Patch-ID# 101718-03
Keywords: C2 Jumbo rpc.yppasswdd rpc.pwdauthd
Synopsis: SunOS 4.1.3_U1:  C2 rpc.yppasswdd patch
Date: Aug/01/95

Solaris Release: 1.1.1A

SunOS Release: 4.1.3_U1A

Unbundled Product: 

Unbundled Release: 

Relevant Architectures: sparc

BugId's fixed with this patch: 1173802 1040334 

Changes incorporated in this version: 

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 

	/usr/etc/rpc.yppasswdd
	/usr/etc/rpc.pwdauthd

Problem Description: 

   bug 1173802:
   4.1.3_U1 rpc.yppasswd dumps core.

   bug 1040334:
   yppasswd will not allow a user to change passwd from a client; the
   daemon dies on the server. This problem was fixed in the previous
   100564-XX patch, but was not correctly integrated into the 4.1.3_U1
   release.

Patch Installation Instructions: 

NOTE: If you do not plan to run C2, but want the fix for rpc.yppasswdd
      (bug id 1040334), you can just install a new
      rpc.yppasswdd as given below in the steps for all systems.
 
=============================================================================
 
Only on the MASTER NIS server
 
=============================================================================
* Add the following lines to the /etc/rc.local file on the NIS master, after
* the entry for ypbind startup. Note that the -m option has no arguments,
* thus ensuring both passwd and passwd.adjunct maps are built when a passwd
* change occurs.
 
#
# This starts yppasswd daemon and tells it to look for the passwd.adjunct file
#
if [ -f /usr/etc/rpc.yppasswdd -a -d /var/yp/`domainname` ]; then
   rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m; echo rpc.yppasswdd
fi
 
* Now follow the steps given for all systems.
 
=============================================================================
 
Only on NIS client machines not running C2 security with a
MASTER NIS server converted to running C2 security.
 
=============================================================================
* Normally all machines will be C2 converted within a NIS domain to
* achieve C2 classification. These steps are for cases where NIS
* clients have not been C2 converted, but the NIS MASTER has been converted.
*
* Machines with a NIS master using passwd shadowing (passwd.adjunct) need
* to run the rpc.pwdauthd to decrypt shadowed passwd's. This daemon will
* automatically be started by the default rc.local script if a passwd.adjunct
* file exists. Do the following to create this file with a "+" entry in it
* to use the NIS passwd.adjunct map.
 
# mkdir /etc/security
# chown root.staff /etc/security
# chmod 2711 /etc/security
# echo "+" > /etc/security/passwd.adjunct
# chown root.staff /etc/security/passwd.adjunct
# chmod 644 /etc/security/passwd.adjunct
 
* To prevent the auditd process from starting in /etc/rc.local,
* modify the /etc/rc.local script for the startup of auditd to:
 
echo -n 'starting local daemons:'
if [ -f /usr/etc/auditd -a -d /etc/security/audit ]; then
        auditd;                 echo -n ' auditd'
fi
 
* Now follow the steps given for all systems.

=============================================================================

Generically for all systems:

===========================================================================

* The following pseudo-users must be added to /etc/passwd and
* /etc/security/passwd.adjunct before changing any binaries.
* This is so the auditing of rpc.pwdauthd and rpc.yppasswdd can occur.
* These additions do not need to be done on NIS client machines since
* they will pick these changes up from the NIS master.
*
* /etc/passwd additions:

AUpwdauthd:##AUpwdauthd:10:10:::/bin/false
AUyppasswdd:##AUyppasswdd:11:10:::/bin/false

* /etc/security/passwd.adjunct additions:

AUpwdauthd:*:::::
AUyppasswdd:*:::::

===========================================================================

Now, complete the install by loading in the modified binaries.
Note that the dynamically linked binaries are incompatible with the
use of the US Encryption Kit.  If you will be using the US
Encryption Kit, load the static versions (rpc.pwdauthd.static and
rpc.yppasswdd.static) of the provided binaries.

First save the FCS distribution versions as a precaution:

# cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.FCS
# cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.FCS

It is critical that the following steps be completed in single-user
mode, so that the rpc.pwdauthd and rpc.yppasswdd daemons are both
disabled while the new versions are installed.

# shutdown now

The new versions of the binaries can now be installed.

# cp rpc.pwdauthd /usr/etc/rpc.pwdauthd
# chown root.staff /usr/etc/rpc.pwdauthd
# chmod 755 /usr/etc/rpc.pwdauthd

# cp rpc.yppasswdd /usr/etc/rpc.yppasswdd
# chown root.staff /usr/etc/rpc.yppasswdd
# chmod 755 /usr/etc/rpc.yppasswdd


Double check the permissions of the new files.  If the permissions are
set incorrectly, logins will fail except in single-user mode
(boot -s).

Now you can either enter a ^D (control D) from single user
mode or reboot the machine. This finishes the installation.
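
A post-install check for the steps above, as an added example that is not part of Sun's patch README: it compares the modes set with chmod and the pseudo-user entries against a tree rooted at a prefix. The ROOT prefix, the role names master/client, the function names and the staged sample tree are assumptions constructed for illustration; it needs a POSIX sh with grep -F and mktemp, and it does not check ownership.

```shell
#!/bin/sh
# Added example, not Sun's code. ROOT prefix and the role names
# "master"/"client" are assumptions so a staged tree can be checked.
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }    # e.g. -rwxr-xr-x

check_mode() {      # check_mode FILE EXPECTED-MODE-STRING
    got=`mode_of "$1"`
    [ "$got" = "$2" ] && return 0
    echo "BAD MODE $1: got '${got:-missing}', want '$2'"; return 1
}

has_line() {        # exact whole-line match: trailing junk counts as missing
    grep -Fx -- "$2" "$1" >/dev/null 2>&1 && return 0
    echo "MISSING in $1: $2"; return 1
}

verify_101718() {   # verify_101718 ROOT ROLE; returns 0 if all checks pass
    root=$1; rc=0; adj=$root/etc/security/passwd.adjunct
    for b in rpc.pwdauthd rpc.yppasswdd; do
        check_mode "$root/usr/etc/$b" "-rwxr-xr-x" || rc=1      # chmod 755
    done
    if [ "$2" = master ]; then     # pseudo-users live on the NIS master
        has_line "$root/etc/passwd" 'AUpwdauthd:##AUpwdauthd:10:10:::/bin/false' || rc=1
        has_line "$root/etc/passwd" 'AUyppasswdd:##AUyppasswdd:11:10:::/bin/false' || rc=1
        has_line "$adj" 'AUpwdauthd:*:::::' || rc=1
        has_line "$adj" 'AUyppasswdd:*:::::' || rc=1
    else                           # non-C2 client of a C2 master
        check_mode "$root/etc/security" "drwx--s--x" || rc=1    # chmod 2711
        check_mode "$adj" "-rw-r--r--" || rc=1                  # chmod 644
        has_line "$adj" '+' || rc=1
    fi
    return $rc
}

stage_master() {    # build a constructed (fake) master tree under DIR
    mkdir -p "$1/usr/etc" "$1/etc/security"
    for b in rpc.pwdauthd rpc.yppasswdd; do
        : > "$1/usr/etc/$b"; chmod 755 "$1/usr/etc/$b"
    done
    printf '%s\n' 'AUpwdauthd:##AUpwdauthd:10:10:::/bin/false' \
        'AUyppasswdd:##AUyppasswdd:11:10:::/bin/false' > "$1/etc/passwd"
    printf '%s\n' 'AUpwdauthd:*:::::' 'AUyppasswdd:*:::::' \
        > "$1/etc/security/passwd.adjunct"
}

# Demo on the constructed tree; on a real host use: verify_101718 "" master
demo=`mktemp -d` && stage_master "$demo" && verify_101718 "$demo" master \
    && echo "constructed master tree: OK"
rm -rf "$demo"
```

Run it from single-user mode before leaving with ^D, so a wrong mode is caught while the machine can still be repaired.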
