Patch Name: PHSS_28388

Patch Description: s700_800 11.11 HP DCE/9000 1.8 Integrated Login cum. patch

Creation Date: 03/02/13

Post Date: 03/04/15

Hardware Platforms - OS Releases:
    s700: 11.11
    s800: 11.11

Products: N/A

Filesets:
    IntegratedLogin.ILOGIN-COMMON,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
    IntegratedLogin.ILOGIN-DCE,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical:
    Yes
    PHSS_28388: ABORT

Category Tags:
    defect_repair general_release critical halts_system

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_28388

Symptoms:
    PHSS_28388:
    1.  JAGad37693
        In the integrated login environment, a user login session
        responds abnormally when the user is in the /etc/passwd
        file and not in the DCE registry.

    2.  JAGad15130
        The ilogind process is killed and the following error
        message is displayed:
        "Assertion failed: found_present == 1 message"

    3.  JAGad28191, JAGad50733, JAGad69252
        ilogind dumps core when the "runacct" and "quotacheck"
        commands are executed. The following error message is
        logged to the log file:
        "ilogind: Out of memory"

    4.  JAGad57471, JAGad63490
        The "passwd" command will destroy valid user credentials
        if interrupted with Ctrl-C.

    5.  JAGad11213
        When a user changes the password using the "passwd"
        command, no error is reported if the new password fails
        syntax validation.

    6.  JAGad38926
        Some files from the IntegratedLogin product are not
        deleted from the system after the OS has been upgraded
        from 10.20 to 11.11. These files have a .auth suffix and
        are not replaced by any command on an 11.11 system.

    7.  JAGad68492, JAGad68665
        An attempt to change the password for users listed in the
        /etc/opt/dce/password_override file does not work and at
        times dumps core with an assertion failure.

    8.  JAGad96021
        setpag() does not work with the libdce library.

    9.  JAGae02578
        Bogus error messages are displayed when forwarding DCE
        credentials.

    10. JAGae02045
        The rlogin -F command does not work with the SIS and
        Ilogin combination.

    11. JAGae38989
        The ilogind daemon dumps core during login if the user
        entry is available only in the password override file.

Defect Description:
    PHSS_28388:
    1.  JAGad37693
        When the "id" command is invoked with a user account that
        does not exist in the DCE registry, but exists in the
        /etc/passwd file, the user login session will hang. This
        happens because the variable "result" in the getgrbymem()
        routine is not set to FAILURE when ilogind returns an
        error.

        Resolution:
        When an error is returned from ilogind, the result
        variable is correctly set to FAILURE.

    2.  JAGad15130
        ilogind exits with an assertion failure because it tries
        to free a login context from the cache that it is not
        able to access.

        Resolution:
        The code has been modified to avoid forced freeing of a
        cache item, which resolves the assertion failure.

    3.  JAGad28191, JAGad50733, JAGad69252
        ilogind receives a SIGSEGV signal and exits when handling
        information of a group that has a large number of
        members. This problem was experienced because the total
        memory allocated to store group information was 10K.
        With the fix of JAGad28191, ilogind ends up with a large
        number of cache entries if there are many users, and
        eventually ilogind reaches maxdsiz and dumps core.

        Resolution:
        Instead of allocating memory for all the members, the
        members are returned only up to the static size. This
        applies to getgrid/getgrnam calls. When a getgrent()
        request is received, members up to the maximum size are
        returned in each call. In the subsequent calls, all the
        members are retrieved by maintaining a DCE registry
        cursor. This is a generic solution which solves memory
        related issues. Also, a new environment variable,
        ILOGIND_CACHE_LIMIT, has been added to fix the cache
        problem. The default value of this variable is 256.

    4.  JAGad57471, JAGad63490
        The "passwd" command establishes communication with the
        ilogin daemon with the login context. If the "passwd"
        command ends abruptly, then ilogind would clean up the
        credentials.

        Resolution:
        The code which handles the login context purge has been
        removed for cases where a private socket between ilogind
        and PAM DCE is left dangling.

    5.  JAGad11213
        ilogind returned a generic error status,
        DCE_STATUS_ERROR, for all types of errors.

        Resolution:
        The problem is fixed with an additional error condition
        being checked. Also, the zero length verifier password
        has been fixed and appropriate error messages are
        displayed.

    6.  JAGad38926
        Some files from the IntegratedLogin product are not
        deleted after an OS update from 10.20 to 11.11, as no
        preinstall/postinstall script was written to remove
        these files.

        Resolution:
        The postinstall script has been modified to remove these
        files.

    7.  JAGad68492, JAGad68665
        For users listed in the /etc/opt/dce/password_override
        file, there was no mechanism available to update their
        passwords. Also, for these users a valid network
        credential was not created. In the case of root, one
        would obtain the machine credentials, but this would
        still cause a failure. In the case of other users, they
        would not obtain any credentials.

        Resolution:
        The code has been modified to support changing the
        password in the override file.

    8.  JAGad96021
        11.11 DCE PAM uses the setpag/resetpag calls, which need
        to resolve to actual kernel calls in case of DFS. So far
        these functions were being resolved to dummy functions
        which return 0.

        Resolution:
        The DCE PAM makefile has been changed to remove the
        references to these dummy routines. The libpam_dce.1
        library is already linked with libdce, and libdce will
        resolve setpag/resetpag to actual/dummy routines
        appropriately.

    9.  JAGae02578
        In case of overridden users, an error message "Unable to
        obtain DCE credentials" was displayed despite successful
        logins. However, in case of root (UID=0) this message is
        inappropriate as the root user inherits the default host
        credentials (dcecred_ffffffff).

        Resolution:
        A change was made in pam_sm_authenticate() to check for
        UID=0 to determine whether the user is the super-user.
        Also, the error message is not displayed for other users
        if KRB5CCNAME is set.

    10. JAGae02045
        With Ilogin configured, rlogin -F fails with SIS enabled.
        '*' is put in the password field by DCE when getpw* calls
        are made. Since '*' is treated as an "invalid" account,
        rlogin fails.

        Resolution:
        Instead of '*', DCE now places 'D' in the password field.
        This is fixed in ilogind and the password_export program.

    11. JAGae38989
        The gidarray pointer, which holds the group entries of a
        particular user, is not allocated if this user is not
        present in the DCE registry. Freeing this uninitialized
        pointer causes the ilogin daemon (ilogind) to dump core.

        Resolution:
        The gidarray pointer is now initialized to NULL. When no
        gidarray is allocated for the user, the pointer remains
        NULL and no deallocation takes place.

Enhancement: No

SR:
    8606168412 8606158862 8606145794 8606200068 8606194280
    8606141859 8606188263 8606181517 8606199304 8606199479
    8606226958 8606233354 8606232817 8606169652 8606274912

Patch Files:
    IntegratedLogin.ILOGIN-COMMON,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/sbin/auth.adm
        /usr/share/man/man1m.Z/auth.adm.1m

    IntegratedLogin.ILOGIN-DCE,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /opt/dce/sbin/ilogind
        /usr/lib/libnss_dce.1
        /usr/lib/security/libpam_dce.1
        /usr/sbin/auth.adm.dce
        /opt/dce/newconfig/RelNotes/ILoginRelNote.text
        /usr/share/man/man1m.Z/ilogind.1m
        /usr/share/man/man5.Z/pam_dce.5
        /usr/lib/nls/msg/C/pam_dce.cat

what(1) Output:
    IntegratedLogin.ILOGIN-COMMON,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/sbin/auth.adm:
            None
        /usr/share/man/man1m.Z/auth.adm.1m:
            None

    IntegratedLogin.ILOGIN-DCE,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /opt/dce/sbin/ilogind:
            HP92453-02A.11.00 HP-UX SYMBOLIC DEBUGGER (END.O ILP 32) $Revision: 75.02 $
            HP DCE/9000 1.8 PHSS_28386-88 Module: ilogind Date: Jan 7 2003 23:12:43
        /usr/lib/libnss_dce.1:
            HP DCE/9000 1.8 PHSS_28386-88 Module: libnss_dce.1 Date: Jan 7 2003 23:03:37
        /usr/lib/security/libpam_dce.1:
            HP DCE/9000 1.8 PHSS_28386-88 Module: libpam_dce.1 Date: Jan 7 2003 23:03:41
            $RCSfile: environment.c,v $ $Revision: /main/HPDCE02 /HPDCE_64/1 $ (OSF) $Date: 1997/11/06 19:44 UTC $
        /usr/sbin/auth.adm.dce:
            None
        /opt/dce/newconfig/RelNotes/ILoginRelNote.text:
            None
        /usr/share/man/man1m.Z/ilogind.1m:
            None
        /usr/share/man/man5.Z/pam_dce.5:
            None
        /usr/lib/nls/msg/C/pam_dce.cat:
            None

cksum(1) Output:
    IntegratedLogin.ILOGIN-COMMON,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        823304312 43049 /usr/sbin/auth.adm
        3869798760 3986 /usr/share/man/man1m.Z/auth.adm.1m

    IntegratedLogin.ILOGIN-DCE,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        761615663 73728 /opt/dce/sbin/ilogind
        1938787774 40960 /usr/lib/libnss_dce.1
        3281020218 57344 /usr/lib/security/libpam_dce.1
        745265640 33402 /usr/sbin/auth.adm.dce
        1045998319 2653 /opt/dce/newconfig/RelNotes/ILoginRelNote.text
        4053829653 1744 /usr/share/man/man1m.Z/ilogind.1m
        1844378450 2612 /usr/share/man/man5.Z/pam_dce.5
        2349741239 1303 /usr/lib/nls/msg/C/pam_dce.cat

Patch Conflicts: None

Patch Dependencies:
    s700: 11.11: PHSS_28386
    s800: 11.11: PHSS_28386

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches: None

Patch Package Size: 300 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_28388

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHSS_28388.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_28388. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please
             be careful when using this feature.

    For future reference, the contents of the PHSS_28388.text
    file are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHSS_28388.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_28388.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    For this patch to take effect, stop and start all DCE daemons
    and application processes, or reboot the machine, after the
    patch is installed.
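
Checking installed files against the cksum(1) Output list above, as an added example that is not part of the HP patch text: `verify_manifest` and `demo` are hypothetical names, the manifest is assumed to be that section saved to a file, and the demo data is constructed. cksum is a CRC, so a match shows the patched files landed intact; it is not evidence against deliberate tampering.

```sh
#!/bin/sh
# Added example (not HP tooling). Manifest lines look like the cksum(1)
# Output section: "<crc> <size> <absolute path>".

# verify_manifest MANIFEST [ROOT]  (hypothetical helper name)
# Prints one status line per entry; returns 0 only if every entry matches.
verify_manifest() {
    manifest=$1
    root=${2:-}                 # optional prefix, e.g. a mounted system image
    bad=0
    while read -r want_crc want_size path; do
        # Skip blank lines and fileset headers: their first field is not a number.
        case $want_crc in
            ''|*[!0-9]*) continue ;;
        esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        # Reading from stdin makes cksum print only "<crc> <size>".
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $1 $2, want $want_crc $want_size)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demo data: one matching entry, one wrong CRC, one absent file.
demo() {
    dir=${TMPDIR:-/tmp}/cksum_demo.$$
    mkdir "$dir" || return 2
    printf '123456789' > "$dir/good"
    printf 'changed' > "$dir/changed"
    {
        echo "Constructed.FILESET,fr=B.0,v=demo:"
        echo "$(cksum < "$dir/good") /good"
        echo "1 7 /changed"
        echo "0 0 /absent"
    } > "$dir/manifest"
    verify_manifest "$dir/manifest" "$dir"; rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "demo: at least one entry failed, as constructed"
```

On a patched system the call would be `verify_manifest /tmp/PHSS_28388.cksum`, where that file name is a placeholder for the saved cksum(1) Output section.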