Patch-ID# 101363-01 Keywords: C2 Jumbo rpc.yppasswdd rpc.pwdauthd Synopsis: NSkit 1.0: porting C2 jumbo patch to NSkit C2 security support Date: Nov/24/93 Solaris Release: 2.2 SunOS release: 5.2 Unbundled Product: Name Services Transition Kit (5.x NIS BCP-mode Server) Unbundled Release: 1.0 Topic: Solaris 2.2: porting patch-ID 100564-07 C2 security jumbo patch to NSkit for C2 security support. BugId's fixed with this patch: 1040334 1043667 1058378 1059261 1063796 1039587 1097292 1006905 Changes incorporated in this version: Relevant Architectures: sparc Patches accumulated and obsoleted by this patch: Patches which may conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /usr/lib/netsvc/yp/rpc.yppasswdd /usr/lib/netsvc/yp/rpc.pwdauthd Problem Description: This is a port of the C2 Jumbo patch (100201-04) to NSkit. It is required on Solaris 2.x machines using the NSkit to support C2 security. This patch includes fixes for the following bugs: bug 1040334: yppasswd will not allow user to change passwd from client, the daemon dies on server bug 1043667: rpc.yppasswdd uses an incorrect lock file bug 1058378: rpc.pwdauthd logs cleartext passwords via auditd bug 1059261: NIS and C2 Security passwd.adjunct file can get overwritten by passwd bug 1063796: When running C2 with NIS, yppasswd password changes from client system would take 5 minutes of delay before taking effect. bug 1039587: rpc.yppasswdd does not accept ":" characters as a valid passwd character when changing an existent passwd entry. bug 1097292: rpc.pwdauthd's core image contains plaintext passwords and passwd.adjunct ` file Bug 1006905 rpc.yppasswdd sometimes corrupt passwd dbm files Patch Installation Instructions: -------------------------------- Generic 'installpatch' and 'backoutpatch' scripts are provided within each patch package with instructions appended at the end of this section. Other specific or unique installation instructions may also be necessary and should be described below. Special Install Instructions: ----------------------------- ============================================================================= Only on the MASTER NIS server ============================================================================= * Add the following lines to the /etc/init.d/yp file on the NIS master, after * the entry for ypbind startup. Note that the -m option has no arguments, * thus ensuring both passwd and passwd.adjunct maps are built when a passwd * change occurs. # # This starts yppasswd daemon and tells it to look for the passwd.adjunct file # if [ -f /usr/lib/netsvc/yp/rpc.yppasswdd -a -d /var/yp/`domainname` ]; then rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m; echo rpc.yppasswdd fi * Now follow the step given for all systems. ============================================================================= Only on NIS client machines not running C2 security with a MASTER NIS server converted to running C2 security. ============================================================================= * Normally all machines will be C2 converted within a NIS domain to * achieve C2 classification. These steps are for cases where NIS * clients have not been C2 converted, but the NIS MASTER has been converted. * * Machines with a NIS master using passwd shadowing (passwd.adjunct) need * to run the rpc.pwdauthd to decrypt shadowed passwd's. This daemon will * automatically be started by the default rc.local script if a passwd.adjunct * file exists. Do the following to create this file with a "+" entry in it * to use the NIS passwd.adjunct map. # mkdir /etc/security # chown root.staff /etc/security # chmod 2711 /etc/security # echo "+" > /etc/security/passwd.adjunct # chown root.staff /etc/security/passwd.adjunct # chmod 644 /etc/security/passwd.adjunct * Now follow the step given for all systems. ============================================================================= Generically for all systems: =========================================================================== * The following pseudo-users must be added to /etc/passwd and * * /etc/security/passwd.adjunct before changing any binaries * * This is so the auditing of the rpc.pwdauthd and rpc.yppasswd can occur * * These additions do not need to be done on NIS client machines since * they will pick these changes up from the NIS master. * * * /etc/passwd additions: * AUpwdauthd:##AUpwdauthd:10:10:::/bin/false AUyppasswdd:##AUyppasswdd:11:10:::/bin/false * */etc/security/passwd.adjunct additions: * AUpwdauthd:*::::: * AUyppasswdd:*::::: * =========================================================================== Now, complete the install by loading in the modified binaries. Note that the dynamically linked binaries are incompatible with the use of the US Encryption Kit. If you will be using the US Encryption Kit, load the static versions (rpc.pwdauthd.static and rpc.yppasswdd.static) of the provided binaries. First save the FCS distribution versions as a precaution: # cp /usr/lib/netsvc/yp/rpc.pwdauthd /usr/lib/netsvc/yp/rpc.pwdauthd.FCS # cp /usr/lib/netsvc/yp/rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd.FCS It is critical that the following steps be completed in single-user mode, so that the rpc.pwdauthd and rpc.yppasswd daemons are both disabled while the new versions are installed. # init 1 The new version of the binaries can now be installed. # cp rpc.pwdauthd /usr/lib/netsvc/yp/rpc.pwdauthd # chown root.staff /usr/lib/netsvc/yp/rpc.pwdauthd # chmod 755 /usr/lib/netsvc/yp/rpc.pwdauthd # cp rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd # chown root.staff /usr/lib/netsvc/yp/rpc.yppasswdd # chmod 755 /usr/lib/netsvc/yp/rpc.yppasswdd Double check permissions of the new files. If the permissions are set incorrectly, login will not be able to occur except in single user mode (boot -s). Now you can either enter a ^D (control D) from single user mode or reboot the machine. This finishes the installation. =========================================================================== Instructions to install patch using "installpatch" -------------------------------------------------- 1. Become super-user. 2. Apply the patch by typing: //installpatch / where is the directory containing the patch and is the patch number. must be a full path name. Example: # /tmp/123456-01/installpatch /tmp/123456-01 3. If any errors are reported, see "Patch Installation Errors" in the Command Descriptions section below. Rebooting the system or restarting the application after a successful patch installation is usually necessary to utilize patch. NOTE: On client server machines the patch package is NOT applied to existing clients or to the client root template space. Therefore, when appropriate, ALL CLIENT MACHINES WILL NEED THE PATCH APPLIED DIRECTLY USING THIS SAME INSTALLPATCH METHOD ON THE CLIENT. See the next section for instructions for installing a patch on a client. Instructions for installing a patch on a diskless or dataless client -------------------------------------------------------------------- 1. Before applying the patch, the following command must be executed on the server to give the client read-only, root access to the exported /usr file system so that the client can execute the pkgadd command: share -F nfs -o ro,anon=0 /export/exec/Solaris_2.1_sparc.all/usr The command: share -F nfs -o ro,root= \ /export/exec/Solaris_2.1_sparc.all/usr accomplishes the same goal, but only gives root access to the client specified in the command. 2. Login to the client system and become super-user. 3. Continue with step 2 in the "Instructions to install patch using installpatch" section above. Instructions for backing out patch using "backoutpatch" ------------------------------------------------------- 1. Become super-user. 2. Change directory to /var/sadm/patch: cd /var/sadm/patch 3. Backout patch by typing: /backoutpatch where is the patch number. Example: # 123456-01/backoutpatch 123456-01 4. If any errors are reported, see "Patch Backout Errors" in the Command Descriptions section below. Instructions for identifying patches installed on system: ---------------------------------------------------------- Type: installpatch -p This command produces a list of the patch IDs of the patches that are currently applied to the system. When executed with the -p option, the installpatch command does not modify the system in any way. Command Descriptions -------------------- NAME installpatch - apply patch package to Solaris 2.x system backoutpatch - remove patch package from Solaris 2.x system SYNOPSIS installpatch [-u] [-d] backoutpatch DESCRIPTION These installation and backout utilities apply only to Solaris 2.x associated patches. They do not apply to Solaris 1.x associated patches. These utilities are currently only provided with each patch package and are not included with the standard Solaris 2.x release software. OPTIONS installpatch -u unconditional install, do not verify file attributes -d do not save original files being replaced -p print a list of the patches currently applied on the system DIAGNOSTICS Patch Installation Errors: -------------------------- Error message: Patch has already been applied. Explanation and recommended action: This patch has already been applied to the system. If the patch has to be reapplied for some reason, backout the patch and then reapply it. Error message: This patch is obsoleted by a patch which has already been applied to this system. Application of this patch would leave the system in an inconsistent state. Patch installation is aborted. Explanation and recommended action: Occasionally, a patch is replaced by a new patch which incorporates the bug fixes in the old patch and supplies additional fixes also. At this time, the earlier patch is no longer made available to users. The second patch is said to "obsolete" the first patch. However, it is possible that some users may still have the earlier patch and try to apply it to a system on which the later patch is already applied. If the obsoleted patch were allowed to be applied, the additional fixes supplied by the later patch would no longer be available, and the system would be left in an inconsistent state. This error message indicates that the user attempted to install an obsoleted patch. There is no need to apply this patch because the later patch has already supplied the fix. Error message: The packages to be patched are not installed on this system. Explanation and recommended action: None of the packages to be updated by this patch are installed on the system. Therefore, this patch cannot be applied to the system. Error message: This patch is not applicable to client systems. Explanation and recommended action: The patch is only applicable to servers and standalone machines. Attempting to apply this patch to a client system will have no effect on the system. Error message: The /usr/sbin/pkgadd command is not executable. Explanation and recommended action: The /usr/sbin/pkgadd command cannot be executed. The most likely cause of this is that installpatch is being run on a diskless or dataless client and the /usr file system was not exported with root access to the client. See the section above on "Instructions for installing a patch on a diskless or dataless client". Error message: Patch directory is not of expected format. Explanation and recommended action: The patch directory supplied as an argument to installpatch did not contain any patch packages. Verify that the argument supplied to installpatch is correct. Error message: The following validation errors were found: Explanation and recommended action: Before applying the patch, the patch application script verifies that the current versions of the files to be patched have the expected fcs checksums and attributes. If a file to be patched has been modified by the user, the user is notified of this fact. The user then has the opportunity to save the file and make a similar change to the patched version. For example, if the user has modified /etc/inet/inetd.conf and /etc/inet/inetd.conf is to be replaced by the patch, the user can save the locally modified /etc/inet/inetd.conf file and make the same modification to the new file after the patch is applied. After the user has noted all validation errors and taken the appropriate action for each one, the user should re-run installpatch using the "-u" (for "unconditional") option. This time, the patch installation will ignore validation errors and install the patch anyway. Error message: Insufficient space in /var/sadm to save old files. Explanation and recommended action: There is insufficient space in the /var/sadm directory to save old files. The user has two options for handling this problem: (1) generate additional disk space by deleting unneeded files, or (2) override the saving of the old files by using the "-d" (do not save) option when running installpatch. However if the user elects not to save the old versions of the files to be patched, backoutpatch CANNOT be used. One way to regain space on a system is to remove the save area for previously applied patches. Once the user has decided that it is unlikely that a patch will be backed out, the user can remove the files that were saved by installpatch. The following commands should be executed to remove the saved files for patch xxxxxx-yy: cd /var/sadm/patch/xxxxxx-yy rm -r save/* rm .oldfilessaved After these commands have been executed, patch xxxxxx-yy can no longer be backed out. Error message: Save of old files failed. Explanation and recommended action: Before applying the patch, the patch installation script uses cpio to save the old versions of the files to be patched. This error message means that the cpio failed. The output of the cpio would have been preceded this message. The user should take the appropriate action to correct the cpio failure. A common reason for failure will be insufficient disk space to save the old versions of the files. The user has two options for handling insufficient disk space: (1) generate additional disk space by deleting unneeded files, or (2) override the saving of the old files by using the "-d" option when running installpatch. However if the user elects not to save the old versions of the files to be patched, the patch CANNOT be backed out. Error message: Pkgadd of package failed. See /tmp/log. for reason for failure. Explanation and recommended action: The installation of one of patch packages failed. Any previously installed packages in the patch should have been removed. See the log file for the reason for failure. Correct the problem and re-apply the patch. Error message: error while adding patch to root template Explanation and recommended action: The install script determined this system to be a client server. The attempt to apply the patch package to the appropriate root template space located under /export/root/templates failed unexpectedly. Check the log file for any failure messages. Correct the problem and re-apply the patch. Patch Backout Errors: --------------------- Error message: Patch has not been applied to this system. Explanation and recommended action: The user has attempted to back out a patch that was never applied to this system. It is possible that the patch was applied, but that the patch directory /var/sadm/patch/ was deleted somehow. If this is the case, the patch cannot be backed out. The user may have to restore the original files from the initial installation CD. Error message: Patch was installed without backing up the original files. It cannot be backed out. Explanation and recommended action: Either the -d option of installpatch was set when the patch was applied, or the save area of the patch was deleted to regain space. As a result, the original files are not saved and backoutpatch cannot be used. The original files can only be recovered from the original installation CD. Error message: Pkgrm of package failed. See /var/sadm/patch//log for reason for failure. Explanation and recommended action: The removal of one of patch packages failed. See the log file for the reason for failure. Correct the problem and run the backout script again. Error message: Restore of old files failed. Explanation and recommended action: The backout script uses the cpio command to restore the previous versions of the files that were patched. The output of the cpio command should have preceded this message. The user should take the appropriate action to correct the cpio failure. KNOWN PROBLEMS: On client server machines the patch package is NOT applied to existing clients or to the client root template space. Therefore, when appropriate, ALL CLIENT MACHINES WILL NEED THE PATCH APPLIED DIRECTLY USING THIS SAME INSTALLPATCH METHOD ON THE CLIENT. See instructions above for applying patches to a client. After a patch package has been installed pkginfo(1) will not recognize the SUNW_PATCHID macro in the patch package pkginfo file. Instead, to identify patches installed on the system use the grep command method described in the patch README. The pkgadd command shipped with Solaris 2.1 fails (drops core without any error message) when there are more than 100 entries in the /etc/mnttab file. This means that installpatch can fail, because it uses pkgadd. Since this is very likely on any big system with lots of automounts, ANY patch could fail. Applying patch 100901-01 fixes this problem (the README for patch 100901 mentions shutting down the automounter while applying it). SEE ALSO pkgadd(1), pkgchk(1), pkgrm(1), pkginfo(1)