Patch-ID# 104418-05
Keywords: flush gateways tnetd memory leak spdbm_close TNETDB spdbm errors auto recover
Synopsis: Trusted Solaris 1.2: tnetd patch
Date: Mar/16/00

Solaris Release: Trusted_Solaris

SunOS Release: 1.2

Unbundled Product:

Unbundled Release:

Relevant Architectures: NOTE: sun4 sun4c sun4m

BugId's fixed with this patch: 4301772 4135547 4038931 1257994

Changes incorporated in this version: 4301772

Patches accumulated and obsoleted by this patch: 104418-04

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

    README                - This file.
    install_patch         - Script to install the appropriate patch
                            components for the machine on which it is run.
    nis_master..tar.Z     - Patches for NIS master machines for each
                            supported architecture.
    nis_client..tar.Z     - Patches for NIS client machines for each
                            supported architecture.
    diskless..tar.Z       - Patches for diskless machines for each
                            supported architecture.

Problem Description:

THIS PATCH DOES NOT APPLY TO 4.1.1, 4.1.2, 4.1.3, 4.1.3_U1, CMW 1.0,
OR TRUSTED SOLARIS 1.1 SYSTEMS.

This patch contains a fix for the following bug(s):

Bug:  4301772
Desc: A possible infinite loop introduced by patch 104418-04.
      The code in flushdb was in error and would loop if the caller's
      retry loop failed as well. Fixed by setting the *open flag to 1
      instead of incrementing it.

Bug:  4135547
Desc: Auto recover from spdbm errors by closing the database and
      reopening it. This doesn't really fix the problem, but it
      appears to provide an acceptable workaround.

Bug:  4038931
Desc: Added a feature to flush directly attached gateways if they are
      listed in "/etc/security/m6.gateways".

      To activate this feature, create an /etc/security/m6.gateways
      file with a list of host names to be flushed, one host name per
      line. Comment lines are allowed and are marked by a # in
      column 1.

      This is a workaround for the SecureWare architecture flaw where
      A -> B -> C such that B's tokens are out of date w.r.t. C and C
      sends a flush host to A rather than B because it doesn't know
      that B was the intermediary. This feature recognizes that A is
      not on the same subnet as C and then flushes the gateway hosts
      listed in /etc/security/m6.gateways rather than A.

      This does not fix the architecture flaw. It merely provides an
      automated way to flush gateways that may have out-of-date
      tokens.

      Also added a feature to manually flush local and remote
      databases using new options to "tnetd_ctl": the -H option
      causes a remote host to flush its entries for the local host,
      and the -X option flushes the local host's entries for a given
      remote host.

Bug:  1257994
      Fixed memory leak in spdbm_close() when closing multi-extent
      TNETDB

Note: In the following lists of files, the export/exec path prefix is
      used to load files into the appropriate places on the machine.
      For example, export/exec/kvm/ is used to refer to /usr/kvm on a
      machine where is the native architecture.

Files:

    export/exec/sparc/etc/tnetd
    export/exec/sparc/etc/tnetd_ctl
    export/exec/sparc/share/man/man8/tnetd_ctl.8t

Patch Installation Instructions:

1.  Boot the machine single user, clean the disks, and start a csh(1).

        > b -s
    or
        ok boot -s

        # fsck -f -p
        # exec csh
        # source /.cshrc
        # source /.login

2.  Load this patch in a location that has disk space. This example
    assumes that /var is a separate partition and that the patch is
    delivered on tape.

        # mount /var
        # cd /var
        # mkdir -p patches/
        # cd patches/
        # tar xvf /dev/rst0

3.  Install the patch and check the "log" for errors.

        # ./install_patch |& tee log
        # vi log

3a. This patch contains changes to the machine's kernel. In order for
    the changes to take effect, the kernel must be reconfigured. To
    reconfigure the kernel, follow the procedure in the README file,
    located in the /export/exec/kvm//sys//conf directory for each
    architecture.

4.  Reboot the machine.

        # cd /
        # umount -at cfs
        # sync; sync; sync; reboot

Special Instructions for tnetd patch installation:

When the new tnetd is installed, it would be useful to start
everything fresh.

1.  In single-user mode, create an empty token database to start
    afresh.

        # /usr/etc/mkdb /etc/security/TNETDB 4096 80;

2.  Remove the old tnet log file.

        # mv /var/adm/TNET_LOG /var/adm/TNET_LOG.old;
        # touch /var/adm/TNET_LOG;
        # chmod 644 /var/adm/TNET_LOG;
        # chown root /var/adm/TNET_LOG;
        # setlabel "system_high[system_high]" /var/adm/TNET_LOG;

3.  Reboot the machine.

        # sync;sync; reboot
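
Added example, not part of the original README and not the tnetd source: C code that parses the /etc/security/m6.gateways format described under Bug 4038931 and picks the hosts to flush the way that entry describes. The function names, the IPv4 host-order addresses, the fallback to host A when no gateway is listed, and the sample data are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_NAME 64

/* m6.gateways: one host name per line, '#' in column 1 is a comment.
 * Assumption: blank lines are skipped and trailing blanks are trimmed. */
int parse_gateways(const char *text, char out[][MAX_NAME], int max)
{
    int n = 0;
    while (*text && n < max) {
        size_t len = strcspn(text, "\n"), end = len;
        while (end > 0 && strchr(" \t\r", text[end - 1]))
            end--;
        if (end > 0 && end < MAX_NAME && text[0] != '#') {
            memcpy(out[n], text, end);
            out[n++][end] = '\0';
        }
        text += len + (text[len] == '\n');
    }
    return n;
}

/* Run on the flushing host (C in the README). If host A is off-subnet and
 * gateways are listed, the gateways are flushed instead of A; otherwise A is.
 * Assumptions: IPv4 host-order addresses; an empty list falls back to A. */
int flush_targets(const char *host_a, uint32_t a_addr, uint32_t local_addr,
                  uint32_t mask, const char *gw_text,
                  char out[][MAX_NAME], int max)
{
    int off_subnet = ((a_addr ^ local_addr) & mask) != 0;
    int n = off_subnet ? parse_gateways(gw_text, out, max) : 0;
    if (n == 0 && max > 0 && strlen(host_a) < MAX_NAME)
        strcpy(out[n++], host_a);
    return n;
}

/* Constructed sample data, not from a real system:
 * A = 10.1.2.5, local host C = 10.2.3.7, netmask 255.255.255.0. */
static const char SAMPLE[] = "# gateways to flush\ngw-east\n#gw-old\n\ngw-west  \n";
static char demo[8][MAX_NAME];

int main(void)
{
    int n = flush_targets("hosta", 0x0A010205u, 0x0A020307u, 0xFFFFFF00u,
                          SAMPLE, demo, 8);
    for (int i = 0; i < n; i++)
        printf("flush %s\n", demo[i]);
    return 0;
}
```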