COMMAND

    sunsrc

SYSTEMS AFFECTED

    SunOS 4.0.3, 4.1, and 4.1.1

PROBLEM

    Sun Bug  ID 1059621.  This applies  to sites  that have  installed
    Sun Source tapes only.

    The  Sun  distribution  of  sources  (sunsrc)  has an installation
    procedure  which  creates   the  directory  /usr/release/bin   and
    installs two setuid  root files in  it: makeinstall and  winstall.
    These are both  binary files which  exec other programs:  "make -k
    install" (makeinstall) or "install" (winstall).

    This makes it possible for users on that system to become root.

SOLUTION

    chmod ug-s /usr/release/bin/{makeinstall, winstall}
    (if the sources have already been installed)

    and/or

    edit  the  makefile  in  sunsrc/release  and  change  the   SETUID
    definition (if the sources have  been extracted from tape but  not
    installed yet)