On 2016/02/05 10:19, [email protected] wrote: > >Synopsis: escape rksh when user has access to man(1) > >Category: system > >Environment: > System : OpenBSD 5.8 > Details : OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015 > > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC > > Architecture: OpenBSD.amd64 > Machine : amd64 > >Description: > user can escape rksh shell when he has access to man(1) using custom > MANPAGER env variable
I don't think this is a bug. You are expecting more of rksh than it offers. You don't even need a custom MANPAGER, the default pager will allow 'v' to run $EDITOR which will also usually allow dropping to a shell. > # ll /home/whoo/bin/ > total 872 > drwxr-xr-x 2 root whoo 512 Feb 5 10:10 . > drwxr-xr-x 4 whoo whoo 512 Feb 5 00:06 .. > -r-xr-xr-x 1 root bin 422520 Aug 16 10:19 man > # > > man copied from /usr/bin/ .. > >Fix: Don't allow access to programs which allow the user to escape to an unrestricted shell? If you need man, maybe run it from a wrapper that enforces environment variables (MANPAGER, LESSSECURE), or uses 'man -c'.
