Beyond the good ol' LaunchAgents - 30 - The man config file - man.conf

This is part 30 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background, check the introduction.

I was watching an old BSidesLuxemburg 2019 talk by Aaron Jewitt, called “Threat Hunting On Linux And Mac With Auditbeat System Module”; it’s up on YouTube. Aaron mentioned in one of the slides that you can persist using man.conf files. It looked really odd. I tried to quickly Google it, but didn’t find anything about it. So I took a look at the configuration file, and indeed, it turns out you can persist via man’s configuration file, man.conf, which can be found at /private/etc/man.conf.

Looking at the configuration file, there are a handful of options, and some of them are related to external tools.

# The default MANPAGER is less(1), while the default WHATISPAGER for whatis and
# apropos remains more(1) for historical compatibility.  This can either
# be switched in the environment, or globally on a system by setting MANPAGER or
# MANPAGER      /usr/bin/less -s
# WHATISPAGER   /usr/bin/more -E

Both MANPAGER and WHATISPAGER set the binary used to view man pages. For example, we can do this:

MANPAGER /tmp/view

This will invoke /tmp/view, which can even be a script. If we don’t want to break man’s functionality, we can invoke the default binary at the end of our script. For example:


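#!/bin/sh
# Marker file showing that the script was executed
touch /tmp/manconf

# Hand off to the default pager so man keeps working
/usr/bin/less -s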

The main drawback is that we need root-level access to edit the configuration file, and it depends on the user running the man command. Yet it’s an interesting idea.

I haven’t tested it, but I think the following can also be used.

# Useful paths - note that COL should not be defined when
# NROFF is defined as "groff -Tascii" or "groff -Tlatin1";
# not only is it superfluous, but it actually damages the output.
# For use with utf-8, NROFF should be "nroff -mandoc" without -T option.
# (Maybe - but today I need -Tlatin1 to prevent double conversion to utf8.)   
# If you have a new troff (version 1.18.1?) and its colored output
# causes problems, add the -c option to TROFF, NROFF, JNROFF.
# Uncomment these if you have installed groff manually.
# TROFF         /usr/local/bin/groff -Tps -mandoc -c
# NROFF         /usr/local/bin/groff -Wall -mtty-char -Tascii -mandoc -c
# EQN           /usr/local/bin/eqn -Tps
# TBL           /usr/local/bin/tbl
# REFER         /usr/local/bin/refer
# PIC           /usr/local/bin/pic
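For hunting, the MANPAGER/WHATISPAGER override and the helper-tool directives listed above can be checked in one pass over man.conf. The following audit script is an added example, not code from the original post; the function name, the trusted-directory list (SIP-protected system paths) and the shell-metacharacter heuristic are assumptions, and the sample input is constructed.

```python
import re

# Directives named on this page whose value names an external program.
EXEC_DIRECTIVES = {"MANPAGER", "WHATISPAGER", "TROFF", "NROFF", "JNROFF",
                   "EQN", "TBL", "REFER", "PIC", "COL"}
# Assumption: only SIP-protected system directories count as trusted locations.
TRUSTED_PREFIXES = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
# Heuristic: characters that would chain or substitute commands in a shell.
SHELL_META = re.compile(r"[;&|`$<>]")


def audit_man_conf(text):
    """Return (line_no, directive, command, reasons) per suspicious active directive."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out default
        parts = line.split(None, 1)
        if parts[0] not in EXEC_DIRECTIVES or len(parts) < 2:
            continue  # other settings are out of scope for this check
        command = parts[1].strip()
        binary = command.split()[0]
        reasons = []
        if not binary.startswith("/"):
            reasons.append("relative path")
        elif ".." in binary.split("/") or not binary.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside trusted system directories")
        if SHELL_META.search(command):
            reasons.append("shell metacharacters in command")
        if reasons:
            findings.append((line_no, parts[0], command, reasons))
    return findings


# Constructed sample: stock-style lines plus the MANPAGER override from the text.
SAMPLE = """\
# MANPAGER      /usr/bin/less -s
WHATISPAGER     /usr/bin/more -E
MANPAGER /tmp/view
NROFF           /usr/local/bin/groff -Wall -mtty-char -Tascii -mandoc -c
"""

if __name__ == "__main__":
    import sys
    # No argument: audit the constructed sample; otherwise audit the given file.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, directive, command, reasons in audit_man_conf(data):
        print(f"line {line_no}: {directive} -> {command} ({', '.join(reasons)})")
```

Run it with /private/etc/man.conf as the argument to audit a host; pairing it with file-integrity monitoring on that path covers the root-level edit the technique requires.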