Patch-ID# 101805-02
Keywords: terminating tnetd shutdown
Synopsis: Trusted Solaris 1.1: tnetd jumbo patch
Date: Jan/11/95

Solaris Release: Trusted_Solaris_1.1

SunOS Release: 

Unbundled Product:

Unbundled Release:

BugId's fixed with this patch: 1153408 1150107 1086622 1153187 1081183 1131127 1131148 1191348 1101384 1148646 1131142 1153408 1096955 1153189

Changes incorporated in this version: 

Relevant Architectures: sparc
    NOTE: sun4 sun4c sun4m

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Problem Description:

BUGID	Synopsis

1150107	Blanket bug covered by patch tape and terminating tnetd.

1086622	tnet daemon doesn't exit properly during shutdown

1153187 TNETDB has limited number of page extents per page

1081183 tnetd shutdown will nuke the event queue for good

1131127 tnetd_ctl -d outputs so many messages that /var quickly fills 
		up.

1131148 tnetd_ctl -e results in 27000 nulls being placed in TNET_LOG.

1101384 tnetd_ctl does not parse command line options properly.
1148646 tnetd_ctl -h does not parse arguments as do standard UNIX 
		commands

1131142 tnetd_ctl -D allows values outside the valid debug level range
	of 1 through 5.

1153408 packets from unlabeled hosts cause hosts to be marked unlabeled on
	diskless clients.

1096955 tnetd dies during a tnet_send()

1153189 TNET daemon may not flush host token maps correctly.



    THIS PATCH DOES NOT APPLY TO 4.1.1, 4.1.2, 4.1.3, OR CMW 1.0 SYSTEMS.

Patch Installation Instructions:

0.  You must be able to reconfigure your machine's kernel (kernels if your
    machine is a server for diskless clients.)  In order to do this, you must
    have installed the kernel binaries (/usr/kvm, and /export/exec/kvm
    directories on diskless client servers) during the initial installation.

1.  Bring your machine to single user mode (choose the "Utilities" item in the
    trusted stripe menu, followed by "Shut Down Machine").

2.  Reboot your machine in single-user mode.  Depending on your system 
    architecture:

    sun4:
	b -s

    sun4c,sun4m:
	boot -s
	
	If you are prompted for your PROM password, enter the appropriate 
	password.
	
3.  Once in single-user mode, start the c-shell:

        # csh
        hostname #

4.  Extract the patch from the patch medium using tar.  This will
    require about 9MB of free space; be sure you have that much
    available before you begin.  In the following example, the patch
    is on cartridge tape loaded in /dev/rst0, and there is lots of free space
    in /var.
    
    hostname # mount -at cfs
    hostname # df /var
    Filesystem            kbytes    used   avail capacity  Mounted on
    /dev/sd0d              27751   13074   11902    52%    /var
    hostname # cd /var
    hostname # mkdir SFD101805-02
    hostname # cd SFD101805-02
    hostname # tar xvf /dev/rst0
    
5.  cd into the (newly created) patch directory.

        hostname # cd SFD101805-02
	
6.  You now have a choice.  If you have configured your system per
    the CMW Installation instructions and have sufficient disk space, you 
    may use the automated script provided with the patch.  If, for some reason,
    you do not have a standard configuration (you are a diskless server with 
    diskless clients' mount points at spots other than /export/*, or
    with insufficient disk space), please go to step 7.  It is highly
    recommended that you install the patch using the automated script, as there
    are several steps involved in the manual installation.

    The automated script requires:
      * 2.5 MB free on your / partition.
      * 1 MB free on the /usr partition.
    If the machine being patched is a server for a diskless client, you will
    also need
      * 2.5 MB free on the /export/root partition for each diskless client
	    a machine serves.
      * Your diskless clients' mount points to be configured as per the
        instructions in the installation manuals for Trusted Solaris and
        Solaris 1.x.
    
6b.  Install the patch:
	This step replaces several files, makes a new TNETDB, and 
	re-syncs your consistency databases.
	
	hostname # cd SFD101805-02
	hostname # sh ./patch

6c. Run /etc/config on your kernel and do a make. Install the newly configured
	vmunix. If the machine serves diskless clients, reconfigure
	kernels for each of your clients, install the new kernels, 
	sync your disks, and reboot the server and all of the clients.
	Instructions for running /etc/config can be found in 
	/usr/kvm/`arch -k`/config/README.
	(If necessary, refer to the Systems and Network administrations manual
	on how to configure a kernel.)

	Once you're finished, you may delete the directory containing the patch
	files.


7.  If you want to install the patch manually,
    save your existing FCS binaries and kernel objects:

    hostname # mv /usr/etc/tnetd /usr/etc/tnetd.FCS
    hostname # mv /usr/etc/tnetd_ctl /usr/etc/tnetd_ctl.FCS
    hostname # mv /usr/etc/tnet_kstats /usr/etc/tnet_kstats.FCS
    hostname # mv /usr/etc/mkdb /usr/etc/mkdb.FCS
    hostname # mv /usr/etc/halt /usr/etc/halt.FCS
    hostname # mv /usr/etc/reboot /usr/etc/reboot.FCS
    hostname # mv /usr/include/cmw/secpolicy.h /usr/include/cmw/secpolicy.h.FCS
    hostname # mv /usr/man/man8/tnetd_ctl.8t /usr/man/man8/tnetd_ctl.8t.FCS
    hostname # mv /sys/`arch -k`/OBJ/raw_usrreq.o /sys/`arch -k`/OBJ/raw_usrreq.o.FCS
    hostname # mv /sys/`arch -k`/OBJ/sec_tnet.o /sys/`arch -k`/OBJ/sec_tnet.o.FCS
    hostname # mv /sys/`arch -k`/OBJ/sec_driver.o /sys/`arch -k`/OBJ/sec_driver.o.FCS

7a.  Save your existing kernel.  If you don't have enough room in your / 
	partition (you need at least 2.5 MB), you should copy /vmunix to another 
	partition where you have enough space (in the following example, 
	/SOMEWHERE_YOU_HAVE_SPACE) 
	and remove it.

    (if you have space)
	hostname # mv /vmunix /vmunix.FCS
	(if you don't...)
	hostname # cp /vmunix /SOMEWHERE_YOU_HAVE_SPACE/vmunix.FCS
	hostname # rm /vmunix

7b.	If this machine is a server for diskless clients, you will need to save
	the object modules in the /export/exec directory for each kernel 
	architecture served. In the example, the server serves all kernel 
	architectures (sun4,sun4c, sun4m).  
	If your server does not serve one or more of these
	kernel architectures, remove the name of this kernel architecture from
	the argument to the foreach command in the following example.
	(If your mount point for kernel modules is at another location, substitute
	this location for /export/exec in the commands that follow.)

	hostname # foreach i (sun4 sun4c sun4m)
	? mv /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/raw_usrreq.o \
	    /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/raw_usrreq.o.FCS
	? mv /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_tnet.o \
	    /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_tnet.o.FCS
	? mv /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_driver.o \
	    /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_driver.o.FCS
	? end

	In addition, if your machine is a diskless server, you should save your 
	clients' kernels.  Do the following for each client (named CLIENT in
	the following example).  (If your clients' root mount point is different
	from /export/root, substitute the appropriate path for /export/root in
	the commands that follow.)  You will need 2.5M for each kernel you need
	to save; if you don't have that much space in your /export/root
	partition, save the kernels someplace else with enough space.

	(If you've got the space on /export/root)
	hostname # cd /export/root/CLIENT
	hostname # mv vmunix vmunix.FCS
	
	(and if you don't...)
	hostname # cd /export/root/CLIENT
	hostname # mkdir /SOMEWHERE_YOU_HAVE_SPACE/CLIENT
	hostname # cp vmunix /SOMEWHERE_YOU_HAVE_SPACE/CLIENT/vmunix.FCS
	
	
7c.	Install the new binaries and kernel objects:
	hostname # cp ./`arch -k`/tnetd /usr/etc/tnetd
	hostname # cp ./`arch -k`/tnet_kstats /usr/etc/tnet_kstats
	hostname # cp ./`arch -k`/tnetk_stat /usr/etc/tnetd_ctl
	hostname # cp ./`arch -k`/mkdb /usr/etc/mkdb
	hostname # cp ./`arch -k`/halt /usr/etc/halt
	hostname # cp ./`arch -k`/reboot /usr/etc/reboot
	hostname # cp ./`arch -k`/secpolicy.h /usr/include/cmw/secpolicy.h
	hostname # cp ./`arch -k`/tnetd_ctl.8t /usr/man/man8/tnetd_ctl.8t
	hostname # cp ./`arch -k`/raw_usrreq.o /usr/kvm/sys/`arch -k`/OBJ/raw_usrreq.o
	hostname # cp ./`arch -k`/sec_tnet.o /usr/kvm/sys/`arch -k`/OBJ/sec_tnet.o
	hostname # cp ./`arch -k`/sec_driver.o /usr/kvm/sys/`arch -k`/OBJ/sec_driver.o

7d.	If this machine is a server for diskless clients, you will need to replace
	the object modules in the /export/exec directory for each kernel 
	architecture served with the patch object modules. 
	In the example, the server serves all kernel architectures 
	(sun4,sun4c, sun4m).  If your server does not serve one or more of these
	kernel architectures, remove the name of this kernel architecture from
	the argument to the foreach command.
	(If your mount point for kernel modules is at another location, substitute
	this location for /export/exec in the commands that follow.)

	hostname # foreach i (sun4 sun4c sun4m)
	? cp ${i}/raw_usrreq.o \
	    /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/raw_usrreq.o
	? cp ${i}/sec_tnet.o \
	    /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_tnet.o
	? cp ${i}/sec_driver.o \
	    /export/exec/${i}.trusted_solaris.1.1/sys/${i}/OBJ/sec_driver.o
	? end
	
7e.	Make a new TNETDB and clear your old TNET_LOG file.
	hostname # mkdb /etc/security/TNETDB 4096 80
	hostname # rm /var/adm/TNET_LOG; touch /var/adm/TNET_LOG
	
7f.	If the machine is a server for diskless clients, you'll need to do the same
	thing for each client served.  Assuming your clients' root mount point is at 
	/export/root and the client is named CLIENT:
	
	hostname # mkdb /export/root/CLIENT/etc/security/TNETDB 4096 80
	hostname # rm /export/root/CLIENT/var/adm/TNET_LOG
	hostname # touch /export/root/CLIENT/var/adm/TNET_LOG

7g.	Place the appropriate permissions and privileges on each file you've 
	installed:

	hostname # chpriv a+all /usr/etc/mkdb
	hostname # chpriv f-all /usr/etc/mkdb
	hostname # chmod go-rwx /usr/etc/mkdb
	hostname # chmod go-rwx /usr/etc/tnetd
	hostname # chmod u+rwx /usr/etc/tnetd
	hostname # chown root.staff /usr/etc/tnetd
	hostname # chpriv a+all /usr/etc/tnetd
	hostname # chpriv f+net_allowaccess,proc_setclr,proc_setid,proc_setil,proc_setsl /usr/etc/tnetd
	hostname # chown root.staff /usr/etc/tnetd_ctl
	hostname # chmod go-rwx /usr/etc/tnetd_ctl
	hostname # chpriv a+all /usr/etc/tnetd_ctl
	hostname # chpriv f+net_allowaccess /usr/etc/tnetd_ctl
	hostname # chown root.staff /usr/etc/halt
	hostname # chpriv a+all /usr/etc/halt
	hostname # chpriv f+file_mac_read,net_allowaccess,proc_audit_tcb,sys_audit /usr/etc/halt
	hostname # chown root.staff /usr/etc/reboot
	hostname # chpriv a+all /usr/etc/reboot
	hostname # chpriv f+file_mac_read,net_allowaccess,proc_audit_tcb,sys_audit /usr/etc/reboot

	hostname # chmod ugo+r /usr/include/cmw/secpolicy.h
	hostname # chmod ugo+r /usr/man/man8/tnetd_ctl.8t

7h.	Synchronize your static consistency databases:
	hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/tnetd
	hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/tnetd_ctl
	hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/mkdb
	hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/halt
	hostname # sync_ctab /etc/security/tcb_static -o /usr/etc/reboot
	hostname # sync_ctab /etc/security/tcb_static -o \
					/usr/man/man8/tnetd_ctl.8t
	hostname # sync_ctab /etc/security/tcb_static -o \
					/usr/kvm/sys/`arch -k`/OBJ/sec_tnet.o
	hostname # sync_ctab /etc/security/tcb_static -o \
					/usr/kvm/sys/`arch -k`/OBJ/sec_driver.o
										
7i.	If the machine is a server for diskless clients, you'll need to do the same
	thing for each of your clients.  Also, we need to sync the .o modules
	for /export/exec.  For each kernel architecture (sun4, sun4c, sun4m) your 
	machine serves, do the following, with ARCH being an architecture served.
	hostname # sync_ctab /etc/security/tcb_static -o \
	    /export/exec/ARCH.trusted_solaris.1.1/sys/ARCH/OBJ/sec_tnet.o
	hostname # sync_ctab /etc/security/tcb_static -o \
	    /export/exec/ARCH.trusted_solaris.1.1/sys/ARCH/OBJ/sec_driver.o

	Assuming your client is called CLIENT, do the following for each client:

	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/tnetd 
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/tnetd_ctl
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/mkdb
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/halt
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o /usr/etc/reboot
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o \
					/usr/man/man8/tnetd_ctl.8t
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o \
					/usr/kvm/sys/`arch -k`/OBJ/sec_tnet.o
	hostname # sync_ctab /etc/security/tcb_static -c CLIENT -o \
					/usr/kvm/sys/`arch -k`/OBJ/sec_driver.o
					
7j.	Synchronize your dynamic consistency databases:
	hostname # sync_ctab /etc/security/tcb_dynamic -o /etc/security/TNETDB

7k.	If the machine is a server for diskless clients, you'll need to do the same
	thing for each of your clients.  Assuming your client is called CLIENT:

	(Repeat the following with each client's name in place of CLIENT.)
	hostname # sync_ctab /etc/security/tcb_dynamic -c CLIENT \
		-o /etc/security/TNETDB



7l.	Run /etc/config on your kernel and do a make. Install the newly configured
	vmunix. If the machine serves diskless clients, reconfigure
	kernels for each of your clients, install the new kernels, 
	sync your disks, and reboot the server and all of the clients.
	(If necessary, refer to the Systems and Network administrations manual
	on how to configure a kernel.)

	Once you're finished, you may delete the directory containing the patch
	files.
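
The manual steps 7c and 7g can be checked before the patch directory is
deleted.  The following POSIX sh function is an added example, not part of
the Sun patch: it confirms that each installed file is a byte-for-byte copy
of its patch file and that tnetd and mkdb carry no group/other permissions.
The name verify_install and its ROOT, PATCHDIR and KARCH arguments are
assumptions; the file list is a subset of step 7c and can be extended.

```shell
# Added example, not part of the Sun patch.
# verify_install ROOT PATCHDIR KARCH
#   ROOT     "" for this machine, or a client root such as /export/root/CLIENT
#   PATCHDIR directory holding the extracted patch
#   KARCH    kernel architecture (the output of `arch -k`)
# Prints one line per problem and returns non-zero if any were found.
verify_install() {
    root=$1 patch=$2 karch=$3 bad=0
    obj=/usr/kvm/sys/$karch/OBJ
    # Each list line: name in the patch directory, installed path, and
    # "private" if step 7g removes all group/other access from the file.
    while read name dest private; do
        src=$patch/$karch/$name
        dst=$root$dest
        if [ ! -f "$dst" ]; then
            echo "MISSING  $dst"; bad=1; continue
        fi
        # A byte comparison catches an object copied under the wrong name.
        if ! cmp -s "$src" "$dst"; then
            echo "DIFFERS  $dst (expected copy of $src)"; bad=1
        fi
        if [ "$private" = private ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            perms=`ls -ld "$dst" | cut -c5-10`
            if [ "$perms" != "------" ]; then
                echo "MODE     $dst group/other bits are '$perms'"; bad=1
            fi
        fi
    done <<EOF
tnetd /usr/etc/tnetd private
mkdb /usr/etc/mkdb private
tnet_kstats /usr/etc/tnet_kstats
halt /usr/etc/halt
reboot /usr/etc/reboot
raw_usrreq.o $obj/raw_usrreq.o
sec_tnet.o $obj/sec_tnet.o
sec_driver.o $obj/sec_driver.o
EOF
    return $bad
}
```

Run it as verify_install "" . `arch -k` from the patch directory for the
local machine, or with /export/root/CLIENT as the first argument for a client.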
