Patch-ID# 104418-05
Keywords: flush gateways tnetd memory leak spdbm_close TNETDB spdbm errors auto recover
Synopsis: Trusted Solaris 1.2: tnetd patch
Date: Mar/16/00

Solaris Release: Trusted_Solaris_1.2

SunOS Release:

Unbundled Product:

Unbundled Release:

Relevant Architectures: sparc
                  NOTE: sun4 sun4c sun4m

BugId's fixed with this patch: 4301772 4135547 4038931 1257994 

Changes incorporated in this version: 4301772

Patches accumulated and obsoleted by this patch: 104418-04

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 

README			 - This file.

install_patch		 - Script to install the appropriate patch
			   components for the machine on which it
			   is run.

nis_master.<arch>.tar.Z  - Patches for NIS master machines for each
			   supported architecture.

nis_client.<arch>.tar.Z  - Patches for NIS client machines for each
			   supported architecture.

diskless.<arch>.tar.Z    - Patches for diskless machines for each
			   supported architecture.

Problem Description: 

THIS PATCH DOES NOT APPLY TO 4.1.1, 4.1.2, 4.1.3, 4.1.3_U1, CMW 1.0, OR
TRUSTED SOLARIS 1.1 SYSTEMS.

This patch contains a fix for the following bug(s):

Bug:	4301772
Desc:	A possible infinite loop introduced by patch 104418-04. The code
	in flushdb was in error and would loop if the caller's retry loop
	failed as well. Fixed by setting the *open flag to 1 instead of
	incrementing it.

Bug:    4135547
Desc:   Auto recover from spdbm errors by closing the database and
        reopening it.  This doesn't really fix the problem, but it
        appears to provide an acceptable work around.

Bug:    4038931
Desc:   Added a feature to flush directly attached gateways if they are
        listed in "/etc/security/m6.gateways".

        To activate this feature, create an /etc/security/m6.gateways
        file with a list of host names to be flushed, one host name
        per line.  Comments may be included by placing # in column 1.

        This is a work around for the SecureWare architecture flaw
        where A -> B -> C such that B's tokens are out of date
        w.r.t. C and C sends a flush host to A rather than B because
        it doesn't know that B was the intermediary.  This feature
        recognizes that A is not on the same subnet as C and then
        flushes the gateway hosts listed in /etc/security/m6.gateways
        rather than A.

        This does not fix the architecture flaw.  It merely provides
        an automated way to flush gateways that may have
        out-of-date tokens.

        Also added a feature to manually flush local and remote databases
        using new options to "tnetd_ctl". The -H option causes a remote
        host to flush its entries for the local host, and the -X option
        flushes the local host's entries for a given remote host.
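
The m6.gateways format described under bug 4038931 (one host name per line, comments only with # in column 1) can be checked before tnetd is restarted. The sh function below is an added example, not part of the patch; the host names are constructed, and treating blank lines, indented or trailing comments and duplicates as errors is an assumption, since this README does not say how tnetd handles them.

```shell
#!/bin/sh
# lint_m6_gateways FILE
# Prints "line N: reason" for every line that does not match the documented
# format and returns the number of problems (0 = clean, capped at 250).
lint_m6_gateways() {
    awk '
        function bad(why) { printf "line %d: %s\n", NR, why; errors++ }
        /^#/                 { next }   # comment: "#" in column 1
        /^[ \t]*$/           { bad("blank line"); next }
        /^[ \t]+#/           { bad("comment does not start in column 1"); next }
        /^[ \t]/ || /[ \t]$/ { bad("leading or trailing whitespace"); next }
        /#/                  { bad("trailing comment after host name"); next }
        NF != 1              { bad("more than one host name on the line"); next }
        !/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/ {
                               bad("not a valid host name"); next }
        seen[tolower($0)]++  { bad("duplicate host name"); next }
        END { exit (errors > 250 ? 250 : errors + 0) }
    ' "$1"
}

# Constructed sample file (not from the patch): two valid entries followed
# by four lines that break the documented format.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# gateways between this host and remote enclaves
gw-east
gw-west.example.com
  # indented comment
gw-north  # trailing comment
gw-a gw-b
gw-east
EOF

lint_m6_gateways "$sample" || echo "m6.gateways: $? problem(s) found"
```
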

Bug:    1257994
Desc:   Fixed memory leak in spdbm_close() when closing a multi-extent
        TNETDB.

Note:   In the following lists of files, the export/exec path prefix is
        used to load files into the appropriate places on the machine.
        For example, export/exec/kvm/<arch> is used to refer to
        /usr/kvm on a machine where <arch> is the native architecture.

Files:
        export/exec/sparc/etc/tnetd
        export/exec/sparc/etc/tnetd_ctl
        export/exec/sparc/share/man/man8/tnetd_ctl.8t


Patch Installation Instructions: 

1.	Boot the machine single user, clean the disks, and start a csh(1).

		> b -s
	or
		ok boot -s

		# fsck -f -p
		# exec csh
		<host># source /.cshrc
		<host># source /.login

2.	Load this patch in a location that has disk space.  This
	example assumes that /var is a separate partition and that
	the patch is delivered on tape.

	<host># mount /var
	<host># cd /var
	<host># mkdir -p patches/<PATCH_NUMBER_HERE>
	<host># cd patches/<PATCH_NUMBER_HERE>
	<host># tar xvf /dev/rst0

3.	Install the patch and check the "log" for errors.
	<host># ./install_patch |& tee log
	<host># vi log

3a.	This patch contains changes to the machine's kernel. In order
	for the changes to take effect, the kernel must be reconfigured.

	To reconfigure the kernel, follow the procedure in the README
	file, located in the /export/exec/kvm/<arch>/sys/<arch>/conf 
	directory for each architecture.

4.	Reboot the machine.
	<host># cd /
	<host># umount -at cfs
	<host># sync; sync; sync; reboot

Special Instructions for tnetd patch installation:

When the new tnetd is installed, it would be useful to start
everything fresh.

1.      At single user mode, create an empty token database
        to start afresh.
        <host># /usr/etc/mkdb /etc/security/TNETDB 4096 80

2.      Remove the old tnet log file.
        <host># mv /var/adm/TNET_LOG /var/adm/TNET_LOG.old
        <host># touch /var/adm/TNET_LOG
        <host># chmod 644 /var/adm/TNET_LOG
        <host># chown root /var/adm/TNET_LOG
        <host># setlabel "system_high[system_high]" /var/adm/TNET_LOG

3.      Reboot the machine.
        <host># sync; sync; reboot


