Patch-ID# 101805-02
Keywords: terminating tnetd shutdown
Synopsis: Trusted Solaris 1.1: tnetd jumbo patch
Date: Jan/11/95

Solaris Release: Trusted Solaris 1.1
SunOS Release:
Unbundled Product:
Unbundled Release:
BugId's fixed with this patch: 1153408 1150107 1086622 1153187 1081183 1131127 1131148 1191348 1101384 1148646 1131142 1153408 1096955 1153189
Changes incorporated in this version:
Relevant Architectures: sun4 sun4c sun4m
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:

Problem Description:

BUGID   Synopsis
1150107 Blanket bug covered by patch tape and terminating tnetd.
1086622 tnet daemon doesn't exit properly during shutdown.
1153187 TNETDB has limited number of page extents per page.
1081183 tnetd shutdown will nuke the event queue for good.
1131127 tnetd_ctl -d outputs so many messages that /var quickly fills up.
1131148 tnetd_ctl -e results in 27000 nulls being placed in TNET_LOG.
1101384 tnetd_ctl does not parse command line options properly.
1148646 tnetd_ctl -h does not parse arguments as do standard UNIX commands.
1131142 tnetd_ctl -D allows values outside the valid debug level range of 1 through 5.
1153408 Packets from unlabeled hosts cause hosts to be marked unlabeled on diskless clients.
1096955 tnetd dies during a tnet_send().
1153189 TNET daemon may not flush host token maps correctly.

THIS PATCH DOES NOT APPLY TO 4.1.1, 4.1.2, 4.1.3, OR CMW 1.0 SYSTEMS.

Patch Installation Instructions:

0. You must be able to reconfigure your machine's kernel (kernels, if your
   machine is a server for diskless clients). In order to do this, you must
   have installed the kernel binaries (the /usr/kvm directory, and the
   /export/exec/kvm directories on diskless client servers) during the
   initial installation.

1. Bring your machine to single-user mode (choose the "Utilities" item in
   the trusted stripe menu, followed by "Shut Down Machine").

2. Reboot your machine in single-user mode.
   Depending on your system architecture:

      sun4:          b -s
      sun4c, sun4m:  boot -s

   If you are prompted for your PROM password, enter the appropriate
   password.

3. Once in single-user mode, start the C shell:

      # csh
      hostname #

4. Extract the patch from the patch medium using tar. This will require
   about 9 MB of free space; be sure you have that much available before
   you begin. In the following example, the patch is on a cartridge tape
   loaded in /dev/rst0, and there is plenty of free space in /var.

      hostname # mount -at cfs
      hostname # df /var
      Filesystem            kbytes    used   avail capacity  Mounted on
      /dev/sd0d              27751   13074   11902    52%    /var
      hostname # cd /var
      hostname # mkdir SFD101805-02
      hostname # cd SFD101805-02
      hostname # tar xvf /dev/rst0

5. cd into the (newly created) patch directory.

      hostname # cd SFD101805-02

6. You now have a choice. If you have configured your system per the CMW
   Installation instructions and have sufficient disk space, you may use
   the automated script provided with the patch. If for some reason you do
   not have a standard configuration (you are a diskless server with
   diskless clients' mount points at spots other than /export/*, or you
   have insufficient disk space), please go to step 7. It is highly
   recommended that you install the patch using the automated script, as
   there are several steps involved in the manual installation.

   The automated script requires:

      * 2.5 MB free on your / partition.
      * 1 MB free on the /usr partition.

   If the machine being patched is a server for diskless clients, you will
   also need:

      * 2.5 MB free on the /export/root partition for each diskless client
        the machine serves.
      * Your diskless clients' mount points to be configured as per the
        instructions in the installation manuals for Trusted Solaris and
        Solaris 1.x.

6b. Install the patch. This step replaces several files, makes a new
    TNETDB, and re-syncs your consistency databases.

      hostname # cd SFD101805-02
      hostname # sh ./patch

6c. Run /etc/config on your kernel and do a make.
    Install the newly configured vmunix. If the machine serves diskless
    clients, reconfigure kernels for each of your clients, install the new
    kernels, sync your disks, and reboot the server and all of the clients.
    Instructions for running /etc/config can be found in
    /usr/kvm/`arch -k`/config/README. (If necessary, refer to the Systems
    and Network Administration manual on how to configure a kernel.)

    Once you're finished, you may delete the directory containing the patch
    files.

7. If you want to install the patch manually, save your existing FCS
   binaries and kernel objects:

      hostname # mv /usr/etc/tnetd /usr/etc/tnetd.FCS
      hostname # mv /usr/etc/tnetd_ctl /usr/etc/tnetd_ctl.FCS
      hostname # mv /usr/etc/tnet_kstats /usr/etc/tnet_kstats.FCS
      hostname # mv /usr/etc/mkdb /usr/etc/mkdb.FCS
      hostname # mv /usr/etc/halt /usr/etc/halt.FCS
      hostname # mv /usr/etc/reboot /usr/etc/reboot.FCS
      hostname # mv /usr/include/cmw/secpolicy.h /usr/include/cmw/secpolicy.h.FCS
      hostname # mv /usr/man/man8/tnetd_ctl.8t /usr/man/man8/tnetd_ctl.8t.FCS
      hostname # mv /sys/`arch -k`/OBJ/raw_usrreq.o /sys/`arch -k`/OBJ/raw_usrreq.o.FCS
      hostname # mv /sys/`arch -k`/OBJ/sec_tnet.o /sys/`arch -k`/OBJ/sec_tnet.o.FCS
      hostname # mv /sys/`arch -k`/OBJ/sec_driver.o /sys/`arch -k`/OBJ/sec_driver.o.FCS

7a. Save your existing kernel. If you don't have enough room in your /
    partition (you need at least 2.5 MB), copy /vmunix to another partition
    where you have enough space (in the following example,
    /SOMEWHERE_YOU_HAVE_SPACE) and then remove it.

    (if you have space)
      hostname # mv /vmunix /vmunix.FCS

    (if you don't...)
      hostname # cp /vmunix /SOMEWHERE_YOU_HAVE_SPACE/vmunix.FCS
      hostname # rm /vmunix

7b. If this machine is a server for diskless clients, you will need to save
    the object modules in the /export/exec directory for each kernel
    architecture served. In the example, the server serves all kernel
    architectures (sun4, sun4c, sun4m).
    If your server does not serve one or more of these kernel
    architectures, remove the name of that kernel architecture from the
    argument to the foreach command in the following example. (If your
    mount point for kernel modules is at another location, substitute this
    location for /export/exec in the commands that follow.)

      hostname # foreach i (sun4 sun4c sun4m)
      ? mv /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/raw_usrreq.o \
           /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/raw_usrreq.o.FCS
      ? mv /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_tnet.o \
           /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_tnet.o.FCS
      ? mv /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_driver.o \
           /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_driver.o.FCS
      ? end

    In addition, if your machine is a diskless server, you should save your
    clients' kernels. Do the following for each client (named CLIENT in the
    example). If your clients' root mount point is different from
    /export/root, substitute the appropriate path for /export/root in the
    commands that follow. You will need 2.5 MB for each kernel you save; if
    you don't have that much space in your /export/root partition, save the
    kernels someplace else with enough space.

    (If you've got the space on /export/root)
      hostname # cd /export/root/CLIENT
      hostname # mv vmunix vmunix.FCS

    (and if you don't...)
      hostname # cd /export/root/CLIENT
      hostname # mkdir /SOMEWHERE_YOU_HAVE_SPACE/CLIENT
      hostname # cp vmunix /SOMEWHERE_YOU_HAVE_SPACE/CLIENT/vmunix.FCS

7c. Install the new binaries and kernel objects:

      hostname # cp ./`arch -k`/tnetd /usr/etc/tnetd
      hostname # cp ./`arch -k`/tnet_kstats /usr/etc/tnet_kstats
      hostname # cp ./`arch -k`/tnetd_ctl /usr/etc/tnetd_ctl
      hostname # cp ./`arch -k`/mkdb /usr/etc/mkdb
      hostname # cp ./`arch -k`/halt /usr/etc/halt
      hostname # cp ./`arch -k`/reboot /usr/etc/reboot
      hostname # cp ./`arch -k`/secpolicy.h /usr/include/cmw/secpolicy.h
      hostname # cp ./`arch -k`/tnetd_ctl.8t /usr/man/man8/tnetd_ctl.8t
      hostname # cp ./`arch -k`/raw_usrreq.o /usr/kvm/sys/`arch -k`/OBJ/raw_usrreq.o
      hostname # cp ./`arch -k`/sec_tnet.o /usr/kvm/sys/`arch -k`/OBJ/sec_tnet.o
      hostname # cp ./`arch -k`/sec_driver.o /usr/kvm/sys/`arch -k`/OBJ/sec_driver.o

7d. If this machine is a server for diskless clients, you will need to
    replace the object modules in the /export/exec directory for each
    kernel architecture served with the patch object modules. In the
    example, the server serves all kernel architectures (sun4, sun4c,
    sun4m). If your server does not serve one or more of these kernel
    architectures, remove the name of that kernel architecture from the
    argument to the foreach command. (If your mount point for kernel
    modules is at another location, substitute this location for
    /export/exec in the commands that follow.)

      hostname # foreach i (sun4 sun4c sun4m)
      ? cp ${i}/raw_usrreq.o \
           /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/raw_usrreq.o
      ? cp ${i}/sec_tnet.o \
           /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_tnet.o
      ? cp ${i}/sec_driver.o \
           /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_driver.o
      ? end

7e. Make a new TNETDB and clear your old TNET_LOG file.

      hostname # mkdb /etc/security/TNETDB 4096 80
      hostname # rm /var/adm/TNET_LOG; touch /var/adm/TNET_LOG

7f. If the machine is a server for diskless clients, you'll need to do the
    same thing for each client served.
    Assuming your clients' root mount point is at /export/root and the
    client is named CLIENT:

      hostname # mkdb /export/root/CLIENT/etc/security/TNETDB 4096 80
      hostname # rm /export/root/CLIENT/var/adm/TNET_LOG
      hostname # touch /export/root/CLIENT/var/adm/TNET_LOG

7g. Place the appropriate permissions and privileges on each file you've
    installed:

      hostname # chpriv a+all /usr/etc/mkdb
      hostname # chpriv f-all /usr/etc/mkdb
      hostname # chmod go-rwx /usr/etc/mkdb
      hostname # chmod go-rwx /usr/etc/tnetd
      hostname # chmod u+rwx /usr/etc/tnetd
      hostname # chown root.staff /usr/etc/tnetd
      hostname # chpriv a+all /usr/etc/tnetd
      hostname # chpriv f+net_allowaccess,proc_setclr,proc_setid,proc_setil,proc_setsl /usr/etc/tnetd
      hostname # chown root.staff /usr/etc/tnetd_ctl
      hostname # chmod go-rwx /usr/etc/tnetd_ctl
      hostname # chpriv a+all /usr/etc/tnetd_ctl
      hostname # chpriv f+net_allowaccess /usr/etc/tnetd_ctl
      hostname # chown root.staff /usr/etc/halt
      hostname # chpriv a+all /usr/etc/halt
      hostname # chpriv f+file_mac_read,net_allowaccess,proc_audit_tcb,sys_audit /usr/etc/halt
      hostname # chown root.staff /usr/etc/reboot
      hostname # chpriv a+all /usr/etc/reboot
      hostname # chpriv f+file_mac_read,net_allowaccess,proc_audit_tcb,sys_audit /usr/etc/reboot
      hostname # chmod ugo+r /usr/include/cmw/secpolicy.h
      hostname # chmod ugo+r /usr/man/man8/tnetd_ctl.8t

7h. Synchronize your static consistency databases:

      hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/tnetd
      hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/tnetd_ctl
      hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/mkdb
      hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/halt
      hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/reboot
      hostname # sync_ctab /etc/security/tcb_static -o \
           /usr/man/man8/tnetd_ctl.8t
      hostname # sync_ctab /etc/security/tcb_static -o \
           /usr/kvm/sys/`arch -k`/OBJ/sec_tnet.o
      hostname # sync_ctab /etc/security/tcb_static -o \
           /usr/kvm/sys/`arch -k`/OBJ/sec_driver.o

7i. If the machine is a server for diskless clients, you'll need to do the
    same thing for each of your clients. The .o modules under /export/exec
    also need to be synced. For each kernel architecture (sun4, sun4c,
    sun4m) your machine serves, do the following, with ARCH being an
    architecture served.

      hostname # sync_ctab /etc/security/tcb_static -o \
           /export/exec/ARCH.trusted_solaris.1.1/sys/ARCH/OBJ/sec_tnet.o
      hostname # sync_ctab /etc/security/tcb_static -o \
           /export/exec/ARCH.trusted_solaris.1.1/sys/ARCH/OBJ/sec_driver.o

    Assuming your client is called CLIENT, do the following for each
    client:

      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/tnetd
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/tnetd_ctl
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/mkdb
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/halt
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/reboot
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o \
           /usr/man/man8/tnetd_ctl.8t
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o \
           /usr/kvm/sys/`arch -k`/OBJ/sec_tnet.o
      hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o \
           /usr/kvm/sys/`arch -k`/OBJ/sec_driver.o

7j. Synchronize your dynamic consistency databases:

      hostname # sync_ctab /etc/security/tcb_dynamic -o /etc/security/TNETDB

7k. If the machine is a server for diskless clients, you'll need to do the
    same thing for each of your clients. Assuming your client is called
    CLIENT (repeat the command with each client's name as CLIENT):

      hostname # sync_ctab /etc/security/tcb_dynamic -c CLIENT \
           -o /etc/security/TNETDB

7l. Run /etc/config on your kernel and do a make. Install the newly
    configured vmunix. If the machine serves diskless clients, reconfigure
    kernels for each of your clients, install the new kernels, sync your
    disks, and reboot the server and all of the clients.
    (If necessary, refer to the Systems and Network Administration manual
    on how to configure a kernel.)

    Once you're finished, you may delete the directory containing the patch
    files.
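The manual save step of the procedure above (7a and 7b), carried into a script as an added example that is not part of Sun's patch README: it applies the README's free-space rule (2.5 MB on / for the server kernel, 2.5 MB under /export/root per diskless client) before renaming anything, and then saves the FCS kernel objects of each served architecture under the README's .FCS suffix, refusing to overwrite an .FCS copy that already exists. It is POSIX sh rather than the csh of the README, and the EXPORT_EXEC, EXPORT_ROOT and KB_PER_KERNEL names are assumptions that mirror the README's paths and sizes.

```shell
#!/bin/sh
# Added example, not part of Sun's patch README: a POSIX sh helper for the
# manual path (steps 7a and 7b) on a diskless server. It applies the README's
# free-space rule (2.5 MB on / for the server kernel, 2.5 MB under /export/root
# per client) before touching anything, then saves the FCS kernel objects of
# each served architecture under the README's .FCS suffix. EXPORT_EXEC,
# EXPORT_ROOT and KB_PER_KERNEL are assumptions mirroring the README's values.

KB_PER_KERNEL=2560   # 2.5 MB per saved kernel, as the README requires

# Print the three kernel object paths that step 7b saves for each ARCH given.
kernel_objects() {
    for arch in "$@"; do
        for obj in raw_usrreq.o sec_tnet.o sec_driver.o; do
            printf '%s/%s.trusted_solaris.1.1/sys/%s/OBJ/%s\n' \
                "${EXPORT_EXEC:-/export/exec}" "$arch" "$arch" "$obj"
        done
    done
}

# Kilobytes needed on /export/root to keep one vmunix.FCS per client.
export_root_kb() { echo $(( KB_PER_KERNEL * $1 )); }

# Free kilobytes on the filesystem holding a path (POSIX df -P output).
avail_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# Succeed only when the filesystem holding $1 has at least $2 KB free.
check_space() { [ "$(avail_kb "$1")" -ge "$2" ]; }

# Step 7b: rename each present object to NAME.FCS. An existing .FCS copy is
# left alone, so a second run cannot overwrite the genuine FCS original.
save_objects() {
    for obj in $(kernel_objects "$@"); do
        [ -f "$obj" ] || { echo "skip (absent): $obj" >&2; continue; }
        [ -e "$obj.FCS" ] && { echo "already saved: $obj" >&2; continue; }
        mv "$obj" "$obj.FCS"
    done
}

# Usage: sh save_fcs.sh NCLIENTS ARCH...   (as root, in single-user mode)
main() {
    nclients=$1; shift
    need=$(export_root_kb "$nclients")
    check_space / "$KB_PER_KERNEL" || { echo "need $KB_PER_KERNEL KB free on /" >&2; return 1; }
    check_space "${EXPORT_ROOT:-/export/root}" "$need" \
        || { echo "need $need KB free on ${EXPORT_ROOT:-/export/root}" >&2; return 1; }
    save_objects "$@"
}
case $# in 0) ;; *) main "$@" ;; esac
```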