From masafumi@tky007.tth.expo96.ad.jp  Tue Jul  9 16:00:40 1996
Received: from mail.tky007.tth.expo96.ad.jp (root@tky007.tth.expo96.ad.jp [133.246.32.58])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA15841
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 9 Jul 1996 16:00:34 -0700 (PDT)
Received: (from masafumi@localhost) by mail.tky007.tth.expo96.ad.jp (8.7.5/3.4W4-SMTP) id HAA25766; Wed, 10 Jul 1996 07:59:59 +0900 (JST)
Message-Id: <199607092259.HAA25766@mail.tky007.tth.expo96.ad.jp>
Date: Wed, 10 Jul 1996 07:59:59 +0900 (JST)
From: Masafumi NAKANE <masafumi@tky007.tth.expo96.ad.jp>
Reply-To: max@sfc.wide.ad.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: Man command problem, when it writes into symlinked dir
X-Send-Pr-Version: 3.2

>Number:         1379
>Category:       gnu
>Synopsis:       Man command problem, when it writes into symlinked dir
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul  9 16:10:01 PDT 1996
>Closed-Date:    Thu Jul 10 23:05:05 PDT 1997
>Last-Modified:  Thu Jul 10 23:05:43 PDT 1997
>Originator:     Masafumi NAKANE
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
>Environment:

	
This problem occurs on FreeBSD-current with CTM deltas up to
src-cur.1973 applied.

>Description:
The man command doesn't check the owner of the symbolic link when it
writes the formatted man page out to symlinked cat? directory.  This
makes it possible for non-super-user to populate /usr/share/man/cat?
directories (or any directories owned by the user man) with junk
and/or replace existing pre-formatted man pages with meangless files.
	

>How-To-Repeat:
% setenv MANPATH $HOME/man
% mkdir $HOME/man
% mkdir $HOME/man/man1
% ln -s /usr/share/man/cat1 $HOME/man/cat1
% touch $HOME/man/man1/whatever.1
% man whatever

	

>Fix:
	
	

>Release-Note:
>Audit-Trail:

From: J Wunsch <j@uriah.heep.sax.de>
To: max@sfc.wide.ad.jp
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: gnu/1379: Man command problem, when it writes into symlinked dir
Date: Wed, 10 Jul 1996 09:37:39 +0200 (MET DST)

 As Masafumi NAKANE wrote:
 
 > The man command doesn't check the owner of the symbolic link when it
 > writes the formatted man page out to symlinked cat? directory.
 
 The man command itself does not need to check anything (except for
 deciding whether it should present the message ``Formatting man
 page.'')
 
 As long as the target directory permissions are sufficient for it to
 write something there (i.e., for the setuid man command, the target
 directory is writable by user `man'), it can write the cat page,
 otherwise it simply can't do it.  It's not running setuid root, and it
 never did.
 
 Btw., symlinks don't have an owner or other attributes.  What you see
 as their owner is the ownership and permission of their parent
 directory, but it's entirely meaningless as long as the *target* of
 the symlink is concerned.
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
State-Changed-From-To: open->feedback 
State-Changed-By: scrappy 
State-Changed-When: Tue Oct 22 21:33:14 PDT 1996 
State-Changed-Why:  

Confirm Status 
State-Changed-From-To: feedback->open 
State-Changed-By: scrappy 
State-Changed-When: Tue Oct 22 21:51:39 PDT 1996 
State-Changed-Why:  

Yes, this problem still exists.  However, it may be problem with 
strategy to organize symbolic links or filesystem rather than the man 
command itself.  (I don't really know, I read some response to my PR 
saying this kind of thing.)  But, anyway, at least farther 
investigation is required, I believe. 

Thanks. 

----------------------------------------------------------------------- 
Masafumi NAKANE, Keio Univ., Dept. of Environmental Information 
E-Mail : max@wide.ad.jp / max@FreeBSD.ORG 

State-Changed-From-To: open->closed 
State-Changed-By: max 
State-Changed-When: Thu Jul 10 23:05:05 PDT 1997 
State-Changed-Why:  
The recent changes regarding symlinks fixed this problem. 
>Unformatted:
