_____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                         Information Bulletin

May 16, 1991, 1330 PST                                     Number B-26

   Inconsistent Directory and File Permissions in SunOS 4.1 and  4.1.1  
________________________________________________________________________
PROBLEM:  SunOS versions 4.1 and 4.1.1 have several inconsistent file 
  and directory permissions.
PLATFORM: Sun computer architectures sun3, sun3x, sun4, and sun4c that
  run SunOS 4.1 or SunOS 4.1.1.
DAMAGE:  May allow unauthorized or unintended user access to files.
SOLUTIONS:  Patch/update available from Sun via Patch-ID# 100103-06 or
  through anonymous ftp from uunet.uu.net or from CIAC
IMPACT OF PATCH:  File and directory permissions set to intended
  permissions.  No other side-effects reported.  
________________________________________________________________________
 Critical Information about Inconsistent Directory and File Permissions

CIAC has discovered inconsistent directory and file permissions on
Sun Microsystems computers that run the SunOS 4.1 and 4.1.1 operating 
systems.  A patch is available from Sun Microsystems as the updated Patch 
ID# 100103-06 (this number is required to order this patch from the 
Sun Answer Center).  Sun Microsystems, Inc. states that this patch is
applicable to Sun architectures sun3, sun3x, sun4, and sun4c.  This patch
is also available via anonymous ftp at uunet.uu.net (IP address  192.48.96.2)
in the file sun-dist/100103-06.tar.Z or from CIAC. 

If you need assistance in obtaining this patch by anonymous ftp or
extracting compressed files, please use the instructions in the
appendix of this bulletin.  For additional information or assistance,
please contact CIAC:

        Kenneth L. Pon
        (415) 422-1783 or (FTS) 532-1783
        pon@cheetah.llnl.gov

        or

        Hal Brand
        (415) 422-0039 or (FTS) 532-0039
        brand@addvax.llnl.gov

        During working hours call CIAC at (415) 422-8193 or (FTS)
        532-8193 or send e-mail to ciac@llnl.gov.

        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913.
_________________________________________________________________________
                             Appendix
      Instructions for Obtaining Patch using ftp anonymous and 
                    Extracting Compressed Files

The string "%" is the default UNIX csh(1) prompt; the string "ftp>" is
the ftp(1C) prompt.  In the procedure described below, the text
displayed after these prompts on the same line as the prompts is what
you must enter.  Text displayed on any line without a prompt is what
the system replies in response.  System dialogue is indented to
distinguish it from surrounding comments.

First log into your system and find a place (e.g., a writeable
directory) to put the patch.  In this example, a directory is made for
the patch.  Note that you do not need to login as root to obtain the
patch.  However, you need to be root to apply the patch.

   % mkdir newpatch
   % cd newpatch

Next ftp to uunet.uu.net.  Login as "anonymous" and enter your identity
(in the following example, "pon") as your password.  Your password will 
not be echoed.  Then use the following procedure to obtain 100103-06.tar.Z.

   % ftp uunet.uu.net
   Connected to uunet.uu.net.
   220 uunet FTP server (Version 5.100 Mon Feb 11 17:13:28 EST 1991) ready.
   Name (uunet.uu.net:pon): anonymous
   331 Guest login ok, send ident as password.
   Password:
   230 Guest login ok, access restrictions apply.
   ftp> cd sun-dist
   250 CWD command successful.
   ftp> ls
   200 PORT command successful.
   150 Opening ASCII mode data connection for file list.
   100100-01.tar.Z
   100108-01.tar.Z
   100125-04.tar.Z
   100133-01.tar.Z
   100184-02.tar.Z
   100187-01.tar.Z
   100188-01.tar.Z
   100201-02.tar.Z
   100224-02.tar.Z
   100251-01.tar.Z
   100103-06.tar.Z
   README.sendmail
   226 Transfer complete.
   204 bytes received in 0.033 seconds (6 Kbytes/s)
   ftp> binary
   200 Type set to I.
   ftp> get 100103-06.tar.Z
   200 PORT command successful.
   150 Opening BINARY mode data connection for 100103-06.tar.Z (3830 bytes).
   226 Transfer complete.
   local: 100103-06.tar.Z remote: 100103-06.tar.Z
   3830 bytes received in 0.0039 seconds (9.7e+02 Kbytes/s)
   ftp> quit
   221 Goodbye.
   %

Now extract the usable files from the compressed (evident by the "Z"
suffice), tar (tape archive) file that you just ftp'ed.

   % uncompress 100103-06.tar.Z

This will uncompress 100103-06.tar.Z into 100103-06.tar.  To see what files
are archived on the 100103-06.tar file, use the following command:

   % tar tvf 100103-06.tar
   rw-r--r--  0/0   8106 May 14 10:23 1991 4.1secure.sh
   rw-r--r--  0/0    692 May  9 10:30 1991 README

Now extract the two files from tar format:

   % tar xvf 100103-06.tar
   x 4.1secure.sh, 8106 bytes, 16 tape blocks
   x README, 692 bytes, 2 tape blocks

The README file contains instructions for applying the patch.  Note that
the patch needs to be applied by user root.
__________________________________________________________________________
Brad Powell provided some of the information used in this bulletin.  This
document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor
the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.