diff options
Diffstat (limited to '')
-rw-r--r-- | manual/misc.me | 220 |
1 files changed, 220 insertions, 0 deletions
diff --git a/manual/misc.me b/manual/misc.me new file mode 100644 index 0000000..48fb8d5 --- /dev/null +++ b/manual/misc.me @@ -0,0 +1,220 @@ +.\" Copyright (C), 1995, Graeme W. Wilford. (Wilf.) +.\" Copyright (c) 2001, 2002 Colin Watson. +.\" +.\" You may distribute under the terms of the GNU General Public +.\" License as specified in the file docs/COPYING.GPLv2 that comes with the +.\" man-db distribution. +.\" +.\" Thu Sep 21 19:22:47 BST 1995 Wilf. (G.Wilford@ee.surrey.ac.uk) +.\" +.BS 1 "Miscellaneous" +.BS 2 "Modes of operation" +.lp +The \*M utilities can operate in many different modes, allowing varying +degrees of freedom, functionality and security. +No mode requires that the manual page hierarchies be writable. +.lp +.ip "(1) Default mode" +.b man +is setuid to the user MAN_OWNER which is \(oqman\(cq by default and is +changeable via options to +.b configure . +.b mandb , +if run by the superuser or MAN_OWNER, creates globally accessible index +databases owned by MAN_OWNER. +Once the databases are created, +.b man +will update entries in them if it finds newly installed +manual pages (if the +.b \-\-update +flag is used) or delete entries if manual pages are removed. +In this mode it is possible for a malicious +.b man +user to deliberately lock a database as a writer, thus denying read access to +other users. +.br +If cat directories exist and have the correct permissions, +.b man +will take care of producing cat files. +These will be owned by MAN_OWNER. +The default permissions of both cat files and databases are 0644. +.ip "(2) No man database updates" +This mode also requires +.b man +to be setuid, but is favoured where databases must be shared in an +environment unfriendly to kernel locking procedures, eg. NFS. +It also prevents possible +.q "denial of service" +attacks by malicious +.b man +users as +.b man +never opens the databases as a writer in this mode. +To replace the functionality lost by disallowing +.b man +write access to the databases, +.b mandb +should be rerun whenever new manual pages are installed. +Otherwise, +.b man +will not be able to use the database to find and display the newly added +manual pages, and will have to use the filesystem instead. +Each index database may be owned by an arbitrary user who will have +subsequent write access to the database. +Cat files are created in the same way as for mode (1) above. +.br +To use the \*M utilities in this mode, give the option +\(oq\-\-disable\-automatic\-update\(cq to +.b configure . +.ip "(3) No man database updates or cat production" +.b man +is installed not setuid. +This mode of operation probably offers the highest level of security but +it requires higher levels of maintenance than other modes due to the +restrictions imposed upon +.b man . +Each database is owned by an arbitrary user as in mode (2). +Each cat hierarchy is also owned by +an arbitrary user who is responsible for creating cat files using +.b catman +whenever new manual files are installed. +.b man +will be completely passive in its action, i.e. no index databases will be +written to and no cat files are ever produced. +.br +To use the \*M utilities in this mode, supply the options +\(oq\-\-disable\-cache\-owner \-\-disable\-setuid +\-\-disable\-automatic\-update \-\-disable\-cats\(cq to +.b configure , +or build \*M as in mode (1) and install the binaries without the setuid +bit set. +.ip "(4) Wide open" +.b man +is installed not setuid. +This mode is similar in operation to the majority of vendor supplied, non +setuid, cat file supporting manual pager suites. +It is not recommended. +The databases are owned by an arbitrary user who maintains them using +.b mandb . +.b man +does not update the databases. +Cat files are produced and stored in world writable cat directories and have +world write access themselves. +.br +To use the \*M utilities in this mode, supply the options +\(oq\-\-disable\-cache\-owner \-\-disable\-setuid +\-\-disable\-automatic\-update\(cq to +.b configure , +edit +.i include/manconfig.h +and change the definition of CATMODE from 0644 to 0666. +.lp +Other variations can also be used. +In fact it is possible for +.b man +to actually create index databases, usually the job of +.b mandb , +for users' private manual page hierarchies. +This is enabled by giving the option +\(oq\-\-enable\-automatic\-create\(cq to +.b configure . +.lp +In summary, +.i include/manconfig.h +contains definitions for +.bu +CATMODE +.bu +DBMODE +.lp +the setuid installation and operation of +.b man +is modified by supplying either of the following options to +.b configure : +.bu +\-\-enable\-setuid +.bu +\-\-disable\-setuid +.lp +and other aspects of +.b man 's +behaviour are controlled by the following options to +.b configure : +.bu +\-\-enable\-automatic\-create +.bu +\-\-disable\-automatic\-update +.bu +\-\-disable\-cats +.BS 2 "NFS root squash" +.lp +If +.b man +is installed setuid to an arbitrary user and is run by root, instead of +gaining the effective user id of the setuid user, +.b man +is run with both uid and euid as root. +This is neccesary due to infelicities with the +.b POSIX +setuid() function call: All users except root may change to and from the +effective (setuid) user, however once root has setuid(user), there is no way +back. +.lp +A side effect of this is that +.b NFS +mounted cat hierarchies or databases will be unwritable if the following +conditions exist: +.bu +man/catman/mandb is run by root +.bu +The NFS mount has the root squash flag set +.lp +To get around this problem, the root user must first attain the ID of the +cat hierarchy or database owner before running +.b man/catman/mandb +whenever the databases need updating or cat files are to be produced. +.BS 2 "NLS message catalogues" +.lp +\*M has built in support for native language message catalogues. +That is, it can issue messages in the locale of the user's choice. +This will only occur if the locale's translation has been written. +Before undertaking a translation, please contact the Translation Project +(https://translationproject.org/) who are coordinating such activities. +.BS 2 "Credits" +.lp +The authors would like to thank the following people for their time, effort, +support, ideas and code which went into \*M: +.(l +Markus Armbruster <armbru@pond.sub.org> +Lionel Cons & colleages <cons@dxcern.cern.ch> +Carl Edman <cedman@princeton.edu> +Caleb Epstein <epstein_caleb@jpmorgan.com> +Lars Fenneberg <lf@gimli.comlink.de> +Zoltan Hidvegi <hzoli@cs.elte.hu> +Nils Magnus <magnus@unix-ag.uni-kl.de> +Daniel Quinlan <quinlan@yggdrasil.com> +Fabrizio Polacco <fpolacco@debian.org> +Gordon Sadler <gbsadler1@lcisp.com> +Colin Phipps <cph@cph.demon.co.uk> +Paul Slootman <paul@wurtel.net> +Jose Rodriguez <boriel@airtel.net> +Eirik Fuller <eirik@hackrat.com> +Matej Vela <vela@debian.org> +Clint Adams <schizo@debian.org> +Jeremy C. Reed <reed@reedmedia.net> +Erik Andersen <andersen@codepoet.org> +Giuseppe Sacco <eppesuig@debian.org> +David Weinehall <tao@debian.org> +Ralph Corderoy <ralph@inputplus.co.uk> +Yuri Kozlov <kozlov.y@gmail.com> +Henning Makholm <henning@makholm.net> +Lars Wirzenius <liw@iki.fi> +Nicolas Fran\(,cois <nicolas.francois@centraliens.net> +Ivan Shmakov <oneingray@gmail.com> +Peter Breitenlohner <peb@mppmu.mpg.de> +Robert Luberda <robert@debian.org> +Chusslove Illich <caslav.ilic@gmx.net> +.)l +and all those translators listed in the +.b man/THANKS +file. |