Patch-ID# 100564-08 Keywords: C2 rpc.yppasswdd rpc.pwdauthd Synopsis: SunOS 4.1.3: C2 rpc.yppasswdd Jumbo Patch Date: Dec/01/95 Solaris Release: 1.1 SunOS Release: 4.1.3 Unbundled Product: Unbundled Release: NOTE: This patch continues to only support 4.1.3. Patch supports for 4.1.2 is patch 102885. BugId's fixed with this patch: 1173802 1179082 1040334 1043667 1058378 1059261 1063796 1039587 1097292 1006905 1120524 Changes incorporated in this version: 1173802 1179082 Relevant Architectures: sun4 sun4c sun4m Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: rpc.yppasswdd rpc.pwdauthd Problem Description: 1179082: improper locking of passwd.adjunct file with rpc.yppasswdd and C2 1173802: rpc.yppasswdd dumps core 1040334: yppasswd will not allow user to change passwd from client, the daemon dies on server 1043667: rpc.yppasswdd uses an incorrect lock file 1058378: rpc.pwdauthd logs cleartext passwords via auditd 1059261: NIS and C2 Security passwd.adjunct file can get overwritten by passwd 1063796: When running C2 with NIS, yppasswd password changes from client system would take 5 minutes of delay before taking effect. 1039587: rpc.yppasswdd does not accept ":" characters as a valid passwd character when changing an existent passwd entry. 1097292: rpc.pwdauthd's core image contains plaintext passwords and passwd.adjunct ` file 1006905 rpc.yppasswdd sometimes corrupt passwd dbm files 1120524 C2 security/patch 100564-05 fails under SunOS 4.1.3; Application can cause rpc.pwdauthd to die. Patch Installation Instructions: ------------------------------- NOTE: If you do not plan to run C2, but want the fix for rpc.yppasswdd you can just install a new rpc.yppasswdd as given below in the steps for all systems. ============================================================================= Only on the MASTER NIS server ============================================================================= * Add the following lines to the /etc/rc.local file on the NIS master, after * the entry for ypbind startup. Note that the -m option has no arguments, * thus ensuring both passwd and passwd.adjunct maps are built when a passwd * change occurs. # # This starts yppasswd daemon and tells it to look for the passwd.adjunct file # if [ -f /usr/etc/rpc.yppasswdd -a -d /var/yp/`domainname` ]; then rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m; echo rpc.yppasswdd fi * Now follow the step given for all systems. ============================================================================= Only on NIS client machines not running C2 security with a MASTER NIS server converted to running C2 security. ============================================================================= * Normally all machines will be C2 converted within a NIS domain to * achieve C2 classification. These steps are for cases where NIS * clients have not been C2 converted, but the NIS MASTER has been converted. * * Machines with a NIS master using passwd shadowing (passwd.adjunct) need * to run the rpc.pwdauthd to decrypt shadowed passwd's. This daemon will * automatically be started by the default rc.local script if a passwd.adjunct * file exists. Do the following to create this file with a "+" entry in it * to use the NIS passwd.adjunct map. # mkdir /etc/security # chown root.staff /etc/security # chmod 2711 /etc/security # echo "+" > /etc/security/passwd.adjunct # chown root.staff /etc/security/passwd.adjunct # chmod 644 /etc/security/passwd.adjunct * To prevent the auditd process from starting in /etc/rc.local, * modify the /etc/rc.local script for the startup of auditd to: echo -n 'starting local daemons:' if [ -f /usr/etc/auditd -a -d /etc/security/audit ]; then auditd; echo -n ' auditd' fi * Now follow the step given for all systems. ============================================================================= Generically for all systems: =========================================================================== * The following pseudo-users must be added to /etc/passwd and * * /etc/security/passwd.adjunct before changing any binaries * * This is so the auditing of the rpc.pwdauthd and rpc.yppasswd can occur * * These additions do not need to be done on NIS client machines since * they will pick these changes up from the NIS master. * * * /etc/passwd additions: * AUpwdauthd:##AUpwdauthd:10:10:::/bin/false AUyppasswdd:##AUyppasswdd:11:10:::/bin/false * */etc/security/passwd.adjunct additions: * AUpwdauthd:*::::: * AUyppasswdd:*::::: * =========================================================================== Now, complete the install by loading in the modified binaries. Note that the dynamically linked binaries are incompatible with the use of the US Encryption Kit. If you will be using the US Encryption Kit, load the static versions (rpc.pwdauthd.static and rpc.yppasswdd.static) of the provided binaries. First save the FCS distribution versions as a precaution: # cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.FCS # cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.FCS It is critical that the following steps be completed in single-user mode, so that the rpc.pwdauthd and rpc.yppasswd daemons are both disabled while the new versions are installed. The new version of the binaries can now be installed. # cp rpc.pwdauthd /usr/etc/rpc.pwdauthd # chown root.staff /usr/etc/rpc.pwdauthd # chmod 755 /usr/etc/rpc.pwdauthd # cp rpc.yppasswdd /usr/etc/rpc.yppasswdd # chown root.staff /usr/etc/rpc.yppasswdd # chmod 755 /usr/etc/rpc.yppasswdd Double check permissions of the new files. If the permissions are set incorrectly, login will not be able to occur except in single user mode (boot -s). Now you can either enter a ^D (control D) from single user mode or reboot the machine. This finishes the installation. Special Install Instructions: ----------------------------- None.