Hi!
Aaron Campbell wrote on Tuesday, 27 July 1999, at 0:45:
> On Mon, 26 Jul 1999, Nic Bellamy wrote:
>
> > I've also checked OpenBSD 2.5 and FreeBSD 3.2 - the groff on both systems
> > defaults to the unsafe behaviour.
>
> OpenBSD-current has been fixed to pass the -S (safer mode) option to groff
> from the nroff.sh script. Please see the following URL:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/groff/nroff/nroff.sh
Thanks for this hint. I'd like to add that it appears that on a SuSE Linux system
(only checked SuSE 6.1) /usr/bin/nroff is a shell script which calls groff.
Additionally if you execute less on a manpage, groff is called via
/usr/bin/lesspipe.sh.
Both scripts default to the unsafe behaviour. Thus viewing manpages with less
(unless you set the environment variable LESSSECURE [with 3 'S'!], which
actually should be named MORESECURE imho ;-) ) is also dangerous.
Imagine *evaluating* manpages that are packed with sources, and mistakenly doing
it with less... Oops!
Inserting the -S flag into /usr/bin/nroff and /usr/bin/lesspipe.sh calls to
groff fixes the problem.
This might help on several other systems.
> Since we were on the subject of a fairly *cough* minor *cough* security issue
> I thought I'd bring this up.
---End of quote---
Minor it might be, and old as well. But nevertheless it annoyed me and several other
people quite a lot (if I look at this thread). It annoyed me especially since I am
very used to using less instead of more.
Regards
Friedel
--
Friedrich Delgado Friedrichs <[EMAIL PROTECTED]>
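
A check for the fix described in the message above, as an added example that is not part of the original post: it lists the lines of a wrapper script that run groff without the -S flag. The function names and the two sample scripts are constructed for illustration, and the check assumes one command per line with -S passed as its own word.

```shell
#!/bin/sh
# Added example: report groff invocations in wrapper scripts that lack -S.
# Assumptions: one command per line, -S passed as its own word.

# Print "file:line: text" for each non-comment line that runs groff
# (bare or by path) without a standalone -S argument.
find_unsafe_groff() {
    awk '
        /^[ \t]*#/ { next }                  # ignore comment lines
        {
            has_groff = 0; has_safe = 0
            for (i = 1; i <= NF; i++) {
                w = $i
                gsub(/["`;|()]/, "", w)      # drop shell punctuation
                n = split(w, parts, "/")     # accept /usr/bin/groff too
                if (n > 0 && parts[n] == "groff") has_groff = 1
                if (w == "-S") has_safe = 1
            }
            if (has_groff && !has_safe)
                printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Write two constructed stand-ins for an nroff wrapper and a less input
# filter into directory $1 (not copies of any distribution's scripts).
make_samples() {
    cat > "$1/nroff.sample" <<'EOF'
#!/bin/sh
# constructed nroff wrapper
exec groff -Tascii -mtty-char "$@"
EOF
    cat > "$1/lesspipe.sample" <<'EOF'
#!/bin/sh
# constructed less filter; groff is only named in this comment
case "$1" in
  *.1) /usr/bin/groff -S -Tascii -mandoc "$1" ;;
  *.3) groff -Tascii -mandoc "$1" ;;
esac
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
find_unsafe_groff "$tmp"/*.sample   # flags nroff.sample:3 and lesspipe.sample:5
rm -rf "$tmp"
```

To audit the two scripts named in the message, call `find_unsafe_groff /usr/bin/nroff /usr/bin/lesspipe.sh`; no output means every groff call it found carries -S.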