CERT® Advisory CA-1993-03 SunOS File/Directory PermissionsOriginal issue date: February 3, 1993
Last revised: September 19, 1997
Attached copyright statement
A complete revision history is at the end of this file.
The default permissions on a number of files and directories in SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly. These problems are relevant for the sun3, sun3x, sun4, sun4c, and sun4m architectures. They have been fixed in SunOS 5.0. (Note that SunOS 5.0 is the operating system included in the Solaris 2.0 software distribution.)
An updated patch to reset these permissions is available from Sun. CERT has seen an increasing number of attackers exploit these problems on systems and we encourage sites to consider installing this patch.
File permissions on numerous files were set incorrectly in the distribution tape of 4.1.x. A typical example is that a file which should have been owned by "root" was set to be owned by "bin".
Not all sites will need or want to install the patch for this problem. The decision of what user id should own most system files and directories depends on the administrative practices of the site. It is quite reasonable to run a system where the majority of files are owned by "bin" as long as the entire system is run in a manner consistent with that practice. As distributed, the SunOS configuration expects most system files to be owned by "root". The fact that some are not creates security problems.
Therefore, sites that are running the SunOS versions listed above as distributed should install the patch described below. Sites that have made an informed choice to configure their system differently may instead want to review the patch script and consider which, if any, of the changes should be made on their system.
Depending on the specific configuration of the local site, the default permissions may allow local users to gain "root" access.
This document is available from: http://www.cert.org/advisories/CA-1993-03.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1993 Carnegie Mellon University.
September 19,1997 Attached Copyright Statement