Patch-ID# 104830-02 Keywords: y2000 security CERT FLEXlm license lit lit_tty checksum PC DC Synopsis: FLEXlm 4.1c_x86: Patch for FLEXlm 4.1c and lit/lit_tty Date: Dec/24/99 Solaris Release: 2.4_x86 2.5_x86 2.5.1_x86 2.6_x86 7_x86 SunOS Release: 5.4_x86 5.5_x86 5.5.1_x86 5.6_x86 5.7_x86 Unbundled Product: FLEXlm Unbundled Release: 4.1c Relevant Architectures: i386 BugId's fixed with this patch: 1263755 4028378 4010037 4012897 4042585 4037251 4032016 1246151 4217374 4217394 Changes incorporated in this version: 1246151 4217374 4217394 Patches accumulated and obsoleted by this patch: 104186-02 105296-01 Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/init.d/lic_mgr /etc/opt/licenses/adjust_flexlm_owner /etc/opt/licenses/lic_srvr_start /SUNWste/license_tools/config_template /SUNWste/license_tools/lic.SUNW /SUNWste/license_tools/lit /SUNWste/license_tools/lit_tty /SUNWste/license_tools/lmdiag /SUNWste/license_tools/lmdown /SUNWste/license_tools/lmgrd.ste /SUNWste/license_tools/lmhostid /SUNWste/license_tools/lmremove /SUNWste/license_tools/lmreread /SUNWste/license_tools/lmstat /SUNWste/license_tools/lmutil /SUNWste/license_tools/lmver /SUNWste/license_tools/suntechd /SUNWste/license_tools/License_Request_Form Problem Description: 1246151 P1247 license manager dies with "Vendor daemon can't talk to lmgrd" 4217374 /usr/tmp/license_log lists Jan 1 2000 as "01/01/100". 4217394 License Request Form doesn't support Try and Buy, ScholarPASS, or GoldPass. (from 104830-01) 4010037 i386 Server License tool SUNWlit Informational message is wider than screen 4012897 lit window can not display Japanese cahracters on OpenWindows 4042585 [Intel] lit cannot open the message catalog files correctly 4037251 Help doesn't work, or it even dumps core, for lit: Choose License Information (from 105296-01) 4032016 Password Checksum and Data Checksum don't match even on valid license. (from 104186-02) 4028378 Patch 104174-01 does not install on 2.4 correctly (from 104186-01) 1263755 flexlm security problems Patch Installation Instructions: -------------------------------- For Solaris 2.0-2.6 releases, refer to the Install.info file and/or the README within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch." For Solaris 7 release, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/106326-01 The following example removes a patch from a standalone system: example# patchrm 104945-02 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- After installing this patch, you must stop and start FLEXlm in order for the fixes in the patch to become effective. To stop and start FLEXlm, do the following: # cd /etc/opt/licenses # ./lmdown -c licenses_combined # /etc/rc2.d/S85lmgrd If you have one or more of patches 104830-01, 104186-02, or 104186-01 installed, you must remove it (them), remove FLEXlm 4.1c, and reinstall FLEXlm 4.1c before installing this patch 104830-02. To find out if you have patch 104830-01 or 104186-02 or -01 installed, use showrev -p (Solaris 2.4, 2.5, 2.5.1) or patchadd -p (Solaris 2.6, 7): # showrev -p | grep 104830-01 # showrev -p | grep 104186 or # patchadd -p | grep 104830-01 # patchadd -p | grep 104186 To remove patch 104830-01 or 104186-02 or -01, use backoutpatch (Solaris 2.4, 2.5, 2.5.1) or patchrm (Solaris 2.6, 7): # cd /var/sadm/patch # 104830-01/backoutpatch 104830-01 # 104186-02/backoutpatch 104186-02 # 104186-01/backoutpatch 104186-01 or # patchrm 104830-01 # patchrm 104186-02 # patchrm 104186-01 To find out if you have FLEXlm 4.1c installed, use the /etc/opt/licenses/lmver command. If lmver returns output similar to the following, you have FLEXlm 4.1c installed. Remember that you only need to remove FLEXlm 4.1c if you have installed any of the patches mentioned above - if you never installed any of the patches listed above on your license server, you do not need to remove and reinstall FLEXlm. # cd /etc/opt/licenses # ./lmver lmgrd.ste lmver - Copyright (C) 1989-1994 Globetrotter Software, Inc. FLEXlm Copyright 1988-1994, Globetrotter Software, Inc. FLEXlm 4.1c (liblmgr_s.a), Copyright (C) 1988, 1996 Globetrotter Software, Inc. To remove FLEXlm 4.1c, use pkgrm: # pkgrm SUNWlicsw SUNWlit To reinstall FLEXlm 4.1c, mount your WorkShop 4.2 (Volume 5 Number 1) CD in your CD-ROM drive, change directory to the top level of the CD, and do a pkgadd: # cd /devpro_v5n1_intel # pkgadd -d . SUNWlicsw SUNWlit After SUNWlicsw and SUNWlit have been reinstalled, install this patch. After installing this patch 104830-02, start FLEXlm: # /etc/rc2.d/S85lmgrd With this patch applied, the default is to run the license daemons as owned by the user "nobody". This corrects the security risk from running these daemons as owned by "root". This default is safe and will be fine for the needs of most users. Should you wish to change the default, the instructions to do so follow. When installpatch or patchadd is run, scripts in SUNWlicsw will look for the file /etc/opt/licenses/flexlm_owner. If this file is not found, the license server daemon, installed with SUNWlicsw, will be configured to run owned by the username nobody. After the patch is installed, this configuration can be changed at anytime by using the script, adjust_flexlm_owner (see below). To create the file, /etc/opt/licenses/flexlm_owner, use any editor and create the file to contain a single valid non-privileged username that will be used by root when starting the license daemon. There should only be a single line in this file containing the username. Do not include any leading or trailing blank spaces. A valid non-privileged username is requested for use in starting the license server daemon, lmgrd.ste. As in the past, root may still be used but it is highly discouraged. If root is used, there is a potential security risk that can be abused on UNIX systems. Once a valid username is entered, the group that the license manager software belongs to will be updated with that of the group that username belongs to. The permissions on these files will also be updated to allow group read and execute privileges so that "username" can use them. The license manager startup script, /etc/rc2.d/S85lmgrd, will be modified to start the license daemon as "username" even though S85lmgrd is still executed as root. If you wish to limit access to the license manager daemon, you can set up a non-privileged account specifically for this purpose. For example the account "flexlm" can be created. If you want to use a username such as "flexlm" that currently does not exist you must first create the user before running installpatch or patchadd because the username entered in the file will be checked to ensure that it is a valid username on your system. After this patch has been correctly installed, there will be a new script in /etc/opt/licenses called adjust_flexlm_owner. This script can be run anytime by root to change the username used to start the licensing daemon. The script provides online help. NOTE: The script will run non-interactively if the file /etc/opt/licenses/flexlm_owner exists. To run the script interactively, first delete the flexlm_owner file.