Manpages are meant to display documentation. But in certain configurations, they can execute more than text. A misconfigured MANPATH, dangerous environment variables, or insecure file permissions can turn a benign command like man into a direct vector for privilege escalation.
When man reads from system directories without proper access control, an attacker can inject or replace manual files with malicious payloads. If those files leverage local formatting tools (groff, less, or even custom preprocessors) that run with elevated privileges, the result is privilege escalation.
Common attack surfaces include:
- Writable manpage directories in
/usr/share/man or /var/cache/man - PATH manipulation leading
man to call trojan binaries - Exploiting
MANROFFSEQ or PAGER environment variables to run arbitrary commands
Mitigation requires tightening file permissions, sanitizing environment variables, and isolating manpage processing from system-level execution. Always audit man configuration, especially on systems with multiple user accounts or exposed shell access. Track changes to man-related directories with file integrity monitoring. Disable unnecessary formatting pipelines. And when possible, run man in a restricted environment.
Manpages privilege escalation is a reminder: the smallest utility can become a root compromise if left unchecked.
Test secure configurations now. See it live, fast, with hoop.dev — build, run, and verify in minutes.