Patch-ID# 101329-10 Keywords: rpc automountd jumbo NIS+ hostname security loopback Synopsis: SunOS 5.3: Jumbo NIS+ patch, automountd security, autofs and loopback mounts Date: Mar/25/94 Solaris Release: 2.3 SunOS release: 5.3 Unbundled Product: Unbundled Release: Topic: SunOS 5.3: Jumbo NIS+ patch, automountd security, autofs and loopback mounts BugId's fixed with this patch: 1145573 1140610 1145129 1139765 1144962 1142583 1147964 1145542 1150596 1136034 1149774 1150491 1157062 1160379 Changes incorporated in this version: 1160379 Relevant Architectures: sparc Patches accumulated and obsoleted by this patch: 101315-01 Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/init.d/rpc /usr/lib/nis/nisserver /usr/sbin/rpc.nisd /usr/lib/libnsl.so.1 /usr/lib/libnsl.a /usr/lib/autofs/automountd /usr/bin/nischmod /usr/lib/nis/nisaddent /usr/bin/nisgrpadm /usr/bin/nisaddcred /usr/lib/fs/autofs/automount Problem Description: 1160379 Major security hole in automount. Fixes Security hole in the automounter (5.3 is the only affected release). (from 101329-09) 1157062 autofs and loopback mounts in direct hieracrhical maps broken This patch allows automountd to correctly remount loopback file systems after it determines that at least one member of the hierarchy was busy and therefore could not be remounted. automountd needs to format the mount options before it passes them to /usr/lib/fs/lofs/mount. (from 101329-08) 1150491 cron dies with SIGSEGV in __nis_core_lookup Cron dumps core when the NIS+ environment is unstable. (from 101329-07) 1149774 remote users can override the way NFS filesystems are mounted to gain root acces Closes hole left by previous fix to automounter's security. Fixes options security hole in automounter when using wildcards. (from 101329-06) 1149774 remote users can override the way NFS filesystems are mounted to gain root access: security (from 101329-05) 1136034 NIS+ creates invalid hostname NIS+ does not work correctly if the hostname in /etc/hosts file is fully qualified. (from 101329-04) 1150596 patch 101329-03 disables RPC threading. The patch 101329-03 created a problem with MT RPC. When running Multi Threaded and using RPC you get the error: Assertion failed: RW_READ_HELD(&rpcaddr_cache_lock), file rpc/rpcb_clnt.c, line 127 Which means the routine check_cache() is being called without a Read Lock being held. This is because of this patch. This will be seen by anyone who tries to run a program that is MT while using RPC. (from 101329-03) nisaddcred creates LOCAL entries with the wrong group ID when invoked by a non-root user who is a member of the NIS+ group for the credential table. (from 101329-02) 1139765 Data corruption in NIS+ cache manager 1144962 rpc.nisd dumps core (while undergoing update from YP maps via nisaddent -my) 1142583 NIS+ command(s) fail to use master server 1147964 NIS+ servers start repeatedly doing FULL RESYNCS because stdio runs out of fd's These set of fixes and work arounds fix a number of problems found at a major NIS+ customer. A very large customer using only NIS+ for their name service. The fixes consists of a number of memory leaks discovered by Purify, a real important fix to __nis_core_lookup() (one copy in the NIS+ server and one libnsl) and a fix/workaround to a running out of open file descriptor problem causes by a combination of heavy load (shift changes at Fingerhut) and the fact that stdio only allows 256 of the 1024 file descriptors to be used causing stdio opens to fail leading to the NIS+ servers constantly doing FULL resyncs. The workaround bumps up TCP connection above 256 to allow stdio to use the lower numbered file descriptors for itself. (from 101329-01) 1145573 CADDS software package fails with rpc error Servers using librpcsoc (source compatiblity) library for service creation do not respond to client requests. This is not a problem in previous releases. (from 101315-01) 1140610 autofs does not work with cachefs file system type 1145129 automountd doesn't follow NIS+ table paths This patch fixes the following problems: 1. autofs will fail to mount entries from the hosts map which specify the cachefs filesystem option, such is the case of /net when the cachefs option is specified. 2. autofs mounts which trigger hierarchical mounts will fail when automountd remounts members of a hierarchy which have previously been unmounted due to an inactive filesystem unmount request. This only occurs when using cachefs. 3. autofs wrongly assumes that the backfstype option is placed last in the list of options. 4. automountd will not follow NIS+ table paths when the auto_* tables are pathed to tables in another domain. Patch Installation Instructions: -------------------------------- Generic 'installpatch' and 'backoutpatch' scripts are provided within each patch package with instructions appended to this section. Other specific or unique installation instructions may also be necessary and should be described below. Special Install Instructions: ----------------------------- The running automountd needs to be stopped with: sh /etc/init.d/autofs stop after the patch is installed, the new automountd has to be started with: sh /etc/init.d/autofs start The user may also reboot the system after installation and achieve the same effect. Instructions to install patch using "installpatch" -------------------------------------------------- 1. Become super-user. 2. Apply the patch by typing:
.
See /tmp/log. for reason for failure.
Explanation and recommended action: The installation of one of
patch packages failed. Any previously installed packages
in the patch should have been removed. See the log file
for the reason for failure. Correct the problem and
re-apply the patch.
Patch Installation Messages:
---------------------------
Note: the messages listed below are not necessarily considered errors
as indicated in the explanations given. These messages are, however,
recorded in the patch installation log for diagnostic reference.
Message:
Package not patched:
PKG=SUNxxxx
Original package not installed
Explanation: One of the components of the patch would have patched a
package that is not installed on your system. This is not
necessarily an error. A Patch may fix a related bug for several
packages. Example: suppose a patch fixes a bug in both the
online-backup and fddi packages. If you had online-backup installed
but didn't have fddi installed, you would get the message
Package not patched:
PKG=SUNWbf
Original package not installed
This message only indicates an error if you thought the package
was installed on your system. If this is the case, take the
necessary action to install the package, backout the patch (if
it installed other packages) and re-install the patch.
Message:
Package not patched:
PKG=SUNxxx
ARCH=xxxxxxx
VERSION=xxxxxxx
Architecture mismatch
Explanation: One of the components of the patch would have patched a
package for an architecture different from your system. This is not
necessarily an error. Any patch to one of the architecture specific
packages may contain one element for each of the possible
architectures. For example, Assume you are running on a sun4m. If
you were to install a patch to package SUNWcar, you would see the
following (or similar) messages:
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4c
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4d
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4e
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
The only time these messages indicate an error condition
is if installpatch does not correctly recognize your architecture.
Message:
Package not patched:
PKG=SUNxxxx
ARCH=xxxx
VERSION=xxxxxxx
Version mismatch
Explanation: The version of software to which the patch is applied is
not installed on your system. For example, if you were running Solaris
5.3, and you tried to install a patch against Solaris 5.2, you would
see the following (or similar) message:
Package not patched:
PKG=SUNWcsu
ARCH=sparc
VERSION=10.0.2
Version mismatch
This message does not necessarily indicate an error. If
the version mismatch was for a package you needed patched, either
get the correct patch version or install the correct package version.
Then backout the patch (if necessary) and re-apply.
Patch Backout Errors:
---------------------
Error message:
Patch has not been successfully applied to this system.
Explanation and recommended action: The user has attempted to back
out a patch that was never applied to this system. It is
possible that the patch was applied, but that the patch
directory /var/sadm/patch/ was deleted somehow.
If this is the case, the patch cannot be backed out. The
user may have to restore the original files from the
initial installation CD.
Error message:
This patch was obsoleted by patch $1.
Patches must be backed out in the order in
which they were installed. Patch backout aborted.
Explanation and recommended action: The obsoleted contents of an
older patch rev that apparently still exists under /var/sadm/patch
should never be restored out of sequence. This could undermine
the integrity of the more current patch rev installed and the
restoration of the files it has saved.
Error message:
Patch was installed without backing up the original
files. It cannot be backed out.
Explanation and recommended action: Either the -d option of
installpatch was set when the patch was applied, or the save
area of the patch was deleted to regain space. As a result, the
original files are not saved and backoutpatch cannot be used. The
original files can only be recovered from the original
installation CD.
Error message:
pkgrm of package failed return code .
See /var/sadm/patch//log for reason for failure.
Explanation and recommended action: The removal of one of
patch packages failed. See the log file for the reason for
failure. Correct the problem and run the backout script again.
Error message:
Restore of old files failed.
Explanation and recommended action: The backout script uses the
cpio command to restore the previous versions of the files
that were patched. The output of the cpio command should
have preceded this message. The user should take the
appropriate action to correct the cpio failure.
KNOWN PROBLEMS:
On client server machines the patch package is NOT applied
to existing clients or to the client root template space.
Therefore, when appropriate, ALL CLIENT MACHINES WILL NEED
THE PATCH APPLIED DIRECTLY USING THIS SAME INSTALLPATCH
METHOD ON THE CLIENT. See instructions above for
applying patches to a client.
A bug affecting a package utility (eg. pkgadd, pkgrm, pkgchk)
could affect the reliability of installpatch or backoutpatch
which uses package utilities to install and backout the patch
package. It is recommended that any patch that fixes package
utility problems be reviewed and, if necessary, applied before
other patches are applied. Such existing patches are:
100901 Solaris 2.1
101122 Solaris 2.2
101331 Solaris 2.3
SEE ALSO
pkgadd, pkgchk, pkgrm, pkginfo, showrev