| Commit message | Author | Age |
man-db has created its cache directories as setgid root for nearly 20
years. This seems to have originated in https://bugs.debian.org/26002.
However, this has some dangerous consequences, such as:
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
It seems best to arrange for cache files and directories to be man:man
rather than man:root. To do this reliably, as well as adjusting various
chown and chmod calls, we make man and mandb be setgid man as well as
setuid man (except in the --disable-setuid case). This is a much
simpler and safer solution to the original problem, and doesn't
introduce any interesting new privilege since the man group's only real
purpose is to be the man user's primary group and nothing in cache
directories is group-writeable.
* configure.ac (AC_CHECK_FUNCS): Add lchown.
* lib/security.c (init_security): Record initial real and effective
group IDs as well as user IDs.
(drop_effective_privs, regain_effective_privs): Update gid.
* lib/xchown.c (xlchown) [HAVE_LCHOWN]: New function.
* lib/xchown.c (xlchown) [HAVE_LCHOWN]: Add prototype.
* m4/man-arg-setuid.m4: Set man_mode to 6755 rather than 4755 in the
--enable-setuid case.
* src/Makefile.am (install-exec-hook): Check for man_mode being 6755
rather than 4755. Set the group of man and mandb as well as their
owner.
* src/check_mandirs.c (chown_if_possible): New function. This is
somewhat more careful than previous implementations, changes the group
as well as the user if possible, and prefers lchown if it is available.
(mkcatdirs): Drop S_ISGID from cat directories. Use chown_if_possible.
(fix_permissions, fix_permissions_tree): New functions to remove setgid
bit from existing cat directories.
(testmandirs): Call fix_permissions_tree.
* src/check_mandirs.h (chown_if_possible): Add prototype.
* src/man.c (commit_tmp_cat): Set cat file group as well as owner.
* src/mandb.c (check_chown): Remove.
(do_chown): Stop taking a uid parameter. Use chown_if_possible.
(mandb): Use chown_if_possible for CACHEDIR.TAG. Set ownership and
permissions of CACHEDIR.TAG even if it already exists.
(process_manpath): Set ownership of database files even if they have not
been changed.
|
* m4/man-arg-setuid.m4: Set man_mode="755" if --disable-cache-owner was
given and neither --enable-setuid nor --disable-setuid was given.
|
It's useful to have a notion of the cache owner even when man is not
installed setuid. --enable-setuid no longer takes an argument, and the
owner is now set by the --enable-cache-owner option instead.

* m4/man-arg-cache-owner.m4: New file.
* m4/man-arg-setuid.m4: Stop accepting an argument. Only set man_mode,
not man_owner.
* configure.ac: Call MAN_ARG_CACHE_OWNER.
* src/Makefile.am (install-exec-hook): Only chown man and mandb if
man_mode is 4755 (as well as the existing test for man_owner being
non-empty).
|
* m4/man-arg-automatic-create.m4, m4/man-arg-automatic-update.m4,
m4/man-arg-cats.m4, m4/man-arg-config-file.m4, m4/man-arg-db.m4,
m4/man-arg-device.m4, m4/man-arg-mandirs.m4,
m4/man-arg-override-dir.m4, m4/man-arg-sections.m4,
m4/man-arg-setuid.m4, m4/man-arg-systemdtmpfilesdir.m4,
m4/man-arg-undoc.m4: New files.
* configure.ac: Call new macros rather than inlining argument
handling.