable manpages

W.C.,

I agree - it's a lousy reason and a nagging security issue that *probably* would never come back to bite you, but . . .


Pete "Rampant Paranoia" Randall

Pete
Bill Hassell
Honored Contributor
Solution

Re: World writeable manpages

No culprint here. World writable man page directories are designed for the man page tools (man, catman, fixman). The /usr/share/man directory contains cat* directories that are 777, normally a big security issue. (it is curious that security scanners supposedly Unix-aware will hiccup on these legacy directories). You can certainly lock down the cat directories to 755 and the contents to 644, but then a new man page will not be created when an ordinary user uses man.

So the schools of thought are:

1. remove the cat directories and force *every* man page to be formatted *every* time. No security issues, just a burn of CPU and disk time. On a system with a 50Mhz CPU, this might be a meaningful delay.

2. change permissions on the cat* directories to 755 and contents to 644. root can format (and auto-save) man pages to the cat directories, while ordinary users will either read an pre-existing page or wait for the formatting message to disappear. A possible fix is to run catman in cron to regularly format/update the cat directories.

3. leave the permissions at 777 (666 for formatted man pages) and ask your security specialists to define the potential risk(s).


Bill Hassell, sysadmin