Patch-ID# 100201-04
Keywords: login rpc.yppasswdd rpc.pwdauthd
Synopsis: SunOS 4.1, SunOS 4.1_PSR_A 4.1.1: c2 jumbo patch
Date: 3/July/91

SunOS release: 4.1 4.1_PSR_A 4.1.1

Unbundled Product:

Unbundled Release:

Topic:

BugID's fixed for this patch: 1059261 1043667 1040465 1044204 1040334 1047131 1049585 1063796 1058378

Architectures for which this patch is available: sun3(x), sun4(c,490,390)

Patches which may conflict with this patch: 100138-02

This patch obsoletes patch 100138-02

Obsoleted by: Sys_V_Rel4

Problem Description:

This patch contains the bug fixes for several bugs that were reported in
relation to C2 security.

login contains the bug fix related to password aging. The bug is due to the
fact that the utility in libc that is used to read and parse passwd.adjunct
does not parse the age field correctly. It always returns an empty field.
login uses this utility to get the age field and does nothing with it.
Therefore password aging is disabled. passwd does not have this problem
because it reads and parses passwd.adjunct itself and uses the actual age
field.

rpc.pwdauthd contains the bug fix related to not being able to disable
remote use of the daemon. It also allows the daemon to generate audit
records using its own pseudo-user.

rpc.yppasswdd contains the fix for the daemon mysteriously dying. It also
allows the daemon to generate audit records using its own pseudo-user.

rpc.yppasswdd contains the fix for using the same lockfile as vipw
(i.e. /etc/ptmp).

rpc.yppasswdd contains the fix for the passwd.adjunct file being
overwritten by the yppasswd command when NIS and C2 are running.

bug 1063796: When running C2 with NIS, NIS client users will notice the
result of the yppasswd command would be effective immediately (it takes
5 minutes delay).

bug 1058378: rpc.pwdauthd includes in its C2 audit log the cleartext
password for every call, whether successful or not.

FOR PROGRAMMERS ONLY:

Patch 100201-02 fixed many of the C2 auditing problems in SunOS 4.1 and
4.1.1. For compatibility's sake, the fixes to login, rpc.yppasswdd and
rpc.pwdauthd were statically linked to getauditflags.o and getpwaent.o,
two C library functions in libc. This eliminated the need to change libc
for the patch to function. The problem with this is that customers who use
libc's getauditflags or getpwaent functions will get the original version,
which exists in libc. Supplying getauditflags.o and getpwaent.o separately
from libc, for linking to your application, solves this problem. You should
link the new getauditflags.o and getpwaent.o to your application with the
-lrpcsvc flag.

Modified binaries:

    /bin/login
    /usr/etc/rpc.pwdauthd
    /usr/etc/rpc.yppasswdd

INSTALL:

NOTE: If you are not building applications which call the getauditflags or
getpwaent C library functions, the getauditflags.o and getpwaent.o modules
are not needed, since they are statically linked into login, rpc.pwdauthd,
and rpc.yppasswdd already. These modules can be ignored.

=============================================================================
= IF NIS is being run the new binaries need to be installed on all machines =
= in the domain. Additionally yppasswdd needs to be started in /etc/rc.local=
= edit /etc/rc.local and add in the following lines after the ypbind        =
= startup statements:                                                       =

#This starts yppasswd daemon and tells it to look for the passwd.adjunct file
rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m

=============================================================================

Generically for all systems:

***************************************************************************
* The following pseudo-users must be added to /etc/passwd and             *
* /etc/security/passwd.adjunct before changing any binaries               *
* This is so the auditing of the rpc.pwdauthd and rpc.yppasswdd can occur *
*                                                                         *
* /etc/passwd additions:                                                  *
*                                                                         *

AUpwdauthd:##AUpwdauthd:10:10:::
AUyppasswdd:##AUyppasswdd:11:10:::

*                                                                         *
* /etc/security/passwd.adjunct additions:                                 *
*                                                                         *

AUpwdauthd:*:::::
AUyppasswdd:*:::::

*                                                                         *
***************************************************************************

NOTE: If you are not running with C2 but want the fix for rpc.yppasswdd
(bug id 1043667), you can skip the above passwd file additions and all you
need is the rpc.yppasswdd binary. Please follow the instructions below for
restoring rpc.yppasswdd.

As root:

First save the FCS distribution versions as a precaution:

    # cp /bin/login /bin/login.orig
    # cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.orig
    # cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.orig

It is critical that the following steps be completed in single-user mode,
so that the rpc.pwdauthd and rpc.yppasswdd daemons are both disabled while
the new versions are installed.

    # shutdown now

The new version of the binaries can now be installed. The 4.1 and 4.1.1
versions are identical except for the library version they are expecting
to dynamically link to. Substitute either sun3 or sun4 for {arch} and
either 4.1 or 4.1.1 for {OS rev}

    # cp {arch}/{OS rev}/login /bin/login
    # chown root /bin/login
    # chmod 4755 /bin/login
    # chgrp staff /bin/login

    # cp {arch}/{OS rev}/rpc.pwdauthd /usr/etc/rpc.pwdauthd
    # chown root /usr/etc/rpc.pwdauthd
    # chgrp staff /usr/etc/rpc.pwdauthd
    # chmod 755 /usr/etc/rpc.pwdauthd

    # cp {arch}/{OS rev}/rpc.yppasswdd /usr/etc/rpc.yppasswdd
    # chown root /usr/etc/rpc.yppasswdd
    # chgrp staff /usr/etc/rpc.yppasswdd
    # chmod 755 /usr/etc/rpc.yppasswdd

Double check permissions of the new files. If the permissions are set
wrong, or the wrong architecture type is installed, login will not be able
to occur except in single-user mode (boot -s).

Note the example below does not show the size of the binary, as the sun3
and sun4 versions are different sizes. Doing a "file /bin/login" should
tell you that it is a:

    mc68020 demand paged dynamically linked executable not stripped

on a sun3, and a:

    sparc demand paged set-uid executable not stripped

on a sun4.

    # ls -lg /bin/login
    -rwsr-xr-x  1 root     staff
    # ls -lg /usr/etc/rpc.pwdauthd
    -rwxr-xr-x  1 root     staff
    # ls -lg /usr/etc/rpc.yppasswdd
    -rwxr-xr-x  1 root     staff

Now you can either give a ^D (control D) from single-user mode or reboot
the machine. This finishes the installation.
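
The end state these steps describe (both pseudo-user entries present in /etc/passwd and /etc/security/passwd.adjunct, and the mode, owner and group of the three binaries) can be checked mechanically before leaving single-user mode. The script below is an added example, not part of the Sun patch README; it assumes a POSIX `ls -l` column layout, and its ROOT, OWNER and GROUP arguments are this example's own so that it can also be run against a staging directory.

```shell
#!/bin/sh
# Added example (not from the patch README). ROOT lets the check run against
# a staging tree; OWNER and GROUP default to the README's root and staff.
# Assumes POSIX `ls -l` columns: mode, links, owner, group.

# check_file PATH MODE OWNER GROUP: return 0 if `ls -ld` agrees, else 1
check_file() {
    got=$(ls -ld "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    # keep the 10-character mode string plus the owner and group columns
    got=$(printf '%s\n' "$got" | awk '{print substr($1,1,10), $3, $4}')
    [ "$got" = "$2 $3 $4" ] && return 0
    echo "BAD $1: $got (want $2 $3 $4)"
    return 1
}

# verify_install ROOT [OWNER GROUP]: return the number of problems found
verify_install() {
    root=${1%/} want_owner=${2:-root} want_group=${3:-staff} bad=0
    # pseudo-user lines exactly as the README gives them: passwd|passwd.adjunct
    while IFS='|' read -r pw adj; do
        grep -Fxq -e "$pw" "$root/etc/passwd" 2>/dev/null ||
            { echo "MISSING passwd entry: $pw"; bad=$((bad + 1)); }
        grep -Fxq -e "$adj" "$root/etc/security/passwd.adjunct" 2>/dev/null ||
            { echo "MISSING passwd.adjunct entry: $adj"; bad=$((bad + 1)); }
    done <<'EOF'
AUpwdauthd:##AUpwdauthd:10:10:::|AUpwdauthd:*:::::
AUyppasswdd:##AUyppasswdd:11:10:::|AUyppasswdd:*:::::
EOF
    # modes from the README's chmod steps: 4755 for login, 755 for the daemons
    check_file "$root/bin/login" -rwsr-xr-x "$want_owner" "$want_group" ||
        bad=$((bad + 1))
    for d in rpc.pwdauthd rpc.yppasswdd; do
        check_file "$root/usr/etc/$d" -rwxr-xr-x "$want_owner" "$want_group" ||
            bad=$((bad + 1))
    done
    return "$bad"
}

if [ $# -gt 0 ]; then verify_install "$@"; fi
```

Run with `/` as the only argument on an installed system; the exit status is the number of mismatches, and each one is printed as a MISSING or BAD line.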