Patch Name: PHCO_25893

Patch Description: s700_800 11.04 (VVOS) login(1) cumulative patch

Creation Date: 01/12/07

Post Date: 01/12/17

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: N/A

Filesets:
    OS-Core.UX-CORE,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No

Category Tags:
    defect_repair general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_25893

Symptoms:
    PHCO_25893:
    Ported HP-UX patch PHCO_25590 to VVOS

    Based on HP-UX patch PHCO_25590:
    ( SR:8606222718 CR:JAGad91830 )
    Login may exit without printing an appropriate message
    when an account is expired or disabled.

    ( SR:8606224513 CR:JAGad93601 )
    Login may behave unexpectedly on large terminal inputs.

    PHCO_24418:
    Ported HP-UX patch PHCO_24083 to VVOS

    Based on HP-UX patch PHCO_24083:
    ( SR:8606186198 CR:JAGad55403 )
    The TERM environment variable is not carried across the
    session on the first login after an expired password
    change.

    ( SR:8606189604 CR:JAGad58818 )
    Login allows certain shell users excessive freedom.

    ( SR:8606170322 CR:JAGad39586 )
    Dialup passwd prompts are not always displayed when
    appropriate.

    Based on HP-UX patch PHCO_19292:
    - login(1) is using stale password on NIS client
    - login(1) silently truncates HOME directory paths near
      supported limit

    Based on HP-UX patch PHCO_18572:
    - login does not work well when exported homedir does not
      have permission to root.
    - Sub-login feature of login(1) (using chroot) dumps core

    Based on HP-UX patch PHCO_16309:
    - telnet login timeout at about 1 minute.
    - login allows more than one login per user.
    - /etc/nologin feature is not implemented.
    - login without a home dir is allowed.
    - trusted tty name missing from login error message.
    - Ilogin fails to get credentials under csh.

Defect Description:
    PHCO_25893:
    Ported HP-UX patch PHCO_25590 to VVOS

    Based on HP-UX patch PHCO_25590:
    ( SR:8606222718 CR:JAGad91830 )
    Login does not correctly handle a return code from PAM
    indicating that an account is disabled or expired.

    Resolution:
    Login now prints out an appropriate message when it
    receives the expired return code from PAM.

    ( SR:8606224513 CR:JAGad93601 )
    User input to login is not appropriately verified to
    ensure that it does not overflow an internally allocated
    buffer.

    Resolution:
    A check has been put into place to ensure that user input
    does not exceed the allowable size.

    PHCO_24418:
    Ported HP-UX patch PHCO_24083 to VVOS

    Based on HP-UX patch PHCO_24083:
    ( SR:8606186198 CR:JAGad55403 )
    When login exec's itself after a password change,
    incorrect command line options are passed, causing the
    setting of the TERM environment variable to be lost.

    Resolution:
    Login now correctly re-exec's itself after an expired
    password change.

    ( SR:8606189604 CR:JAGad58818 )
    Login should be more stringent in which environment
    variables it allows restricted shell users to set.

    Resolution:
    Login now only allows the DISPLAY and TERM variables to be
    set by restricted shell users unless configured otherwise
    in the security configuration file.

    To change the behavior of this patch, an
    /etc/default/security file must be created if it does not
    already exist. This file should be world readable and root
    writeable. To this file, add one of the following three
    entries:

    The new default behavior corresponds to a setting of:
        RSH_SECURITY=2

    It is possible to ease the restrictions and allow the
    setting of any environment variables which are not known
    to be potentially risky. This is done by specifying:
        RSH_SECURITY=1

    Finally, for compatibility reasons, it is possible to
    revert to the old, excessively permissive behavior by
    specifying:
        RSH_SECURITY=0

    ( SR:8606170322 CR:JAGad39586 )
    Login presents the user an incorrect number of prompts
    when dialup passwords are in effect.

    Resolution:
    Login now displays the correct number of prompts.

    Based on HP-UX patch PHCO_19292:
    1. When password expired for NIS user login uses stale
       password
       Resolution: Do a forced flush of cache in yp_match() by
       dynamic relinking libnsl.1 with login and get the
       modified password.
    2. If home dir is more than 59 chars HOME dir path is
       truncated to 59 chars
       Resolution: Increase the homedir local space to
       accommodate "HOME=".

    Based on HP-UX patch PHCO_18572:
    1. PAM problem with login on 11.00
       Resolution: Do chdir() again after setting credentials.
    2. login dumps core when using chroot with sub-login
       feature
       Resolution: Do not free the PAM handler again.

    Based on HP-UX patch PHCO_16309:
    1. ER: telnet login timeout is not configurable.
       Resolution: Configurable using /etc/default/security
       file
    2. ER: the number of logins per user is not configurable.
       Resolution: Can be configured using
       /etc/default/security file
    3. ER: /etc/nologin feature is not implemented.
       Resolution: NOLOGIN can be configured using
       /etc/default/security file
    4. ER: login without a home dir is not configurable.
       Resolution: Can be configured using
       /etc/default/security file
    5. trusted tty name missing from login error message.
       Resolution: Corrected the error message.
    6. Ilogin credentials destroyed by ilogind under csh.
       Resolution: End the PAM session after the credentials
       are obtained

SR:
    5003465468 5003463232 1653297903 1653054304 5003230300
    5003325886 1653191825 1653229351 4701396499 8606186198
    5003466847 4701425710 8606189604 8606170322 8606224513
    8606222718

Patch Files:
    OS-Core.UX-CORE,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
    /usr/bin/login

what(1) Output:
    OS-Core.UX-CORE,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
    /usr/bin/login:
        $Revision: Hewlett-Packard ISSL Level vvos_rose42 $
        $Header: Hewlett-Packard ISSL Release vvos_rose $
        $Date: Wed Dec 12 16:47:16 EST 2001 $
        $Revision: 82.16.1.9 $
        $Source: cmd/login.c, hpuxcmdcntl, vvos_rose, rose02 60 $
        $Date: 01/12/11 11:27:54 $
        $Revision: 1.21.1.12 PATCH_11.04 (PHCO_25893) $

cksum(1) Output:
    OS-Core.UX-CORE,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
    2610959930 53248 /usr/bin/login

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_24418

Equivalent Patches:
    PHCO_22590:
    s700: 11.00
    s800: 11.00

    PHCO_25526:
    s700: 11.11
    s800: 11.11

Patch Package Size: 80 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support
    terms and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_25893

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHCO_25893.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHCO_25893.
    If you do not wish to retain a copy of the original
    software, use the patch_save_files option:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -x patch_save_files=false -s /tmp/PHCO_25893.depot

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled.
             Please be careful when using this feature.

    For future reference, the contents of the PHCO_25893.text
    file are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHCO_25893.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_25893.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
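
An added example, not part of the HP patch text: a POSIX sh audit of the /etc/default/security settings described under SR:8606189604, reporting the effective RSH_SECURITY level and checking the file mode. The function names are hypothetical, and both the "last uncommented entry wins" parsing and the refusal of group/other write bits are assumptions of this example, not documented login(1) behavior.

```shell
#!/bin/sh
# Added example, not HP code. The file path and RSH_SECURITY values come from
# the patch text; the function names are hypothetical.
# Usage: audit_security_file /etc/default/security

# Echo the effective RSH_SECURITY level for file $1.
# Per the patch text, a missing file or missing entry means the default, 2.
# Assumption: the last exact RSH_SECURITY=<0|1|2> line is the effective one.
rsh_security_level() {
    level=2
    if [ -r "$1" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                RSH_SECURITY=0|RSH_SECURITY=1|RSH_SECURITY=2)
                    level=${line#RSH_SECURITY=} ;;
            esac
        done < "$1"
    fi
    echo "$level"
}

# Return 0 if $1 is a regular file that is owner-writable and world-readable
# (as the patch text requires) and not writable by group or other (stricter
# reading, an assumption of this example). Ownership is not checked here.
security_file_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | awk '{print $1}')
    case "$mode" in
        -rw?r-?r-?*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print findings for file $1; return 1 if anything needs attention
# (bad file mode, or the permissive compatibility level 0).
audit_security_file() {
    rc=0
    if [ -e "$1" ] && ! security_file_mode_ok "$1"; then
        echo "WARN: $1 must be world-readable and writable by its owner only"
        rc=1
    fi
    case "$(rsh_security_level "$1")" in
        2) echo "OK: RSH_SECURITY=2 (only DISPLAY and TERM may be set)" ;;
        1) echo "NOTE: RSH_SECURITY=1 (restrictions eased)" ;;
        0) echo "WARN: RSH_SECURITY=0 (old permissive behavior)"; rc=1 ;;
    esac
    return $rc
}
```
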