COMMAND

    /usr/local/bin/workman

SYSTEMS AFFECTED

    UNIX System V Release 4.0 and derivatives and Linux systems.

PROBLEM

    When the program is installed set-user-id root, it can be used  to
    make any  file on  the system  world-writable.   On systems  where
    WorkMan  was  built  and  installed  using the procedures that are
    given  in  "Makefile.linux"  or  "Makefile.svr4" (in general, this
    means on  Linux systems  and UNIX  System V  Release 4.0 systems),
    the  WorkMan  program  is  installed  set-user-id root. This means
    that when  the program  is run,  it will  execute with  super-user
    permissions.

    In order to  allow signals to  be sent to  it, WorkMan writes  its
    process-id to a file called  /tmp/.wm_pid. The "-p" option to  the
    program allows the user to specify a different file name in  which
    to record this information.   When a file is specified  with "-p",
    WorkMan simply attempts  to create and/or  truncate the file,  and
    if this succeeds, WorkMan changes  the permissions on the file  so
    that it is world-readable and world-writable.

SOLUTION

    chmod u-s /usr/local/bin/workman