Patch-ID# 100201-06
Keywords: login rpc.yppasswdd rpc.pwdauthd
Synopsis: 4.1, 4.1_PSR_A, 4.1.1: c2 jumbo patch
Date: 05/Nov/92

SunOS release: 4.1 4.1_PSR_A 4.1.1

Unbundled Product:

Unbundled Release:

Topic: c2 jumbo patch

BugIDs fixed by this patch: 1059261 1043667 1040465 1044204 1040334 1047131 1049585 1058378 1063796 1085851 1097292

Changes incorporated in this -06 version: 1097292

Architectures for which this patch is available: sun3(x), sun4(c,490,390)

Patches which may conflict with this patch: 100138-02

This patch obsoletes patch 100138-02

Obsoleted by: BSM 1.0 or 4.1.2

Problem Description:

This patch contains the fixes for several bugs that were reported in
relation to C2 security.

login contains the fix related to password aging. The utility in libc
that is used to read and parse passwd.adjunct does not parse the age
field correctly: it always returns an empty field. login uses this
utility to get the age field and does nothing with it. Therefore
password aging is disabled. passwd does not have this problem because
it reads and parses passwd.adjunct itself and uses the actual age field.

rpc.pwdauthd contains the fix related to not being able to disable
remote use of the daemon. It also allows the daemon to generate audit
records using its own pseudo-user.

rpc.yppasswdd contains the fix for the daemon mysteriously dying. It
also allows the daemon to generate audit records using its own
pseudo-user.

rpc.yppasswdd contains the fix for using the same lockfile as vipw
(i.e. /etc/ptmp).

rpc.yppasswdd contains the fix for the passwd.adjunct file being
overwritten by the yppasswd command when NIS and C2 are running.

bug 1063796: When running C2 with NIS, NIS client users will notice the
result of the yppasswd command would be effective immediately (it takes
5 minutes delay).

bug 1058378: rpc.pwdauthd includes in its C2 audit log the cleartext
password for every call, whether successful or not.

For -05 version:

bugid 1085851 -- a dynamically-linked program that is executed by a
setuid program has access to the caller's environment variables if the
setuid program sets the real UID equal to the effective UID and the
real GID equal to the effective GID before the dynamically-linked
program is executed.

For -06 version:

bugid 1097292 -- rpc.pwdauthd's core image contains plaintext passwords
and the passwd.adjunct file

FOR PROGRAMMERS ONLY:

Patch 100201-02 fixed many of the C2 auditing problems in SunOS 4.1 and
4.1.1. For compatibility's sake, the fixed login, rpc.yppasswdd and
rpc.pwdauthd were statically linked with getauditflags.o and
getpwaent.o, two C library function calls in libc. This eliminated the
need to change libc for the patch to function. The problem with this is
that customers who use libc's getauditflags or getpwaent functions will
get the original versions, which still exist in libc. Supplying
getauditflags.o and getpwaent.o separately from libc, for linking into
your application, solves this problem. You should link the new
getauditflags.o and getpwaent.o into your application with the
-lrpcsvc flag.

Modified binaries:

    /bin/login
    /usr/etc/rpc.pwdauthd
    /usr/etc/rpc.yppasswdd

INSTALL:

NOTE: If you are not building applications which call the getauditflags
or getpwaent C library functions, the getauditflags.o and getpwaent.o
modules are not needed, since they are already statically linked into
login, rpc.pwdauthd, and rpc.yppasswdd. These modules can be ignored.

=============================================================================
  If NIS is being run, the new binaries need to be installed on all
  machines in the domain.

  Additionally, yppasswdd needs to be started in /etc/rc.local.
  Edit /etc/rc.local and add the following lines after the ypbind
  startup statements:

#This starts yppasswd daemon and tells it to look for the passwd.adjunct file
rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m

  Also, the NIS master maps should contain the AUpwdauthd and
  AUyppasswdd entries as stated below.
=============================================================================

Generically for all systems:

***************************************************************************
  The following pseudo-users must be added to /etc/passwd and
  /etc/security/passwd.adjunct before changing any binaries.
  This is so the auditing of rpc.pwdauthd and rpc.yppasswdd can occur.

  /etc/passwd additions:
  # Note: for systems not running NIS, the AUyppasswdd can be left out

AUpwdauthd:##AUpwdauthd:10:10:::/bin/false
AUyppasswdd:##AUyppasswdd:11:10:::/bin/false

  /etc/security/passwd.adjunct additions:

AUpwdauthd:*:::::
AUyppasswdd:*:::::
***************************************************************************

NOTE: If you are not running with C2 but want the fix for
rpc.yppasswdd (bug id 1043667), you can skip the above passwd file
additions; all you need is the rpc.yppasswdd binary. Please follow the
instructions below for restoring rpc.yppasswdd.

As root:

First save the FCS distribution versions as a precaution:

    # cp /bin/login /bin/login.orig
    # cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.orig
    # cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.orig

It is critical that the following steps be completed in single-user
mode, so that the rpc.pwdauthd and rpc.yppasswdd daemons are both
disabled while the new versions are installed.

    # shutdown now

The new versions of the binaries can now be installed. The 4.1 and
4.1.1 versions are identical except for the library version they
expect to dynamically link to.
Substitute either sun3 or sun4 for {arch} and either 4.1 or 4.1.1 for
{OS rev}.

    # cp {arch}/{OS rev}/login /bin/login
    # chown root /bin/login
    # chmod 4755 /bin/login
    # chgrp staff /bin/login

    # cp {arch}/{OS rev}/rpc.pwdauthd /usr/etc/rpc.pwdauthd
    # chown root /usr/etc/rpc.pwdauthd
    # chgrp staff /usr/etc/rpc.pwdauthd
    # chmod 755 /usr/etc/rpc.pwdauthd

    # cp {arch}/{OS rev}/rpc.yppasswdd /usr/etc/rpc.yppasswdd
    # chown root /usr/etc/rpc.yppasswdd
    # chgrp staff /usr/etc/rpc.yppasswdd
    # chmod 755 /usr/etc/rpc.yppasswdd

Double check the permissions of the new files. If the permissions are
set wrong, or the wrong architecture type is installed, login will not
be possible except in single-user mode (boot -s).

Note that the example below does not show the size of the binaries, as
the sun3 and sun4 versions are different sizes. Doing a
"file /bin/login" should tell you that it is a:

    mc68020 demand paged dynamically linked executable not stripped

on a sun3, and a:

    sparc demand paged set-uid executable not stripped

on a sun4.

    # ls -lg /bin/login
    -rwsr-xr-x  1 root     staff
    # ls -lg /usr/etc/rpc.pwdauthd
    -rwxr-xr-x  1 root     staff
    # ls -lg /usr/etc/rpc.yppasswdd
    -rwxr-xr-x  1 root     staff

Now you can either give a ^D (control D) from single-user mode or
reboot the machine. This finishes the installation.
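
The pseudo-user and permission checks above, collected into one script. This is an added example, not part of Sun's patch; the function names and the ROOT prefix argument are hypothetical, and it assumes a POSIX sh whose ls -l prints both owner and group.

```shell
#!/bin/sh
# Added example, not part of patch 100201-06. Audits the install steps above.
# ROOT is a hypothetical prefix for checking a staging copy ("" = live system).

# has_line FILE LINE: true if FILE contains LINE as a whole line.
has_line() { grep -F -x -e "$2" "$1" >/dev/null 2>&1; }

# check_pseudo_users ROOT [nis]: audit pseudo-users must be in both files.
# AUyppasswdd is only required when NIS is in use (per the README note).
check_pseudo_users() {
    pu_rc=0
    pu_list="AUpwdauthd:10"
    if [ "$2" = nis ]; then pu_list="$pu_list AUyppasswdd:11"; fi
    for pu in $pu_list; do
        pu_name=${pu%%:*}
        pu_uid=${pu##*:}
        has_line "$1/etc/passwd" "$pu_name:##$pu_name:$pu_uid:10:::/bin/false" ||
            { echo "MISSING $pu_name in /etc/passwd"; pu_rc=1; }
        has_line "$1/etc/security/passwd.adjunct" "$pu_name:*:::::" ||
            { echo "MISSING $pu_name in passwd.adjunct"; pu_rc=1; }
    done
    return $pu_rc
}

# check_file PATH MODE [OWNER] [GROUP]: compare against the ls -l listing.
# (SunOS 4 needs ls -lg to show the group; POSIX ls -l already prints it.)
check_file() {
    cf_want="$2:${3:-root}:${4:-staff}"
    cf_ls=`ls -ld "$1" 2>/dev/null` || { echo "MISSING $1"; return 1; }
    # substr() drops the ACL/SELinux marker some ls versions append.
    cf_got=`echo "$cf_ls" | awk '{ print substr($1, 1, 10) ":" $3 ":" $4 }'`
    [ "$cf_got" = "$cf_want" ] && return 0
    echo "BAD $1: got $cf_got, want $cf_want"
    return 1
}

# verify_install ROOT [nis] [OWNER] [GROUP]: run every check, report all faults.
verify_install() {
    vi_rc=0
    check_pseudo_users "$1" "$2" || vi_rc=1
    check_file "$1/bin/login" -rwsr-xr-x "$3" "$4" || vi_rc=1
    check_file "$1/usr/etc/rpc.pwdauthd" -rwxr-xr-x "$3" "$4" || vi_rc=1
    check_file "$1/usr/etc/rpc.yppasswdd" -rwxr-xr-x "$3" "$4" || vi_rc=1
    return $vi_rc
}

# Run only when arguments are given, e.g.:  sh verify.sh "" nis
if [ "$#" -gt 0 ]; then verify_install "$@"; fi
```

A non-zero exit status means at least one entry or permission differs from what the install steps specify; every fault found is printed, not just the first.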