The code will be fixed for all known security vulnerabilities,
and a make.conf(5) knob (ENABLE_SUID_MAN) will be provided for
those who still want it installed setuid for whatever reasons.
The catpaging and setuidness features of man(1) combined make
it vulnerable to a number of security attacks. Specifically,
it was possible to overwrite system catpages with arbitrary
contents by either setting up a symlink to a directory holding
system catpages, or by writing custom -mdoc or -man groff(1)
macro packages and setting up GROFF_TMAC_PATH in environment
to point to them. (See PR below for details).
This means man(1) can no longer create system catpages on a
regular user's behalf. (It is still able to if the user has
write permissions to the directory holding catpages, e.g.,
user's own manpages, or if the running user is ``root''.)
To create and install catpages during ``make world'', please
set MANBUILDCAT=YES in /etc/make.conf. To rebuild catpages
on a weekly basis, please set weekly_catman_enable="YES" in
/etc/periodic.conf.
PR: bin/32791
back (as of man.c,v 1.45), change the meaning of the -m option
from poorly documented and badly coded "alternate system" to a
much more useful "different architecture for the same system".
PR: docs/31261
: As some manual pages are intended only for specific architectures,
: man searches any subdirectories, with the same name as the current
: architecture, in every directory which it searches. Machine specific
: areas are checked before general areas. The current machine type may
: be overridden by setting the environment variable MACHINE to the name
: of a specific architecture.
groff(1) devices for localized and non-localized pages.
Currently, for *.ISO_8859-1 locales the device in both
cases is "latin1", and for KOI8-R locale it is "koi8-r"
for localized and "ascii" for non-localized pages.
Discussed with: des
executing apropos or whatis. This prevents `man -k ';echo foo'` from
executing `echo foo` and causes apropos to print an error message instead.
Add $FreeBSD$ while I am here.
Noticed by: chris
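
The `man -k ';echo foo'` case from the commit message above, as an added example that is not FreeBSD's code. The log does not show how the fix was implemented; single-quote escaping is assumed here as one way to do it, and `shell_quote`, `build_naive` and `build_quoted` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Wrap arg in single quotes for /bin/sh, rewriting each embedded ' as '\''.
 * Returns 0 on success, -1 if out is too small (contents then undefined). */
int shell_quote(const char *arg, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3) return -1;
    out[n++] = '\'';
    for (; *arg != '\0'; arg++) {
        if (*arg == '\'') {
            if (n + 4 >= outlen) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *arg;
        }
    }
    if (n + 2 > outlen) return -1;   /* closing quote plus NUL */
    out[n++] = '\'';
    out[n] = '\0';
    return 0;
}

/* Unsafe form: the keyword is pasted into the shell command unquoted. */
int build_naive(const char *prog, const char *kw, char *cmd, size_t len)
{
    int n = snprintf(cmd, len, "%s %s", prog, kw);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
/* Hardened form: the keyword reaches the shell as a single quoted word. */
int build_quoted(const char *prog, const char *kw, char *cmd, size_t len)
{
    char q[512];
    if (shell_quote(kw, q, sizeof q) != 0) return -1;
    int n = snprintf(cmd, len, "%s %s", prog, q);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
int main(void)
{
    char a[256], b[256];
    const char *kw = ";echo foo";   /* keyword argument from the commit message */
    if (build_naive("apropos", kw, a, sizeof a) == 0 &&
        build_quoted("apropos", kw, b, sizeof b) == 0)
        printf("naive : %s\nquoted: %s\n", a, b);
    return 0;
}
```

In the naive string the shell sees `;` as a command separator; in the quoted string the whole keyword is one argument to apropos. Passing the keyword through an exec-family call with no shell avoids the quoting problem altogether.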
- Sort xrefs
- Be consistent with section names as outlined in mdoc(7).
- Other misc mdoc cleanup.
PR: doc/13144
Submitted by: Alexey M. Zelkin <phantom@cris.net>
libraries so that `ld -f' in can create correct dependencies for
yet-to-be-built libraries.
Get the default BINDIR correctly (by including ../Makefile.inc recursively).
plain 0 should be used. This happens to work because we #define
NULL to 0, but is stylistically wrong and can cause problems
for people trying to port bits of code to other environments.
PR: 2752
Submitted by: Arne Henrik Juul <arnej@imf.unit.no>
Change CATMODE to 0644, because group man not used
Add immutable sbit to man binary, so if user even got man uid,
he can't replace man binary with fake one
Should go to 2.2
Submitted by: Marc Slemko <marcs@znep.com> with small editing by me