COMMAND

    login(M)

SYSTEMS AFFECTED

    SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0
    SCO Open Desktop Lite Release 3.0
    SCO Open Desktop Release 3.0 and 2.0
    SCO Open Server Network System Release 3.0
    SCO Open Server Enterprise System Release 3.0

PROBLEM

    /bin/login updates ~/.lastlogin to record the time of the last
    successful login. The file is opened while /bin/login still has
    root privileges, and no checks are made on the file before it is
    opened. A user can therefore replace it with a symbolic link, and
    login will create an arbitrary file through that link.

    % rm -f ~/.lastlogin
    % ln -s /etc/8LGMFILE ~/.lastlogin

    Log out and log in to the system again, and /etc/8LGMFILE will be
    created. The file will be owned by you, and will be mode 600.

SOLUTION

    Contact SCO for a patch.
    The patch is available at ftp.sco.com:/sse/sse002.*
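
    The check missing from the login described under PROBLEM, as an added
    example for a modern POSIX system; it is not SCO's patch and not code
    from this advisory. The function names, the text record format and
    the ll_* file names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Open the record without following a final-component symlink; fd or -1. */
int open_lastlogin(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink; no O_TRUNC, so nothing is changed yet. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    /* fstat() the descriptor, not the name: no second path lookup. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_nlink != 1 || st.st_uid != owner)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Assumed to be called after login has switched to the user's uid and gid,
 * so the kernel applies the user's own permissions to the open. */
int update_lastlogin(const char *path, uid_t owner, time_t now)
{
    char buf[32];
    int fd = open_lastlogin(path, owner);
    if (fd < 0)
        return -1;
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)now); /* assumed format */
    int ok = ftruncate(fd, 0) == 0 && write(fd, buf, (size_t)n) == n;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: symlinked record refused, plain record updated. */
int demo(void)
{
    struct stat st;
    unlink("ll_link"); unlink("ll_target"); unlink("ll_plain");
    if (symlink("ll_target", "ll_link") != 0)
        return 0;
    int refused = update_lastlogin("ll_link", geteuid(), time(NULL)) == -1;
    int created = lstat("ll_target", &st) == 0;
    int updated = update_lastlogin("ll_plain", geteuid(), time(NULL)) == 0;
    unlink("ll_link"); unlink("ll_plain");
    return refused && !created && updated;
}
```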