From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from scc-mailout-kit-02.scc.kit.edu (scc-mailout-kit-02.scc.kit.edu [129.13.231.82]);
	by fantadrom.bsd.lv (OpenSMTPD) with ESMTP id e60bc385;
	for ; Tue, 9 Dec 2014 09:25:21 -0500 (EST)
Received: from asta-nat.asta.uni-karlsruhe.de ([172.22.63.82] helo=hekate.usta.de)
	by scc-mailout-kit-02.scc.kit.edu with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(envelope-from ) id 1XyLiz-0003zg-UB; Tue, 09 Dec 2014 15:25:18 +0100
Received: from donnerwolke.usta.de ([172.24.96.3])
	by hekate.usta.de with esmtp (Exim 4.77)
	(envelope-from ) id 1XyLiz-0000Zv-OI; Tue, 09 Dec 2014 15:25:13 +0100
Received: from iris.usta.de ([172.24.96.5] helo=usta.de)
	by donnerwolke.usta.de with esmtp (Exim 4.72)
	(envelope-from ) id 1XyLiz-0000Uz-Lm; Tue, 09 Dec 2014 15:25:13 +0100
Received: from schwarze by usta.de with local (Exim 4.77)
	(envelope-from ) id 1XyLiz-0008St-8o; Tue, 09 Dec 2014 15:25:13 +0100
Date: Tue, 9 Dec 2014 15:25:12 +0100
From: Ingo Schwarze
To: Kristaps Dzonsons
Cc: discuss@mdocml.bsd.lv
Subject: Re: makewhatis and homebrew
Message-ID: <20141209142512.GB327@iris.usta.de>
References: <5486E96D.5020001@bsd.lv>
X-Mailinglist: mdocml-discuss
Reply-To: discuss@mdocml.bsd.lv
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5486E96D.5020001@bsd.lv>
User-Agent: Mutt/1.5.21 (2010-09-15)

Kristaps Dzonsons wrote on Tue, Dec 09, 2014 at 01:22:05PM +0100:

> When I'm forced to use OS X, I'm forced to use "homebrew" to manage
> software. What this does is, instead of installing software, it
> links the software to a magical location, e.g.,
>
> /usr/local/share/man/man1/itstool.1@ ->
> ../../../Cellar/itstool/2.0.2/share/man/man1/itstool.1

Yikes. Specifically designed to be insecure:

/usr/local/share/man/man1/mostly_harmless@->
../../../../../etc/master.passwd

> These manuals don't appear anywhere in man(1) now because they're
> outside of the chdir. In fact, when I run makewhatis with -p, I see
> many more of these from the base system installation:
>
> /usr/share/man/: /System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/Documentation/man/jstat.1:
> outside base directory
>
> (Which is linked from /usr/share/man/man1/jstat.1.)
>
> ...etc.
>
> Is there a way to relax this constraint,

Deleting the five lines

	if (strstr(buf, basedir) != buf) {
		if (warnings) say("",
		    "%s: outside base directory", buf);
		continue;
	}

should just work. The file will be treated as if it resided at the
place where the symlink was found.

Note, though, that this is not a functionality check, but a *security*
check you are deleting, so we cannot possibly commit it to the
repository. If it works, we could introduce a compile time switch
(with a big red warning) to allow it, if you consider that helpful.

> or would that break
> anything further into the parse sequence, i.e., so's?

Well, .so is fragile in the first place, and this madness is
certainly not making it any better. I hope those crazy people
don't combine the above with .so... Or if they do, the .so
will be resolved relative to the directory where the symlink
resides, not relative to the directory of the file pointed to.

Yours,
  Ingo
--
 To unsubscribe send an email to discuss+unsubscribe@mdocml.bsd.lv
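
Added example, not part of the original mail and not mandoc's own code: a C version of the kind of base-directory check the mail discusses, which resolves each entry with realpath(3) and accepts it only if the result lies below the base directory. The names inside_base() and run_demo() and the temporary tree are constructed for illustration; going slightly beyond the quoted snippet, the comparison also requires a '/' after the base prefix, so a sibling directory such as manual/ is not mistaken for man/.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not mandoc code): 1 if path, symlinks resolved,
 * lies below basedir; 0 if it resolves elsewhere; -1 if unresolvable. */
int inside_base(const char *basedir, const char *path)
{
	char base[PATH_MAX], real[PATH_MAX];
	size_t n;
	if (realpath(basedir, base) == NULL || realpath(path, real) == NULL)
		return -1;
	n = strlen(base);
	/* Prefix match plus '/' boundary: /x/man must not admit /x/manual. */
	return strncmp(real, base, n) == 0 && (n == 1 || real[n] == '/');
}

/* Build a constructed tree in a temp dir; classify four entries into r[]. */
int run_demo(int r[4])
{
	char root[] = "/tmp/whatisXXXXXX";
	const char *e[4] = { "man/man1/ok.1", "man/man1/in.1",
	    "man/man1/out.1", "man/man1/gone.1" };
	FILE *f;
	int i;
	if (mkdtemp(root) == NULL || chdir(root) == -1 || mkdir("man", 0755) ||
	    mkdir("man/man1", 0755) || mkdir("manual", 0755))
		return -1;
	if ((f = fopen(e[0], "w")) == NULL || fclose(f) ||
	    (f = fopen("manual/secret.1", "w")) == NULL || fclose(f))
		return -1;
	/* Symlinks: one staying inside, one escaping, one dangling. */
	if (symlink("ok.1", e[1]) || symlink("../../manual/secret.1", e[2]) ||
	    symlink("nowhere.1", e[3]))
		return -1;
	for (i = 0; i < 4; i++)
		r[i] = inside_base("man", e[i]);
	return 0;
}

int main(void)
{
	int r[4];
	if (run_demo(r) == -1)
		return 1;
	return printf("ok=%d in=%d out=%d gone=%d\n", r[0], r[1], r[2], r[3]) < 0;
}
```

The temporary tree is left under /tmp so the symlinks can be inspected afterwards.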