1st Jan 1996 [SBWID-75]
COMMAND
	    crontab
SYSTEMS AFFECTED
	    FreeBSD 2.1.0 and possibly others
PROBLEM
	    /usr/libexec/locate.updatedb is  called from  /etc/weekly. It  has
	    _exactly_  the  same  problem  as  /etc/security with its  opening
	    of temp files.  By default, it uses /var/tmp instead of /tmp,  but
	    they're both mode  1777 so it  doesn't make any  difference. I was
	    able to  overwrite my  own /etc/master.passwd  by just  creating a
	    symlink (as a normal user) and running locate.updatedb (as  root).
	    I  don't  know  if  the  content  of  the files can be manipulated
	    enough to gain  root, but users  being able to  munge any file  on
	    the system is  not a Good  Thing.  Credit  for this goes  to Steve
	    Reid.
SOLUTION
	    The  easiest  fix  for  this  is  the  same as the easiest fix for
	    /etc/security:   use  a  root-only  directory  such  as   /var/run
	    instead  of  something  world  writable.  There's a handy line for
	    this in the script:
	
	        if (! $?TMPDIR) setenv TMPDIR /var/tmp
	
	    Change it to
	
	        if (! $?TMPDIR) setenv TMPDIR /var/run
	                                           ^^^
	
	    or just
	
	        setenv TMPDIR /var/run
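
The same precaution as an added sh example (not part of the original advisory, and not the FreeBSD script, which is csh): before a root job writes temp files, check that the directory is a real directory owned by the invoking user and not writable by group or others, and otherwise fall back to a private directory made with mktemp -d. The function names and the updatedb.XXXXXXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example: refuse to write temp files where other users can plant symlinks.

# Return 0 only if $1 is a real directory (not a symlink), owned by the
# invoking user, with neither the group-write nor the world-write bit set.
tmpdir_is_safe() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # find prints the path only when every test passes; -prune stops descent.
    [ -n "$(find "$dir" -prune -user "$(id -u)" \
            ! -perm -0020 ! -perm -0002 -print)" ] || return 1
    return 0
}

# Print a directory that is safe for temp files. If the requested base is
# shared (e.g. mode 1777), create a private subdirectory inside it instead.
pick_workdir() {
    base=${1:-/var/tmp}
    if tmpdir_is_safe "$base"; then
        printf '%s\n' "$base"
    else
        # mktemp -d creates the directory atomically, mode 0700, with an
        # unpredictable name, so a pre-planted symlink cannot be followed.
        mktemp -d "$base/updatedb.XXXXXXXXXX"
    fi
}

# Typical use at the top of a maintenance script:
#   TMPDIR=$(pick_workdir /var/tmp) || exit 1
#   export TMPDIR
```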
	
