Patch Name: PHSS_26553

Patch Description: s700_800 11.04 VirtualVault 4.0 auth cumulative(March 2002)

Creation Date: 02/03/08

Post Date: 02/04/11

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products:
    VirtualVault A.04.00

Filesets:
    VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP
    VaultTS.VVOS-ADM-RUN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP
    VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: No

Category Tags:
    defect_repair general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_26553

Symptoms:
    PHSS_26553:
    Inside NES server fails to start after installing PHNE_25937.

    PHSS_24604:
    1) The mkacct program does not allow the creation of a user
       with a null privilege list.
    2) The mkacct program allows the creation of a user whose
       base privileges are not a subset of the kernel
       authorizations.

    PHSS_24169:
    1) VirtualVault does not have any command or GUI utility
       available to select or assign an account's privileges.
       This means that using the mkacct command there is no
       option to set the u_syspriv and u_basepriv fields of the
       prpwd file.
    2) The mkacct program produces unexpected output under
       certain conditions.

    PHSS_23855:
    1) VirtualVault account administration supports password
       aging and other strong password controls, but there is no
       means to administer it. There are also other strong login
       and password controls like time of day restrictions
       supported on the underlying OS, but not by the
       VirtualVault.
    2) VirtualVault administrator accounts cannot be created with
       a name containing an underscore character.

    PHSS_23740:
    1) A user is not forced to reset his password after another
       user administratively changes it.
    2) There is no way to set password triviality checks via the
       HTTP VirtualVault Administration Interface.

    PHSS_20592:
    1) Basic authentication failed in server with multiple
       processors.
    2) The user is able to correctly log on the console, using
       his correct password, but not able to authenticate to the
       inside administration interface using that same
       username/password pair.

Defect Description:
    PHSS_26553:
    Inside NES server fails with an error due to unresolved
    symbol (inet_ntoa_r) in libvvauth.so.

    Resolution:
    The libvvauth has been modified to resolve the symbol.

    PHSS_24604:
    1) The mkacct program allows the creation of a user with a
       list of base privileges and kernel authorizations. The
       program, however, does not allow the creation of a user
       with a null privilege list.
    2) The base privileges of a user should be a subset of the
       kernel authorizations available to the user. But the
       mkacct program allows the creation of a user whose base
       privilege is not a subset of the kernel authorizations.

    Resolution:
    1) The mkacct program has been modified to allow the creation
       of a user with a null privilege list.
    2) A check has been added to the mkacct program to ensure
       that the base privileges of the user created are a subset
       of the kernel authorizations.

    PHSS_24169:
    1) The mkacct command does not provide any method to set the
       u_syspriv and u_basepriv fields of the prpwd file. So, any
       new user who gets created will always receive the default
       privileges from the system default file. The only method
       that is available now to change this is to edit the prpwd
       file of the newly created account.
    2) The function handling the -h option was not allocating
       enough memory to hold the path string.

    Resolution:
    1) Two new options -k and -b have been added to the mkacct
       command. The account administrator will now have an option
       of specifying the kernel authorizations and base
       privileges for the newly created account.
    2) The checkhome() function will now allocate the right
       amount of memory required to hold the path.

    PHSS_23855:
    1) The underlying OS support for these features was never
       enabled in the VirtualVault Administration interface.
    2) The login name checking code was incorrectly disallowing
       names that contained a '_' character within them (like
       "vv_adm").

    Resolution:
    1) All strong password and login controls supported by the
       underlying VirtualVault operating system will now be
       enforced by the application layer. They will also be
       configurable from the administration interface.
    2) The legal_login() function will now accept '_' as a valid
       character for login names.

    PHSS_23740:
    The underlying OS support for these features was never
    enabled in the VirtualVault administration interface.

    Resolution:
    1) After creating a new user via vaultconfig or the "Create
       Account" interface, or after changing the password of
       another user via the "Modify Account" interface, the real
       user will be forced to reset his password on first login
       to the VirtualVault administration interface.
    2) The "Modify Account Defaults" screen will now be used to
       manipulate whether password triviality checks are enforced
       on a systemwide basis.

    PHSS_20592:
    On a multiprocessor system, if a user has a password longer
    than eight characters, basic authentication to the inside
    administrative interface will fail.

    Resolution:
    The fix is to add a critical region around the call to
    bigcrypt() and the use of the pointer to the static buffer
    that it returns.
    The affected files are init.c (to initialize the critical
    region) and auth.c (to use it)

SR:
    8606245961 8606112716 8606186941 8606195040 8606201073
    8606204402 8606207013

Patch Files:
    VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /etc/auth/system/files.fcdb/25.patches/23855_PHSS.fcdb
    /opt/vaultTS/lib/libvvauth.so

    VaultTS.VVOS-ADM-RUN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /sbin/mkacct

    VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /var/opt/vaultTS/inside/vault/bin/acc-moddefs
    /var/opt/vaultTS/inside/vault/bin/acc-modpass
    /var/opt/vaultTS/inside/vault/bin/acc-moduser
    /var/opt/vaultTS/inside/vault/bin/acc-newuser
    /var/opt/vaultTS/inside/vault/bin/acc-query
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-locked.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-moddefs.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-modpass.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-moduser.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-query.html
    /var/opt/vaultTS/inside/vault/loc/C/include/acc-userattr.html
    /usr/lib/nls/msg/C/vvts-admin.cat
    /opt/vaultTS/lib/vaultconfig/functions/validUserName

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_23740 PHSS_20592 PHSS_23855 PHSS_24169 PHSS_24604

Equivalent Patches: None

Patch Package Size: 780 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_26553

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHSS_26553.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_26553. If you do not wish to retain a
    copy of the original software, use the patch_save_files
    option:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -x patch_save_files=false -s /tmp/PHSS_26553.depot

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please
             be careful when using this feature.

    For future reference, the contents of the PHSS_26553.text
    file is available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHSS_26553.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_26553.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    This patch installs the actual code required to implement the
    changes described herein. Please also obtain and install
    patch PHSS_23806 or its successor in order to update the
    electronic version of the VirtualVault Administrator's Guide
    where the functionality of creating a user or changing his
    password has changed.

    The VirtualVault administration server and any outside web
    servers will be restarted due to the patch's automatic reboot
    requirement.
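
Added illustration of the PHSS_20592 resolution above; it is not HP's code and not part of the original patch text. toy_crypt() is a hypothetical stand-in for bigcrypt(), and the overlap of two requests is replayed sequentially so the outcome is deterministic. It shows why the critical region has to cover both the call and the use of the returned static-buffer pointer.

```c
/* Added example; toy_crypt() is a hypothetical stand-in for bigcrypt(). */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define HLEN 10 /* 2 salt characters + 8 hex digits */

/* Like bigcrypt(): the result lives in one static buffer shared by all callers. */
static char *toy_crypt(const char *pw, const char *salt) {
    static char out[HLEN + 1];
    unsigned h = 5381u * 33u + (unsigned char)salt[0];
    h = h * 33u + (unsigned char)salt[1];
    for (; *pw; pw++)
        h = h * 33u + (unsigned char)*pw;
    snprintf(out, sizeof out, "%c%c%08x", salt[0], salt[1], h);
    return out;
}

static pthread_mutex_t crypt_lock = PTHREAD_MUTEX_INITIALIZER;

/* Critical region: covers the call and the copy out of the static buffer. */
void crypt_guarded(const char *pw, const char *salt, char dst[HLEN + 1]) {
    pthread_mutex_lock(&crypt_lock);
    memcpy(dst, toy_crypt(pw, salt), HLEN + 1);
    pthread_mutex_unlock(&crypt_lock);
}

/* Unguarded: request A still holds the pointer when request B hashes. */
int check_unguarded(const char *stored, const char *pw, const char *other_pw) {
    const char *mine = toy_crypt(pw, stored); /* request A */
    toy_crypt(other_pw, "zz");                /* request B reuses the buffer */
    return strcmp(mine, stored) == 0;
}

/* Guarded: A compares its private copy, so B's call cannot disturb it. */
int check_guarded(const char *stored, const char *pw, const char *other_pw) {
    char mine[HLEN + 1], theirs[HLEN + 1];
    crypt_guarded(pw, stored, mine);
    crypt_guarded(other_pw, "zz", theirs);
    return strcmp(mine, stored) == 0;
}

int main(void) {
    char stored[HLEN + 1]; /* constructed account entry */
    crypt_guarded("longer-than-eight", "ab", stored);
    printf("unguarded=%d guarded=%d\n",
           check_unguarded(stored, "longer-than-eight", "other-pw"),
           check_guarded(stored, "longer-than-eight", "other-pw"));
    return 0;
}
```

In the unguarded path the correct password is rejected because the comparison reads the other request's result, which matches the symptom of a valid console password failing against the inside administration interface.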