Note: This is an archival copy of Security Sun Alert 201325 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000999.1.
Article ID : 1000999.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-03-30
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability with the at(1) Command on Solaris


Release Phase

Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id

Date of Workaround Release

Date of Resolved Release


A local unprivileged user may be able to remove any file on the system due to a security vulnerability in the at(1) command.

Sun acknowledges, with thanks, Wojciech Purczynski of iSEC Security Research for bringing this issue to our attention.

This issue is described in an iSEC Security Research advisory (see

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 105181-34
  • Solaris 7 without patch 108319-03
  • Solaris 8 without patches 109007-09 and 108875-13
  • Solaris 9 without patch 114135-01

x86 Platform

  • Solaris 2.6 without patch 105182-34
  • Solaris 7 without patch 108320-03
  • Solaris 8 without patches 109008-09 and 108876-13
  • Solaris 9 without patch 114136-01

Notes: Solaris 2.5.1 will not be evaluated regarding a potential impact of the issue described in this Sun Alert document.

The Solaris 8 cron/at patches 109007-09 and 109008-09 require the libbsm/c2audit patches 108875-13 and 108876-13 respectively for the correct functioning of the crontab(1) command. Future revisions of the Solaris 8 cron/at patches will contain the libbsm/c2audit binaries and will not require the installation of the libbsm/c2audit patches.


There are no predictable symptoms that would show the described issue has been exploited, as it depends on what file or files were deleted.


To work around the described issue, the set-user-ID bit can be removed from the at(1) command. However, once the set-user-ID bit is removed the "at" command will no longer function. As root do the following:

	# chmod u-s /usr/bin/at


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 105181-34 or later
  • Solaris 7 with patch 108319-03 or later
  • Solaris 8 with patches 109007-09 and 108875-13 or later
  • Solaris 9 with patch 114135-01 or later

x86 Platform

  • Solaris 2.6 with patch 105182-34 or later
  • Solaris 7 with patch 108320-03 or later
  • Solaris 8 with patches 109008-09 and 108876-13 or later
  • Solaris 9 with patch 114136-01 or later
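
The following check is an added example, not part of the original Sun Alert or any Sun tooling: it compares `showrev -p` style patch output against the minimum revisions listed above and reports whether the at(1) set-user-ID workaround is in place. The function names and the sample listing are constructed for illustration; the release keys assume the values printed by `uname -r` and `uname -p`.

```shell
#!/bin/sh
# Added example. Needs a POSIX shell and awk; on Solaris itself run it under
# ksh and substitute nawk for awk.
# SAMPLE is constructed `showrev -p`-style output, not taken from a real host.
SAMPLE='Patch: 109007-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108875-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 114135-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# required_patches RELEASE ARCH: minimum patch levels listed in the advisory,
# keyed by `uname -r` / `uname -p` values (5.6 is Solaris 2.6, 5.9 is Solaris 9).
required_patches() {
    case "$1/$2" in
        5.6/sparc) echo "105181-34" ;;
        5.7/sparc) echo "108319-03" ;;
        5.8/sparc) echo "109007-09 108875-13" ;;
        5.9/sparc) echo "114135-01" ;;
        5.6/i386)  echo "105182-34" ;;
        5.7/i386)  echo "108320-03" ;;
        5.8/i386)  echo "109008-09 108876-13" ;;
        5.9/i386)  echo "114136-01" ;;
        *) return 2 ;;
    esac
}

# has_patch ID-REV LISTING: succeeds if LISTING shows ID at revision REV or later.
has_patch() {
    printf '%s\n' "$2" | awk -v id="${1%-*}" -v min="${1#*-}" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == id && p[2] + 0 >= min + 0) found = 1 }
        END { exit !found }'
}

# audit_at RELEASE ARCH LISTING AT_PATH: prints a verdict; returns 1 only when
# a required patch is missing and AT_PATH still has the set-user-ID bit.
audit_at() {
    req=$(required_patches "$1" "$2") || { echo "release not covered"; return 2; }
    missing=""
    for p in $req; do
        has_patch "$p" "$3" || missing="$missing $p"
    done
    if [ -z "$missing" ]; then echo "patched"; return 0; fi
    if [ ! -u "$4" ]; then echo "workaround missing:$missing"; return 0; fi
    echo "vulnerable missing:$missing"; return 1
}

# Demo on the constructed listing; on a live host pass "$(showrev -p)" instead.
for rel in 5.8 5.9; do
    audit_at "$rel" sparc "$SAMPLE" /usr/bin/at || :
done
```

The revision comparison covers only later revisions of the same patch ID; a patch that has been obsoleted by a differently numbered patch needs a manual check.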

Modification History
Date: 31-MAR-2003
  • State: Resolved
  • Updated Contributing Factors and Resolution sections


