Patch Name: PHCO_17894

Patch Description: s700_800 10.26 tcopy(1m) patch

Creation Date: 99/05/25

Post Date: 99/08/23

Hardware Platforms - OS Releases:
    s700: 10.26
    s800: 10.26

Products: N/A

Filesets:
    BLS.BLS-CORE
    BLS.BLS-ENG-A-MAN

Automatic Reboot?: No

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_17894

Symptoms:
    PHCO_17894:
    1. Use of tcopy(1m) could allow one to read above the
       session clearance.
    2. Some tcopy(1m) audit records reported "Failure" upon
       success.
    3. tcopy(1m) does not restore ACLs or file privileges.
    4. tcopy(1m) could delete files inappropriately.

Defect Description:
    PHCO_17894:
    Tcopy(1m) did not properly enforce MAC checking, and
    authorization checking was auditing all failures, even
    expected instances.

    Resolution:
    1. tcopy attempts to adjust its level to the level of the
       file, which will fail if the clearance does not dominate.
    2. The command authorization checks audit appropriate
       success or failure.
    3. ACLs and file privileges are restored upon file write
       and creation.
    4. The current directory must be different than that of
       the target.

SR: 0000000000

Patch Files:
    /tcb/bin/tcopy
    /etc/auth/system/files.fcdb/05.base/PHCO_17894.fcdb
    /usr/share/man/man1m.Z/tcopy.1m

what(1) Output:
    /tcb/bin/tcopy:
        99/05/14 seccmd/tcopy/tcopy.c, hpux, hpux_10.26, ic5cj
            Revision 1.16 PATCH_10.26 (PHCO_17894)
        1999/05/22 Hewlett-Packard HP-UX 10.26 TOS [ ic5cj - DAV17 ]
    /etc/auth/system/files.fcdb/05.base/PHCO_17894.fcdb:
        99/05/14 etc/auth/system/files.fcdb/05.base/PHCO_17894.fcdb,
            hpux, hpux_10.26, ic5cj Revision 1.5 PATCH_10.26
            (PHCO_17894)
    /usr/share/man/man1m.Z/tcopy.1m:
        None

cksum(1) Output:
    1571473707 20480 /tcb/bin/tcopy
    3101237788 430 /etc/auth/system/files.fcdb/05.base/PHCO_17894.fcdb
    1871192983 2202 /usr/share/man/man1m.Z/tcopy.1m

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches: None

Patch Package Size: 80 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_17894

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_17894.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHCO_17894. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHCO_17894.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_17894.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
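
A post-install integrity check, added here as an example and not part of the HP patch text: it compares the values listed under "cksum(1) Output" with the files on disk. The function name verify_cksum_manifest and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare files on disk against the CRC/size pairs this
# patch text lists under "cksum(1) Output".

# Manifest copied from the patch text: <crc> <size in bytes> <path>
PHCO_17894_MANIFEST='1571473707 20480 /tcb/bin/tcopy
3101237788 430 /etc/auth/system/files.fcdb/05.base/PHCO_17894.fcdb
1871192983 2202 /usr/share/man/man1m.Z/tcopy.1m'

# verify_cksum_manifest MANIFEST [ROOT]
#   MANIFEST  text in the format above, one file per line
#   ROOT      optional prefix (hypothetical parameter) for checking an
#             unpacked copy or alternate root instead of the live system
# Prints one OK / MISSING / MISMATCH line per file and returns the number
# of files that did not verify (0 means everything matched).
# Usage on the patched system:
#   verify_cksum_manifest "$PHCO_17894_MANIFEST"
verify_cksum_manifest() {
    vcm_manifest=$1
    vcm_root=${2:-}
    vcm_bad=0
    while read -r vcm_crc vcm_size vcm_path; do
        [ -n "$vcm_path" ] || continue          # skip blank or short lines
        vcm_file=$vcm_root$vcm_path
        if [ ! -f "$vcm_file" ]; then
            echo "MISSING  $vcm_path"
            vcm_bad=$((vcm_bad + 1))
            continue
        fi
        # Reading from stdin makes cksum print only "<crc> <size>", so an
        # unusual file name cannot disturb the parse.
        set -- $(cksum < "$vcm_file")
        if [ "$1" = "$vcm_crc" ] && [ "$2" = "$vcm_size" ]; then
            echo "OK       $vcm_path"
        else
            echo "MISMATCH $vcm_path (expected $vcm_crc $vcm_size, got $1 $2)"
            vcm_bad=$((vcm_bad + 1))
        fi
    done <<EOF
$vcm_manifest
EOF
    return "$vcm_bad"
}
```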