30843b9337
The catpaging and setuidness features of man(1) combined make it vulnerable to a number of security attacks. Specifically, it was possible to overwrite system catpages with arbitrarily contents by either setting up a symlink to a directory holding system catpages, or by writing custom -mdoc or -man groff(1) macro packages and setting up GROFF_TMAC_PATH in environment to point to them. (See PR below for details). This means man(1) can no longer create system catpages on a regular user's behalf. (It is still able to if the user has write permissions to the directory holding catpages, e.g., user's own manpages, or if the running user is ``root''.) To create and install catpages during ``make world'', please set MANBUILDCAT=YES in /etc/make.conf. To rebuild catpages on a weekly basis, please set weekly_catman_enable="YES" in /etc/periodic.conf. PR: bin/32791 |
||
|---|---|---|
| .. | ||
| include | ||
| lib | ||
| usr.bin | ||
| usr.sbin | ||
| COPYING | ||
| COPYING.LIB | ||
| Makefile | ||