Patch Name: PHCO_27721

Patch Description: s700_800 11.00 login(1) cumulative patch

Creation Date: 02/08/14

Post Date: 02/09/26

Hardware Platforms - OS Releases:
    s700: 11.00
    s800: 11.00

Products: N/A

Filesets:
    OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No

Category Tags:
    defect_repair enhancement general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_27721

Symptoms:
    PHCO_27721:
    ( SR:8606239815 CR:JAGae08240 )
    When the maximum number of logins to the system allowed for
    each user is specified by the NUMBER_OF_LOGINS_ALLOWED field
    in the /etc/default/security file, users whose names are
    longer than 4 bytes are treated as the same user if the
    first 4 bytes of the user names are identical.

    PHCO_27004:
    ( SR:8606139538 CR:JAGad08841 )
    If large numbers of simultaneous login sessions are opened,
    the system could appear to hang due to the login(1)
    performance behavior.

    PHCO_25590:
    ( SR:8606222718 CR:JAGad91830 )
    Login may exit without printing an appropriate message when
    an account is expired or disabled.

    ( SR:8606224513 CR:JAGad93601 )
    Login may behave unexpectedly on large terminal inputs.

    PHCO_24083:
    ( SR:8606186198 CR:JAGad55403 )
    The TERM environment variable is not carried across the
    session on the first login after an expired password change.

    ( SR:8606189604 CR:JAGad58818 )
    Login allows certain shell users excessive freedom.

    ( SR:8606170322 CR:JAGad39586 )
    Dialup passwd prompts are not always displayed when
    appropriate.

    PHCO_19292:
    - login(1) is using stale password on NIS client
    - login(1) silently truncates HOME directory paths near
      supported limit

    PHCO_18572:
    - login does not work well when exported homedir does not
      have permission to root.
    - Sub-login feature of login(1) (using chroot) dumps core

    PHCO_16309:
    - telnet login timeout at about 1 minute.
    - login allows more than one login per user.
    - /etc/nologin feature is not implemented.
    - login without a home dir is allowed.
    - trusted tty name missing from login error message.
    - Ilogin fails to get credentials under csh.

Defect Description:
    PHCO_27721:
    ( SR:8606239815 CR:JAGae08240 )
    Login(1) only compares the first 4 bytes of the user names
    when the number of logins by each user is limited by the
    NUMBER_OF_LOGINS_ALLOWED field in the /etc/default/security
    file.

    Resolution:
    Login(1) now checks the entire user names to correctly count
    the number of logins by the same user.

    PHCO_27004:
    ( SR:8606139538 CR:JAGad08841 )
    Linear scanning of utmp entries causes unacceptable
    performance problems when large numbers of simultaneous
    login sessions are initiated.

    Resolution:
    If the C library (libc) on the system implements an
    alternative faster interface to access utmp entries, login
    will use it for performance. If the new interface is not
    found in libc, the performance as well as functionality of
    login remain unchanged.

    This is a performance enhancement of login(1). Therefore,
    this patch does not have to be installed unless the
    above-mentioned login performance problem is observed.

    PHCO_25590:
    ( SR:8606222718 CR:JAGad91830 )
    Login does not correctly handle a return code from PAM
    indicating that an account is disabled or expired.

    Resolution:
    Login now prints out an appropriate message when it receives
    the expired return code from PAM.

    ( SR:8606224513 CR:JAGad93601 )
    User input to login is not appropriately verified to ensure
    that it does not overflow an internally allocated buffer.

    Resolution:
    A check has been put into place to ensure that user input
    does not exceed the allowable size.

    PHCO_24083:
    ( SR:8606186198 CR:JAGad55403 )
    When login exec's itself after a password change, incorrect
    command line options are passed, causing the setting of the
    TERM environment variable to be lost.

    Resolution:
    Login now correctly re-exec's itself after an expired
    password change.

    ( SR:8606189604 CR:JAGad58818 )
    Login should be more stringent in which environment
    variables it allows restricted shell users to set.

    Resolution:
    Login now only allows the DISPLAY and TERM variables to be
    set by restricted shell users unless configured otherwise in
    the security configuration file.

    To change the behavior of this patch, an
    /etc/default/security file must be created if it does not
    already exist. This file should be world readable and root
    writeable. To this file, add one of the following three
    entries:

    The new default behavior corresponds to a setting of:

        RSH_SECURITY=2

    It is possible to ease the restrictions and allow the
    setting of any environment variables which are not known to
    be potentially risky. This is done by specifying:

        RSH_SECURITY=1

    Finally, for compatibility reasons, it is possible to revert
    to the old, excessively permissive behavior by specifying:

        RSH_SECURITY=0

    ( SR:8606170322 CR:JAGad39586 )
    Login presents the user an incorrect number of prompts when
    dialup passwords are in effect.

    Resolution:
    Login now displays the correct number of prompts.

    PHCO_19292:
    1. When password expired for NIS user login uses stale
       password
       Resolution: Do a forced flush of cache in yp_match() by
       dynamic relinking libnsl.1 with login and get the
       modified password.
    2. If home dir is more than 59 chars HOME dir path is
       truncated to 59 chars
       Resolution: Increase the homedir local space to
       accommodate "HOME=".

    PHCO_18572:
    1. PAM problem with login on 11.00
       Resolution: Do chdir() again after setting credentials.
    2. login dumps core when using chroot with sub-login feature
       Resolution: Do not free the PAM handler again.

    PHCO_16309:
    1. ER: telnet login timeout is not configurable.
       Resolution: Configurable using /etc/default/security file
    2. ER: the number of logins per user is not configurable.
       Resolution: Can be configured using /etc/default/security
       file
    3. ER: /etc/nologin feature is not implemented.
       Resolution: NOLOGIN can be configured using
       /etc/default/security file
    4. ER: login without a home dir is not configurable.
       Resolution: Can be configured using /etc/default/security
       file
    5. trusted tty name missing from login error message.
       Resolution: Corrected the error message.
    6. Ilogin credentials destroyed by ilogind under csh.
       Resolution: End the PAM session after the credentials are
       obtained

SR:
    5003465468 5003463232 1653297903 1653054304 5003230300
    5003325886 1653191825 1653229351 4701396499 8606186198
    5003466847 4701425710 8606189604 8606170322 8606224513
    8606222718 8606139538 8606239815

Patch Files:
    OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/bin/login

what(1) Output:
    OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/bin/login:
        $Revision: 82.16.1.16 $
        PATCH_11_00: login.o 02/08/14

cksum(1) Output:
    OS-Core.UX-CORE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    3653787228 53248 /usr/bin/login

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies:
    PHCO_27004:
    Although there are no dependencies, HP-UX 11.00 libc
    cumulative patch PHCO_25976 or later is also required to fix
    the performance problem of login.

Supersedes:
    PHCO_16309 PHCO_18572 PHCO_19292 PHCO_24083 PHCO_25590
    PHCO_27004

Equivalent Patches:
    PHCO_25526:
    s700: 11.11
    s800: 11.11

Patch Package Size: 80 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_27721

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
                  -s /tmp/PHCO_27721.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHCO_27721. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please
             be careful when using this feature.

    For future reference, the contents of the PHCO_27721.text
    file are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHCO_27721.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_27721.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
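
Added example (not HP's login source and not part of the original patch text): the PHCO_27721 defect, a 4-byte user name comparison when enforcing NUMBER_OF_LOGINS_ALLOWED, shown beside a full comparison bounded by the width of the name field. The session table, the field width of 8, the limit of 2 and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define UT_NAMESIZE 8  /* assumed width of the fixed-size user name field */

/* Constructed stand-in for utmp records: the name field is fixed width and
 * is NOT NUL-terminated when the name fills it (see "dbadmin1"). */
struct session { char user[UT_NAMESIZE]; };

static const struct session sessions[] = {
    { "dbadmin" }, { "dbadm01" }, { "dbadm02" },
    { {'d','b','a','d','m','i','n','1'} }, { "root" },
};
#define NSESS (sizeof sessions / sizeof sessions[0])

/* Pre-patch behaviour as the text describes it: only 4 bytes are compared,
 * so every name sharing the prefix "dbad" counts as the same user. */
static int count_logins_prefix4(const char *user) {
    int n = 0;
    for (size_t i = 0; i < NSESS; i++)
        if (strncmp(sessions[i].user, user, 4) == 0) n++;
    return n;
}

/* Post-patch behaviour: compare the entire name. The bound is the field
 * width, so an unterminated 8-byte name is never read past its end. */
static int count_logins_full(const char *user) {
    int n = 0;
    for (size_t i = 0; i < NSESS; i++)
        if (strncmp(sessions[i].user, user, UT_NAMESIZE) == 0) n++;
    return n;
}

/* Returns 1 when another login is permitted under the per-user limit. */
static int login_allowed(int (*count)(const char *), const char *user, int limit) {
    return count(user) < limit;
}

int main(void) {
    const int limit = 2;  /* constructed NUMBER_OF_LOGINS_ALLOWED value */
    printf("prefix4: dbadmin has %d sessions, allowed=%d\n",
           count_logins_prefix4("dbadmin"),
           login_allowed(count_logins_prefix4, "dbadmin", limit));
    printf("full:    dbadmin has %d sessions, allowed=%d\n",
           count_logins_full("dbadmin"),
           login_allowed(count_logins_full, "dbadmin", limit));
    return 0;
}
```

With the 4-byte comparison, sessions belonging to three other accounts are charged against dbadmin and its next login is refused; with the full comparison only its own session counts.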