Patch Name: PHCO_18360

Patch Description: s700_800 10.26 login and yppasswd checks are different

Creation Date: 99/06/16

Post Date: 99/11/01

Hardware Platforms - OS Releases:
    s700: 10.26
    s800: 10.26

Products: N/A

Filesets:
    BLS.BLS-CORE
    OS-Core.UX-CORE

Automatic Reboot?: No

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_18360

Symptoms:
    PHCO_18360:
    the passwd and yppasswd user commands and the trusted path
    password option did not enforce the constraints uniformly

    PHCO_17602:
    1. When a user with non-default clearance changes his own
       password with passwd(1), the clearance information is lost.
    2. When passwd(1) is invoked by user with "password"
       authorization, it incorrectly checks the minimum time
       between password changes.

Defect Description:
    PHCO_18360:
    The different means of changing passwords were not consistent.

    Resolution:
    The correct behavior was determined in accordance with the
    man pages and then the password verifiers were modified to
    match this specification.

    PHCO_17602:
    1. passwd(1) does not have cvtlabel in its potential privilege
       set, which prevents it from dealing with clearance properly.
    2. An incorrect check was being executed.

    Resolution:
    1. Add cvtlabel to the fcdb.
    2. Skip the time check if the invoker has "password".

SR: 0000000000

Patch Files:
    /sbin/passwd
    /usr/bin/passwd
    /opt/tosSmartCard/passwd_sec.o

what(1) Output:
    /sbin/passwd:
        99/06/03 lib/libc/core/gen/ctime.c, hpux, hpux_10.26, ic5co Revision 1.2 PATCH_10.26 (PHCO_17823) UNMODIFIED
        1999/06/03 Hewlett-Packard HP-UX 10.26 TOS [ ic5co - DAV17 ]
        99/06/03 cmd/passwd_sec.c, hpux, hpux_10.26, ic5co Revision 1.12 PATCH_10.26 (PHCO_18360)
        99/05/21 lib/libsecurity/getprpwent.c, hpux, hpux_10.26, ic5co Revision 1.25 PATCH_10.26 (PHCO_18502)
        99/06/03 lib/libsecurity/mandlib.c, hpux, hpux_10.26, ic5co Revision 1.5 PATCH_10.26 (PHCO_17760) $
        99/05/21 lib/libsecurity/authcap.c, hpux, hpux_10.26, ic5co Revision 1.5 PATCH_10.26 (PHCO_18502)
        99/05/21 lib/libsecurity/map_ids.c, hpux, hpux_10.26, ic5co Revision 1.12 PATCH_10.26 (PHCO_18502)
        ic5ae_DAV17 lib/libc/archive_pa1/libc.a_01 Jun 3 1999 21:24:50
    /usr/bin/passwd:
        1999/06/03 Hewlett-Packard HP-UX 10.26 TOS [ ic5co - DAV17 ]
        99/06/03 cmd/passwd_sec.c, hpux, hpux_10.26, ic5co Revision 1.12 PATCH_10.26 (PHCO_18360)
    /opt/tosSmartCard/passwd_sec.o:
        99/06/03 cmd/passwd_sec.c, hpux, hpux_10.26, ic5co Revision 1.12 PATCH_10.26 (PHCO_18360)

cksum(1) Output:
    4028133222 466944 /sbin/passwd
    2481966644 28672 /usr/bin/passwd
    3169311196 18952 /opt/tosSmartCard/passwd_sec.o

Patch Conflicts: None

Patch Dependencies:
    s700: 10.26: PHNE_18756
    s800: 10.26: PHNE_18756

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHCO_17602

Equivalent Patches: None

Patch Package Size: 560 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_18360

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
                  -s /tmp/PHCO_18360.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHCO_18360. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHCO_18360.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_18360.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    If login hooks are enabled, you must recompile your login
    hooks commands in /opt/tosSmartCard after installing this
    patch.
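
The values under "cksum(1) Output" can be compared against the installed files once swinstall has finished, to confirm that the three patched files are the ones this patch delivers. The script below is an added example and is not part of the HP patch text; the function names and the optional root-prefix argument (for checking a staging or mounted copy of the file system) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify files against a cksum(1) manifest.
# Manifest line format, as in the patch text: <crc> <size> <path>

# Print the manifest exactly as listed under "cksum(1) Output" for PHCO_18360.
phco_18360_manifest() {
    cat <<'EOF'
4028133222 466944 /sbin/passwd
2481966644 28672 /usr/bin/passwd
3169311196 18952 /opt/tosSmartCard/passwd_sec.o
EOF
}

# verify_cksum_manifest MANIFEST [ROOT]
# ROOT is a hypothetical prefix prepended to each path (empty = live system).
# Returns 0 only if every listed file exists and matches both CRC and size.
verify_cksum_manifest() {
    manifest=$1
    root=${2:-}
    failed=0
    while read -r want_crc want_size path; do
        # Skip blank lines and comment lines.
        case $want_crc in ''|'#'*) continue ;; esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            failed=1
            continue
        fi
        # cksum reading stdin prints "<crc> <size>" without a file name.
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want_crc $want_size, got $1 $2)"
            failed=1
        fi
    done < "$manifest"
    return $failed
}

# Usage on a patched system:
#   phco_18360_manifest > /tmp/PHCO_18360.cksum
#   verify_cksum_manifest /tmp/PHCO_18360.cksum
```

A MISMATCH on a system where a later patch has replaced one of these files is expected, since this patch is marked superseded; compare against the manifest of the newest installed patch in that case.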