SUN MICROSYSTEMS SECURITY BULLETIN: #00102

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------

These patches are available through your local Sun answer centers
worldwide, as well as through anonymous ftp to ftp.uu.net in the
~ftp/sun-dist directory.

Please refer to the BugID and PatchID when requesting patches from Sun
answer centers.

NO README information will be posted in the patch on UUNET. Please refer
to the information below for patch installation instructions.
---------------------------------------------------------------------------

Sun Bug ID   : 1040465 1044204 1040334 1047131 1049585
Synopsis     : rpc.pwdauthd can be used to gain remote system knowledge
Sun Patch ID : 100201-01
Available for: sun3, sun4  SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1
Checksum of compressed tarfile on uunet: 100201-01.tar.Z = 07797 118
---------------------------------------------------------------------------

README information follows:

Patch-ID# 100201-01
Keywords: login rpc.yppasswdd rpc.pwdauthd
Synopsis: SunOS 4.1, SunOS 4.1_PSR_A 4.1.1: c2 jumbo patch
Date: 15/Jan/91

SunOS release: 4.1 4.1_PSR_A 4.1.1

Unbundled Product:

Unbundled Release:

Topic:

BugIDs fixed for this patch: 1040465 1044204 1040334 1047131 1049585

Architectures for which this patch is available: sun3(x), sun4(c,490,390)

Patches which may conflict with this patch: 100138-02

This patch obsoletes patch 100138-02

Obsoleted by: Sys_V_Rel4

Problem Description:

This patch contains the bug fixes to four bugs that were reported
in relation to C2 security.

login contains the bug fix related to password aging.
The bug is due to the fact that the utility in libc that is used to
read and parse passwd.adjunct does not parse the age field correctly.
It always returns an empty field. login uses this utility to get the
age field and does nothing with it. Therefore password aging is
disabled. passwd does not have this problem because it reads and parses
passwd.adjunct itself and uses the actual age field.

rpc.pwdauthd contains the bug fix related to not being able to disable
remote use of the daemon. It also allows the daemon to generate audit
records using its own pseudo-user.

rpc.yppasswdd contains the fix for the daemon mysteriously dying.
It also allows the daemon to generate audit records using its own
pseudo-user.

Modified binaries:

    /bin/login
    /usr/etc/rpc.pwdauthd
    /usr/etc/rpc.yppasswdd

INSTALL:

=============================================================================
If NIS is being run, the new binaries need to be installed on all machines
in the domain. Additionally, yppasswdd needs to be started in /etc/rc.local.
Edit /etc/rc.local and add the following lines after the ypbind
startup statements:

# This starts the yppasswdd daemon and tells it to look for the passwd.adjunct file
rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m
=============================================================================

Generically for all systems:

***************************************************************************
The following pseudo-users must be added to /etc/passwd and
/etc/security/passwd.adjunct before changing any binaries.
This is so the auditing of rpc.pwdauthd and rpc.yppasswdd can occur.

/etc/passwd additions:

AUpwdauthd:##AUpwdauthd:10:10:::
AUyppasswdd:##AUyppasswdd:11:10:::

/etc/security/passwd.adjunct additions:

AUpwdauthd:*:::::
AUyppasswdd:*:::::
***************************************************************************

As root:

First save the FCS distribution versions as a precaution:

    # cp /bin/login /bin/login.orig
    # cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.orig
    # cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.orig

It is critical that the following steps be completed in single-user
mode, so that the rpc.pwdauthd and rpc.yppasswdd daemons are both
disabled while the new versions are installed.

    # shutdown now

The new version of the binaries can now be installed. The 4.1 and
4.1.1 versions are identical except for the library version they are
expecting to dynamically link to. Substitute either sun3 or sun4 for
{arch} and either 4.1 or 4.1.1 for {OS rev}.

    # cp {arch}/{OS rev}/login /bin/login
    # chown root /bin/login
    # chmod 4755 /bin/login
    # chgrp staff /bin/login

    # cp {arch}/{OS rev}/rpc.pwdauthd /usr/etc/rpc.pwdauthd
    # chown root /usr/etc/rpc.pwdauthd
    # chgrp staff /usr/etc/rpc.pwdauthd
    # chmod 755 /usr/etc/rpc.pwdauthd

    # cp {arch}/{OS rev}/rpc.yppasswdd /usr/etc/rpc.yppasswdd
    # chown root /usr/etc/rpc.yppasswdd
    # chgrp staff /usr/etc/rpc.yppasswdd
    # chmod 755 /usr/etc/rpc.yppasswdd

Double check the permissions of the new files. If the permissions are
set wrong, or the wrong architecture type is installed, login will not
be able to occur except in single-user mode (boot -s).

Note that the example below does not show the size of the binary, as
the sun3 and sun4 versions are different sizes. Doing a "file /bin/login"
should tell you that it is a:

    mc68020 demand paged dynamically linked executable not stripped

on a sun3, and a:

    sparc demand paged set-uid executable not stripped

on a sun4.

    # ls -lg /bin/login
    -rwsr-xr-x  1 root     staff
    # ls -lg /usr/etc/rpc.pwdauthd
    -rwxr-xr-x  1 root     staff
    # ls -lg /usr/etc/rpc.yppasswdd
    -rwxr-xr-x  1 root     staff

Now you can either give a ^D (control D) from single-user mode or
reboot the machine.

This finishes the installation.

Brad Powell
Sun Microsystems
Software Security Coordinator.
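
The script below is an added example, not part of Sun's bulletin or patch. It checks that the four pseudo-user entries exist before any binary is replaced, and afterwards that the three binaries carry the modes and ownership shown in the ls -lg listing. The function names and the PASSWD/ADJUNCT override variables are assumptions of this example, and it assumes a POSIX shell with grep -F and awk.

```shell
#!/bin/sh
# Added example, not part of the bulletin. PASSWD/ADJUNCT are overridable.
PASSWD=${PASSWD:-/etc/passwd}
ADJUNCT=${ADJUNCT:-/etc/security/passwd.adjunct}

# has_line FILE LINE: succeed if FILE holds LINE exactly. -F keeps the "*"
# password field of passwd.adjunct from being read as a pattern.
has_line() { grep -Fx -- "$2" "$1" >/dev/null 2>&1; }

# check_pseudo_users: name each missing entry; return how many are missing.
check_pseudo_users() {
    missing=0
    for entry in 'AUpwdauthd:##AUpwdauthd:10:10:::' \
                 'AUyppasswdd:##AUyppasswdd:11:10:::'; do
        has_line "$PASSWD" "$entry" ||
            { echo "missing from $PASSWD: $entry"; missing=$((missing + 1)); }
    done
    for entry in 'AUpwdauthd:*:::::' 'AUyppasswdd:*:::::'; do
        has_line "$ADJUNCT" "$entry" ||
            { echo "missing from $ADJUNCT: $entry"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# check_binary FILE MODE OWNER GROUP: compare with "ls -ld" output. Only the
# first 10 characters of the mode are used; some ls versions append a marker.
check_binary() {
    listing=$(ls -ld "$1" 2>/dev/null) || { echo "$1: not found"; return 1; }
    found=$(echo "$listing" | awk '{ print substr($1, 1, 10), $3, $4 }')
    [ "$found" = "$2 $3 $4" ] && return 0
    echo "$1: found $found, expected $2 $3 $4"
    return 1
}

# check_install: modes and ownership from the bulletin's ls -lg listing.
check_install() {
    rc=0
    check_binary /bin/login -rwsr-xr-x root staff || rc=1
    check_binary /usr/etc/rpc.pwdauthd -rwxr-xr-x root staff || rc=1
    check_binary /usr/etc/rpc.yppasswdd -rwxr-xr-x root staff || rc=1
    return "$rc"
}

# "pre" before replacing binaries, "post" after; no argument does nothing.
case "${1:-}" in
    pre)  check_pseudo_users ;;
    post) check_install ;;
esac
```

Run it with "pre" before copying the new binaries and with "post" before leaving single-user mode; a non-zero exit status means a step needs to be revisited.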