[Bug 206946] possibility to escape restricted shell using custom MANPAGER variable when user has access to man(1)

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 24 May 2025 09:15:19 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206946

Wolfram Schneider <wosch@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wosch@FreeBSD.org
             Status|New                         |Open

--- Comment #1 from Wolfram Schneider <wosch@FreeBSD.org> ---
Does this problem still exist? I'm not sure if I understand it, and if it is
related to MANPAGER variable or a user with a restricted shell.


unset MANPAGER
cp /usr/bin/man .
env PATH=$PWD /usr/local/bin/rbash

# fails as expected due the "./" in command name
./man man
rbash: ./man: restricted: cannot specify `/' in command names

# works because there is no "/" in command name
$ man man
/home/wosch/tmp/4/man: grep: not found
/home/wosch/tmp/4/man: which: not found
This manpage needs groff(1) to be rendered
First install groff(1):
pkg install groff

-- 
You are receiving this mail because:
You are the assignee for the bug.