Patch Name: PHCO_24267

Patch Description: s700_800 10.20 login(1) cumulative patch

Creation Date: 01/06/07

Post Date: 01/06/26

Hardware Platforms - OS Releases:
 s700: 10.20
 s800: 10.20

Products: N/A

Filesets:
 OS-Core.UX-CORE

Automatic Reboot?: No

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_24267

Symptoms:
 PHCO_24267:
 ( SR:8606189604 CR:JAGad58818 )
 Login allows certain shell users excessive freedom.

 ( SR:8606152919 CR:JAGad22237 )
 In a cluster of 10.20 and 11.0 systems, an identical password
 aging metric expires at different times for the same user.

 PHCO_13913:
 - incorrect SELF-AUDITING record on a Failed Login Attempt.
 - login coredumps, users are not allowed to login.

 PHCO_10428:
 trusted passwd expiration warning does not print if applicable
 to all users.

 PHCO_10138:
 - rlogin TERM is ignored and TERM set to hpterm.
 - rsh changes to rksh if previous patch exists.

 PHCO_9197:
 - message sh: /usr/bin/quota: The operation is not allowed in
 a restricted shell.
 - message in an hpterm window
 Sorry. Maximum numbers of users already logged in
 - chroot sublogins do not work properly in trusted mode

Defect Description:
 PHCO_24267:
 ( SR:8606189604 CR:JAGad58818 )
 Login should be more stringent in which environment variables
 it allows restricted shell users to set.

 Resolution:
 Login now only allows the DISPLAY and TERM variables to be set
 by restricted shell users unless configured otherwise in the
 security configuration file.

 To change the behavior of this patch, the /etc/default/security
 file must be created if it does not already exist. This file
 should be world readable and root writeable. To this file, add
 one of the following three entries:

 The new default behavior corresponds to a setting of:
 RSH_SECURITY=2

 It is possible to ease the restrictions and allow the setting
 of any environment variables which are not known to be
 potentially risky.
 This is done by specifying:
 RSH_SECURITY=1

 Finally, for compatibility reasons, it is possible to revert
 to the old, excessively permissive behavior by specifying:
 RSH_SECURITY=0

 ( SR:8606152919 CR:JAGad22237 )
 The password aging mechanism changed with the introduction of
 PAM in 11.0, causing slightly differing expiration dates in
 environments where PAM and non-PAM systems are mixed. This
 incompatibility is the result of a change in the way days are
 rounded into weeks.

 Resolution:
 With this patch, an option is made available which can force
 the login command to use PAM compatible aging. To enable this
 behavior, the /etc/default/security file must be created if it
 does not already exist. To this file, the following line can
 be added:
 PAM_AGING_COMPAT=1

 This flag is valid for the 10.20 release only. It is ignored
 in later releases, where the default is the PAM behavior.

 PHCO_13913:
 - incorrect SELF-AUDITING log on a Failed Login Attempt; the
 user information is not recorded.
 - login coredumps, users are not allowed to login

 PHCO_10428:
 trusted passwd expiration warning does not print if applicable
 to all users.
 PHCO_10138:
 - rlogin TERM variable is lost when exec'ing login internally
 - previous quota fix was incomplete

 PHCO_9197:
 - quotas are not checked with restricted shells
 - each hpterm pty is counted as one user
 - chroot sublogins are allowed in trusted mode

SR: 1653193656 4701379156 1653203067 1653193581 5003343202
 1653165837 8606189604 8606152919

Patch Files:
 /usr/bin/login

what(1) Output:
 /usr/bin/login:
 $Revision: 78.6.1.12 $
 publickey.c 1.3 90/07/19 4.1NFSSRC Copyr 1990 Sun Micro
 PATCH_10_20: login.o 01/06/07

cksum(1) Output:
 3096672998 77824 /usr/bin/login

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHCO_9197 PHCO_10138 PHCO_10428 PHCO_13913

Equivalent Patches: None

Patch Package Size: 130 KBytes

Installation Instructions:
 Please review all instructions and the Hewlett-Packard
 SupportLine User Guide or your Hewlett-Packard support terms
 and conditions for precautions, scope of license, restrictions,
 and limitation of liability and warranties, before installing
 this patch.
 ------------------------------------------------------------
 1. Back up your system before installing a patch.
 2. Login as root.
 3. Copy the patch to the /tmp directory.
 4. Move to the /tmp directory and unshar the patch:
 cd /tmp
 sh PHCO_24267
 5a. For a standalone system, run swinstall to install the patch:
 swinstall -x autoreboot=true -x match_target=true \
 -s /tmp/PHCO_24267.depot

 By default swinstall will archive the original software in
 /var/adm/sw/patch/PHCO_24267. If you do not wish to retain a
 copy of the original software, you can create an empty file
 named /var/adm/sw/patch/PATCH_NOSAVE.

 WARNING: If this file exists when a patch is installed, the
 patch cannot be deinstalled. Please be careful when using this
 feature.

 It is recommended that you move the PHCO_24267.text file to
 /var/adm/sw/patch for future reference.
 To put this patch on a magnetic tape and install from the tape
 drive, use the command:
 dd if=/tmp/PHCO_24267.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
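The Defect Description above tells the administrator to create /etc/default/security by hand, make it world readable and root writeable, and add RSH_SECURITY and PAM_AGING_COMPAT lines. The script below is an added example, not part of the patch or of HP's text, that does this idempotently: it replaces an existing assignment instead of appending a duplicate, refuses RSH_SECURITY values the patch does not define (only 0, 1 and 2 are described), and checks the resulting file mode. The file path is a parameter so the helpers can be tried on a scratch copy; on the patched host pass /etc/default/security. The helper names and the use of awk/sed instead of sed -i (which HP-UX 10.20 sed lacks) are this example's own choices.

```shell
#!/bin/sh
# Added example for PHCO_24267: manage the login(1) tunables in
# /etc/default/security. Not part of the patch itself.

# Print the value of KEY from FILE, or nothing if it is not set.
# Only lines of the exact form KEY=VALUE count (no comments, no
# leading whitespace); the last assignment wins, as it would when
# the file is sourced.
get_security_default() {
    file=$1; key=$2
    [ -f "$file" ] || return 1
    awk -F= -v k="$key" \
        '$1 == k { v = substr($0, length(k) + 2) } END { if (v != "") print v }' \
        "$file"
}

# Set KEY=VALUE in FILE, replacing an existing assignment or
# appending one. Creates FILE with mode 0644 if it is missing
# (the patch text asks for world readable, root writeable).
# Rewriting via "cat > file" keeps the existing owner and mode.
set_security_default() {
    file=$1; key=$2; value=$3
    if [ ! -f "$file" ]; then
        : > "$file"
        chmod 644 "$file"
        # Owner root is what the patch text implies; only possible as root.
        if [ "$(id -u)" = 0 ]; then chown root "$file"; fi
    fi
    if grep "^${key}=" "$file" >/dev/null 2>&1; then
        tmp="${file}.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" \
            && cat "$tmp" > "$file" && rm -f "$tmp"
    else
        echo "${key}=${value}" >> "$file"
    fi
}

# The patch text defines exactly three RSH_SECURITY settings.
rsh_security_valid() {
    case $1 in
        0|1|2) return 0 ;;
        *) return 1 ;;
    esac
}

# World readable (other "r" set) and not group/other writeable.
security_file_mode_ok() {
    mode=$(ls -l "$1" | cut -c1-10)
    case $mode in
        -r???-?r-?) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the settings from the Defect Description: RSH_SECURITY
# (default 2, the patched default) and PAM_AGING_COMPAT=1 for a
# mixed 10.20/11.0 cluster. Returns non-zero on a bad value or
# an unsafe file mode.
configure_login_defaults() {
    file=$1; rsh=${2:-2}
    rsh_security_valid "$rsh" || {
        echo "RSH_SECURITY must be 0, 1 or 2 (got '$rsh')" >&2
        return 2
    }
    set_security_default "$file" RSH_SECURITY "$rsh"
    set_security_default "$file" PAM_AGING_COMPAT 1
    security_file_mode_ok "$file"
}

# Typical use on the patched host (uncomment as root):
# configure_login_defaults /etc/default/security 2
```

RSH_SECURITY=0 restores the behaviour the patch itself calls excessively permissive; if it has to be set for compatibility, treat it as a transitional setting and re-run the script with 2 once the dependent applications have been fixed. The patch text does not list which variables it considers "potentially risky" under RSH_SECURITY=1, so that setting should be tested with the restricted accounts concerned rather than assumed safe.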
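The Installation Instructions above end with swinstall and do not say how to confirm that the patched login(1) is the one now on disk. The script below is an added example, not part of the patch or of HP's text, that checks /usr/bin/login against the two fingerprints the patch text publishes: the cksum(1) Output field (3096672998 77824) and the $Revision: 78.6.1.12 $ string shown in the what(1) Output field. It also wraps steps 2 to 5a with the guards an administrator adds by hand (root check, depot present before swinstall); the swinstall flags are exactly those in the text. The file path is a parameter so the checks can be tried on a scratch file; the revision extractor uses tr/sed instead of what(1) so it runs on hosts without it, which is this example's own choice.

```shell
#!/bin/sh
# Added example for PHCO_24267: post-install verification of
# /usr/bin/login. Not part of the patch itself.

# Values published in the patch text (cksum(1) and what(1) Output).
PHCO_24267_CKSUM=3096672998
PHCO_24267_SIZE=77824
PHCO_24267_REVISION=78.6.1.12

# Compare cksum(1) of FILE with an expected "crc size" pair.
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing.
cksum_matches() {
    file=$1; want_crc=$2; want_size=$3
    [ -f "$file" ] || return 2
    set -- $(cksum "$file")      # crc size name
    [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]
}

# Print the first "$Revision: X $" string embedded in FILE, which is
# the first line what(1) reports for the patched binary. Non-printable
# bytes are turned into newlines so the binary can be scanned with sed.
login_revision() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/.*\$Revision: \([0-9.]*\) \$.*/\1/p' \
        | head -n 1
}

# Verify FILE (default /usr/bin/login) against the published values.
verify_phco_24267_login() {
    file=${1:-/usr/bin/login}
    if ! cksum_matches "$file" "$PHCO_24267_CKSUM" "$PHCO_24267_SIZE"; then
        echo "$file: cksum does not match PHCO_24267" \
             "($PHCO_24267_CKSUM $PHCO_24267_SIZE)" >&2
        return 1
    fi
    rev=$(login_revision "$file")
    if [ "$rev" != "$PHCO_24267_REVISION" ]; then
        echo "$file: what(1) revision '$rev'," \
             "expected $PHCO_24267_REVISION" >&2
        return 1
    fi
    echo "$file: matches PHCO_24267"
}

# Steps 2-5a of the Installation Instructions with guards added.
# SHAR is the unshar-able patch file copied to /tmp in step 3.
install_phco_24267() {
    shar=${1:-/tmp/PHCO_24267}
    [ "$(id -u)" = 0 ] || { echo "run as root" >&2; return 1; }
    cd /tmp || return 1
    sh "$shar" || return 1
    [ -f /tmp/PHCO_24267.depot ] || {
        echo "unshar did not produce /tmp/PHCO_24267.depot" >&2; return 1; }
    swinstall -x autoreboot=true -x match_target=true \
        -s /tmp/PHCO_24267.depot || return 1
    # Recommended by the text: keep the patch description for reference.
    [ -f /tmp/PHCO_24267.text ] && mv /tmp/PHCO_24267.text /var/adm/sw/patch/
    verify_phco_24267_login /usr/bin/login
}

# On the patched host (as root): install_phco_24267 /tmp/PHCO_24267
# or, to re-check later:       verify_phco_24267_login
```

A cksum mismatch after a successful swinstall usually means a later login(1) patch has already replaced the file, in which case the Supersedes field of that patch, not this one, is the reference to check against.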