Obsolete Patch-ID# 100138-02 Keywords: client..da, passwd, out, time, failed, RPC, dies, client, serve Keywords: CTE, security, passwd, -e, c2, aging, passwd.adj, command Synopsis: OBSOLETED by 100201 Date: 29-Aug-90 SunOS release: 4.1 Unbundled Product: Unbundled Release: Topic: BugId's fixed with this patch: 1040334, 1040465 Architectures for which this patch is available: sun3, sun4, sun4c Obsoleted by: 100201 Problem Description: *** OBSOLETE *** This patch is INCOMPATIBLE with systems running US encryption since they each change libc. Problem Description 1040334: The rpc.yppasswdd was core dumping when used with C2 installed. This was caused by the library routine getauditflags.c. It was doing a store of 0 to an array with a -1 index and clobbering the runtime stack. This occured if there were no audit flags in the passwd.adjunct entry being updated by rpc.yppasswdd. Modified sources: /usr/src/lib/libc/gen/common/getauditflags.c Modified files: /lib/libc.a /lib/libc.sa.XXX /lib/libc.so.XXX /lib/libc_p.a Note: the command line arguments to rpc.yppasswdd must be set properly or or bad and mysterious things will happen. The fragment below illustrates how it should be evoked in /etc/rc.local. # if [ -f /usr/etc/rpc.yppasswdd -a -d /var/yp/`domainname` ] ; then if [ -f /etc/security/passwd.adjunct ]; then /usr/etc/rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m \ passwd fi fi # If the paramaters are incorrect, it is possible to trick the daemon into # updating /etc/passwd with the adjunct file. Problem Description 1040465: The changes for passwd aging fall into two areas: getpwaent.c and passwd.c. lib/libc/gen/common/getpwanet.c was not parsing the aging information properly. The pointer to the string that was susposed to contain the age data was being being left pointing at the NULL at the end of the password string. There were 2 problems in passwd.c. 1) /etc/passwd was always being used even though the aging data was in the adjunct file. 2) The current data was not being encoded with the age data when the initial aging data was set. 3) The granularity of time for password aging is a week. Thus days are converted into weeks. This is not indicated in the documentation. To fix the aging problem, new versions of libc.a are require. This includes the shared libraries. Two utilities are effected: passwd and login. Login itself does not need changed, it is fixed in the library change, but it's functionality changes due to this library change thus it is listed here as being effected. Modified sources: /usr/src/lib/libc/gen/common/getpwaent.c /usr/src/bin/passwd.c Modified files: /bin/passwd /lib/libc.a /lib/libc.sa.XXX /lib/libc.so.XXX /lib/libc_p.a INSTALLATION: THIS PATCH MUST BE APPLIED TO ALL MACHINES. BOTH NIS SERVER AND CLIENT. Since the daemon is making rpc calls to a remote machine's library, both local and remote libraries must have the patched version for the function to succeed. It is important to use the files from the appropriate architecture (sun3 or sun4) save your current working version of /usr/lib/libc.a, /usr/lib/libc.sa.1.5, /usr/lib/libc.so.1.5, /usr/lib/libc_p.a, and /bin/passwd AS ROOT # shutdown +10 (bring the machine down to single user mode. Failure to do so can cause system hangs!) # mv /usr/lib/libc.a /usr/lib/libc.a.orig # mv /usr/lib/libc.sa.1.5 /usr/lib/libc.sa.1.5.orig # mv /usr/lib/libc.so.1.5 /usr/lib/libc.so.1.5.orig # mv /usr/lib/libc_p.a /usr/lib/libc_p.a.orig # mv /bin/passwd /bin/passwd.orig Making sure you use the correct archetecture (sun3,sun3x,sun4) files, copy the new versions to /usr/lib and /bin EXAMPLE is for sun4: # mv sun4/libc.a /usr/lib/libc.a # mv sun4/libc.sa.1.5 /usr/lib/libc.sa.1.5 # mv sun4/libc.so.1.5 /usr/lib/libc.so.1.5 # mv sun4/libc_p.a /usr/lib/libc_p.a # mv sun4/passwd /bin/passwd Change the mode on the new versions (still as root) # chmod 4755 /bin/passwd # chmod 644 /usr/libc* # chmod 755 /usr/lib/libc.so.1.5 # sync;sync;sync; reboot