Subject: Re: Fix for PR security/8069: man(1) vulnerability
To: Matthias Buelow <mkb@altair.mayn.de>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 07/25/1999 22:52:40
>As first aid, I'd do vi /etc/man.conf and :%s/nroff/groff -Tascii -S/.

looks good.

>For a cleaner modification, I'd introduce a user man,
>chown -R man /usr/share/man and make man(1) setuid man.
>I dunno, but I have seen man(1) write formatted catfiles to /usr/share/cat*,
>am I mistaken that it doesn't do this on NetBSD and hence doesn't need
>to have write access there?  Anyways, it's a good idea nevertheless to
>give a subsystem like man its own user, imho.

i seem to recall there being problems with this as well.  and, while i
do like the idea of formatted man pages accumulating (the more you
read, the quicker they all get to read), this is also a problem.  i
recall several times where the cat* directories were on a disk that
filled up (we were reading too many man pages, so sue me :), but
since i didn't "own" any of the empty man pages (or the full ones, for
that matter), i couldn't remove them.  so i couldn't read anything.

what would be nice, imho, would (just off the top of my head) be a way
to make privileges "close-on-exec", so that things like all the dm and
man and crontab (and whatever else that's suid root (or someone else)
that needs to spawn, say, an external pager or editor) can just say
"kernel...please remove any extra privileges i have if i exec anything,
even if i forget to do so myself.  thank you."  or maybe just have it
default to something other than root on exec.

heh.  that way, programs that run as root normally could make this
(presumably) system call, and then you wouldn't have to worry so much
about people breaking in and getting root by buffer overflowing
something.  buffer overflow -> exec -> loseuid() -> lamer doesn't win.

(just me rattling on late on a sunday night)

>I'd much prefer if groff kept those problematic operations disabled
>by default (especially when they're not in troff) but well.

like, by perhaps adding a switch that turns them on?

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
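The "loseuid()" step the message wishes the kernel would perform at exec time, written out in userland as an added example (this is not code from man(1), NetBSD, or either poster): a set-id program that has to spawn a pager or editor forks, drops permanently to its real ids in the child, verifies the drop actually took, and only then execs. It assumes Linux/BSD setreuid semantics (the saved set-user-id follows the new effective id when a real id is supplied), and the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop permanently to the real uid/gid of the invoking user.
 * Returns 0 on success, -1 if any step failed or the drop did not stick. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is gone we may no longer be allowed to. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify the drop: effective ids must equal the real ids ... */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* ... and, if we held a different uid before, it must be unrecoverable
     * (seteuid back to it must now fail because the saved id also changed). */
    if (euid != ruid && seteuid(euid) == 0) return -1;
    return 0;
}

/* Run a shell command line (the way a pager or nroff pipeline is spawned)
 * with privileges dropped in the child before exec.  Returns the child's
 * exit status, 127 if the drop or exec failed, -1 on fork/wait error. */
int run_unprivileged(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Refuse to exec anything at all if we could not lose privileges. */
        if (drop_privileges_permanently() != 0) _exit(127);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: the "pager" here is just a command that reports its ids. */
    int rc = run_unprivileged("id");
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```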