Patch Name:  PHNE_5081

Patch Description:  s300_400 9.X NIS-DNS fallback, securenets, portmap

Creation Date:  94/12/16

Post Date:  95/01/09

Repost:  95/01/26
         The patch documentation was updated to include fix
         information on portmap.

Hardware Platforms - OS Releases:
         s300_400:  9.00 9.03

Products:  N/A

Filesets:  NFS-RUN NFS-MAN

Automatic Reboot?:  Yes

Status:  General Release

Critical:  No

Path Name:  /hp-ux_patches/s300_400/9.X/PHNE_5081

Symptoms:  PHNE_5081:
           * Fixes a problem with PHNE_4230 wherein users other than
             root were denied access to NIS maps.
           * portmap would not register itself in the portmap list.
           * portmap would allow SET/UNSET calls from remote hosts.
           * portmap would return a port for a service that had died.
           * portmap would forward mount/nfsd rpc requests.

           PHNE_4230:
           * NIS securenets patch.
           * ypserv allows anyone that can guess the domainname to
             obtain copies of NIS maps.
           * NIS DNS fallback support.
           * Allow programs to register with the portmapper if another
             program died without clearing its own registration.

Defect Description:  PHNE_5081:
           * An inappropriate access check denied access to NIS maps
             to any user other than root.
           * portmap now registers itself in the portmap list.
           * portmap refuses SET/UNSET calls from a remote host.
           * portmap refuses to forward mount/nfsd rpc requests.

           PHNE_4230:

           Portmap Re-registration:
           ------------------------
           The portmap process would not allow a program to re-register
           if that program had not cleared out its own registration
           with either a svc_unregister() or pmap_unset() call.  This
           fix allows a program to re-register if the registration
           entry still exists in the portmap registration tables but
           the network port associated with the old registration is no
           longer bound.

           Securenets:
           -----------
           This addresses a problem wherein any NIS server or client
           that could get or guess your domain name could access your
           maps.  The patch adds a file, /etc/securenets, which lists
           the IP addresses of valid slave servers or clients.
           A system which is not in the list cannot access your NIS
           maps.  The file is installed in /etc/newconfig.  See the
           configuration information in the sample and the included
           manpage, securenets(4), if you wish to use it.  Without the
           file in place in the /etc directory, the functionality is
           not activated.  Note that this is a check on the source IP
           address of the request only; it does not authenticate the
           requesting host.  This patch should be installed on both
           NIS clients and servers.

           As root, copy /etc/newconfig/securenets to /etc and edit it
           to the format described in the securenets manpage.

           DNS Fallback:
           -------------
           With client-side configurability, the client determines in
           which order the name services will be used.  A file located
           on the client contains the list of name services in the
           order they are to be consulted.  The client could specify
           that it wants to try NIS, followed by DNS, and finally
           /etc/hosts.  Additionally, the conditions under which to
           try the next name service can be configured.  For example,
           an administrator can configure the client to use the next
           name service if the first one is up and running but cannot
           provide the requested name resolution.  This overrides the
           default behavior of earlier releases, in which a NOT_FOUND
           answer was returned and the search terminated.  The
           client-side solution has the same configuration file syntax
           as Solaris 2.0's solution.  The client-side solution on
           s300_400 is obtained with patches PHCO_4853 and PHNE_3690.

           The second solution is more limited.  The NIS server can be
           configured to try DNS after it does not find an answer in
           its own NIS hosts map.  This solution is only an NIS to DNS
           solution; it does not allow any other ordering, change of
           conditions, or the inclusion of /etc/hosts.  This solution
           was originally introduced by Sun in ONC 4.2.  Generally,
           the NIS server solution is required in environments where
           there is already an existing usage of this solution, and
           where there are client systems (e.g. some PC networking
           packages) that do not provide any mechanism for using
           multiple name services.
           The second solution is provided in this patch.  To use it,
           the hosts databases must be rebuilt with the new makedbm
           option, -b.  To avoid overwriting the map when the databases
           are updated in the future, you may wish to alter the
           /usr/etc/yp/ypmake script:

           1. Find the definition of the hosts() function in the
              script.  In unaltered ypmakes, it starts at line 112.
           2. In the function are two invocations of makedbm which
              look like "$MAKEDBM - $MAPDIR/$MAPNAME1".
           3. In each case, insert "-b" before the "-", leaving spaces
              around the insertion: "$MAKEDBM -b - $MAPDIR..".

           The patch must be installed on slave servers or the new map
           key will not be transferred by ypxfr.

           NOTE: If this patch is installed on a 9.0 system, and the
           system is later upgraded to 9.03, the patch will be
           overwritten and will have to be reinstalled.

SR:  1653105619  5003129684  5003179986

Patch Files:  /usr/etc/ypserv
              /usr/etc/yp/makedbm
              /usr/etc/yp/ypxfr
              /etc/ypbind
              /etc/portmap
              /usr/man/man1m.Z/makedbm.1m
              /usr/man/man1m.Z/ypserv.1m
              /usr/man/man4.Z/securenets.4
              /etc/newconfig/securenets

what(1) Output:  /usr/etc/ypserv:
                 ypserv: $Revision: 1.42.109.5 $ $Date: 94/12/16 09:07:04 $
                 PATCH_9.0: ypserv.o $Revision: 1.42.109.5 $ 94/06/01 PHNE_5081
                 PATCH_9.0: ypserv_map.o $Revision: 1.26.109.5 $ 94/06/01 PHNE_5081
                 PATCH_9.0: ypsrv_proc.o $Revision: 1.27.109.3 $ 94/06/01 PHNE_5081
                 yp_cache.c: $Revision: 1.3.109.1 $ $Date: 91/11/19 14:23:30 $
                 ngethostbyname.c 1.2 92/04/08 4.1NFSSRC
                 /usr/etc/yp/makedbm:
                 makedbm: $Revision: 1.33.109.4 $ $Date: 94/12/16 09:19:12 $
                 PATCH_9.0: makedbm.o $Revision: 1.33.109.4 $ 94/06/01 PHNE_5081
                 /usr/etc/yp/ypxfr:
                 ypxfr: $Revision: 1.45.109.3 $ $Date: 94/12/16 09:19:38 $
                 PATCH_9.0: ypxfr.o $Revision: 1.45.109.3 $ 94/06/01 PHNE_5081
                 /etc/ypbind:
                 ypbind: $Revision: 1.43.109.9 $ $Date: 94/12/16 09:23:08 $
                 PATCH_9.0: ypbind.o $Revision: 1.43.109.9 $ 94/06/02 PHNE_5081
                 /etc/portmap:
                 PATCH_9.X portmap: $Revision: 1.36.109.7 $ $Date: 94/12/22 12:03:25 $ PHNE_5081
                 /usr/man/man1m.Z/makedbm.1m:
                 None
                 /usr/man/man1m.Z/ypserv.1m:
                 None
                 /usr/man/man4.Z/securenets.4:
                 None
                 /etc/newconfig/securenets:
                 None

sum(1) Output:   28756   344  /usr/etc/ypserv
                 11784    27  /usr/etc/yp/makedbm
                 28518    51  /usr/etc/yp/ypxfr
                 47969   264  /etc/ypbind
                 18798   200  /etc/portmap
                  9350     5  /usr/man/man1m.Z/makedbm.1m
                 26190     8  /usr/man/man1m.Z/ypserv.1m
                 43983     3  /usr/man/man4.Z/securenets.4
                 10373     2  /etc/newconfig/securenets

Patch Conflicts:  None

Patch Dependencies:  s300_400:  9.00 9.03:  PHCO_4853 PHNE_3690

Hardware Dependencies:  None

Other Dependencies:  None

Supersedes:  PHNE_4230

Equivalent Patches:  PHNE_3390:  s700:  9.01 9.03 9.05
                                 s800:  9.00 9.04
                     PHNE_3393:  s700:  9.01 9.03 9.05
                                 s800:  9.00 9.04
                     PHNE_4097:  s700:  9.01 9.03 9.05
                                 s800:  9.00 9.04

Patch Package Size:  510 Kbytes

Installation Instructions:
     Please review all instructions and the Hewlett-Packard
     SupportLine User Guide or your Hewlett-Packard support terms and
     conditions for precautions, scope of license, restrictions, and
     limitation of liability and warranties, before installing this
     patch.
     ------------------------------------------------------------
     1. Back up your system before installing a patch.
     2. Copy the patch to your /tmp directory and unshar it:

            cd /tmp
            cp patch_source/PHNE_5081 .
            sh PHNE_5081

     3. Become root and run update:

            /etc/update

     4. Use the cursor keys to select "Change Source or Destination ->"
        and press [Return].
     5. Select "From Tape Device to Local System ..." in the Change
        window and
     6. Change "Source: /dev/rmt/0m" to "Source: /tmp/PHNE_5081.updt"
     7. Press "Done" (f4).
     8. Follow the standard directions for update.

     Update moves the original software to /system/PHNE_5081/orig.
     Keep this file to recover from any potential problems.  You should
     move the .text file to /system/PHNE_5081 for future reference.
     To put this patch on a magnetic tape and update from the tape
     drive, use dd:

            dd if=PHNE_5081.updt of=/dev/rmt/0m bs=2048

Special Installation Instructions:
     If this patch is installed on a diskless cluster, NIS should first
     be disabled if it is running.  Then all /etc/portmap, /etc/ypbind
     and /etc/ypserv processes should be killed on all Series 300/400
     diskless systems; otherwise this patch will not install correctly.
     Another option is to halt all Series 300/400 diskless clients
     before installing this patch and reboot them after installing it.
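The source-address check that an /etc/securenets file turns on (Securenets section above), modelled over a constructed file. This is an added example, not HP's ypserv code. It assumes the SunOS-style entry forms "netmask network" and "host address" with "#" comments; the exact HP-UX syntax is in securenets(4) and should be confirmed there before the file is written.

```python
"""Model of the source-address check that an /etc/securenets file turns
on in ypserv.  Added example, not HP's ypserv code.  Assumes the
SunOS-style entry forms "<netmask> <network>" and "host <address>";
check securenets(4) on the system for the exact HP-UX syntax.
"""
import ipaddress

# Constructed sample file (not the one shipped in /etc/newconfig).
SAMPLE_SECURENETS = """\
# netmask          network
255.255.255.0      192.0.2.0        # NIS clients on the lab subnet
255.255.0.0        198.51.0.0       # slave servers
host               203.0.113.7      # one stand-alone client
"""


def parse_securenets(text):
    """Turn the file text into a list of ipaddress.IPv4Network objects.

    A malformed line raises ValueError instead of being skipped: a
    silently dropped line changes who is served without any warning.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields: {raw!r}")
        mask, addr = fields
        if mask == "host":
            nets.append(ipaddress.IPv4Network(f"{addr}/32"))
        else:
            # strict=True rejects e.g. "255.255.255.0 192.0.2.5", where the
            # network has host bits set; that is nearly always a typo.
            nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=True))
    return nets


def client_allowed(nets, client_ip):
    """ypserv semantics: serve the request only if the source address
    falls inside some listed network; otherwise the request is ignored."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in nets)


def decide(text, client_ips):
    """Map each client address to allow (True) or deny (False)."""
    nets = parse_securenets(text)
    return {ip: client_allowed(nets, ip) for ip in client_ips}


if __name__ == "__main__":
    for ip, ok in decide(SAMPLE_SECURENETS,
                         ["192.0.2.44", "198.51.200.9", "203.0.113.7",
                          "203.0.113.8", "10.0.0.1"]).items():
        print(f"{ip:16} {'allow' if ok else 'deny'}")
```

A client that matches no line is simply not answered, which from that client looks exactly like a dead server, so a too-narrow file shows up as an NIS outage rather than as an error; run the file through a check like this against the real client list before copying it into /etc.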
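The portmap behaviour after the PHNE_4230 re-registration fix and the PHNE_5081 SET/UNSET and mount/nfsd forwarding fixes (Defect Description above), modelled as an added example that is not HP's portmap source. The procedure numbers, the program numbers for NFS (100003) and MOUNT (100005) and the program/version/protocol/port tuple are the standard portmapper protocol; the Portmap class, demo() and the bind-probe used to decide whether an old registration's port is still bound are assumptions made for this illustration.

```python
"""Portmap registration policy after the fixes described in the patch:
a stale registration may be replaced once its port is no longer bound,
SET/UNSET are honoured only from the local host, GETPORT never hands
out a dead port, and CALLIT will not forward to mount/nfsd.

Added example, not HP's portmap source.  Probing liveness by trying to
bind the old port ourselves is an assumption about how the "port no
longer bound" test in the patch text can be made.
"""
import socket

PMAPPROC_SET, PMAPPROC_UNSET = 1, 2          # portmapper procedure numbers
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROGRAM, MOUNT_PROGRAM = 100003, 100005   # never forwarded via CALLIT
LOCALHOST = "127.0.0.1"


def port_is_bound(port, proto=IPPROTO_TCP):
    """True if some local process still holds the port (our bind fails).
    Binding INADDR_ANY collides with a holder bound to any local address."""
    kind = socket.SOCK_STREAM if proto == IPPROTO_TCP else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as probe:
        try:
            probe.bind(("", port))
        except OSError:
            return True
    return False


class Portmap:
    """Registration table keyed by (program, version, protocol)."""

    def __init__(self, probe=port_is_bound):
        self.table = {}
        self.probe = probe

    def set_unset(self, procedure, caller_ip, prog, vers, proto, port=0):
        """Handle SET/UNSET; returns True when honoured (the RPC bool result)."""
        if caller_ip != LOCALHOST:
            return False                     # PHNE_5081: no remote SET/UNSET
        key = (prog, vers, proto)
        if procedure == PMAPPROC_SET:
            old = self.table.get(key)
            if old is not None and self.probe(old, proto):
                return False                 # live owner keeps the mapping
            self.table[key] = port           # PHNE_4230: stale entry replaced
            return True
        if procedure == PMAPPROC_UNSET:
            return self.table.pop(key, None) is not None
        return False

    def getport(self, prog, vers, proto):
        """GETPORT: 0 means 'not registered'; a dead port is never returned."""
        port = self.table.get((prog, vers, proto), 0)
        return port if port and self.probe(port, proto) else 0


def callit_allowed(prog):
    """PMAPPROC_CALLIT forwarding policy from PHNE_5081."""
    return prog not in (NFS_PROGRAM, MOUNT_PROGRAM)


def open_listener():
    """Stand-in for a live RPC service: a listening TCP socket on a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOCALHOST, 0))
    s.listen(1)
    return s


def demo(prog=100099, vers=1):
    """Walk through the scenarios the patch text describes; returns outcomes."""
    pm, out = Portmap(), {}
    svc = open_listener()
    port1 = svc.getsockname()[1]
    out["local_set"] = pm.set_unset(PMAPPROC_SET, LOCALHOST, prog, vers, IPPROTO_TCP, port1)
    out["remote_set"] = pm.set_unset(PMAPPROC_SET, "192.0.2.9", prog, vers, IPPROTO_TCP, 2049)
    out["steal_live"] = pm.set_unset(PMAPPROC_SET, LOCALHOST, prog, vers, IPPROTO_TCP, 2049)
    out["getport_live"] = pm.getport(prog, vers, IPPROTO_TCP) == port1
    svc.close()                              # service dies without UNSET
    out["getport_dead"] = pm.getport(prog, vers, IPPROTO_TCP)
    svc2 = open_listener()                   # replacement service comes up
    port2 = svc2.getsockname()[1]
    out["reregister"] = pm.set_unset(PMAPPROC_SET, LOCALHOST, prog, vers, IPPROTO_TCP, port2)
    out["getport_new"] = pm.getport(prog, vers, IPPROTO_TCP) == port2
    out["remote_unset"] = pm.set_unset(PMAPPROC_UNSET, "192.0.2.9", prog, vers, IPPROTO_TCP)
    out["local_unset"] = pm.set_unset(PMAPPROC_UNSET, LOCALHOST, prog, vers, IPPROTO_TCP)
    svc2.close()
    out["forward_mount"] = callit_allowed(MOUNT_PROGRAM)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The bind probe is the weak point of this design: it is racy against a service that is restarting, and a probe bound to a specific address would miss a holder bound to a different one, which is why the probe here uses INADDR_ANY. The unpatched behaviour the Symptoms list describes corresponds to dropping the caller_ip test and the two probe calls.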