Patch Name: PHNE_24394

Patch Description: s700_800 10.24 (VVOS) telnetd, ftp, ftpd, login cumulative

Creation Date: 01/07/10

Post Date: 01/08/09

Hardware Platforms - OS Releases:
    s700: 10.24
    s800: 10.24

Products: N/A

Filesets:
    OS-Core.UX-CORE
    OS-Core.CORE-ENG-A-MAN
    VirtualVaultOS.VVOS-AUX-IA
    InternetSrvcs.INETSVCS-INETD
    InternetSrvcs.INET-ENG-A-MAN
    InternetSrvcs.INETSVCS-RUN

Automatic Reboot?: Yes

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHNE_24394

Symptoms:
    PHNE_24394:
    Port portions of base HP-UX patch PHNE_23948 to VVOS 10.24.
    Note that CR JAGad68257/SR 8606199070 is not supported on VVOS.
    Port portions of base HP-UX patch PHCO_24267 to VVOS 10.24.
    Note that SR:8606189604/CR:JAGad58818 is not supported on VVOS.
    Note that SR:8606152919/CR:JAGad22237 is not supported on VVOS.

    Based on HP-UX patch PHNE_23948:
    1. CR JAGad68308/SR 8606199121.
       ftpd does not function properly for some commands.
    2. CR JAGad68257/SR 8606199070.
       ftpd does not behave as expected in trusted systems.
    3. CR JAGad24502/SR 8606155185.
       ftpd man page does not have information on the -S option.

    PHNE_22059:
    Port base HP-UX patch PHNE_22057:
    Based on HP-UX patch PHNE_22057:
    1. CR JAGad12040/SR 8606142685.
       ftpd does not function properly.
    2. CR JAGaa27007/SR 8606160774.
       ls command fails in an anonymous ftp session.

    Based on HP-UX patch PHNE_17963:
    1. Implement passive mode in the 10.20 ftp client.
    2. Suppress the printing of the machine name in the ftpd banner.
    3. 'ftp' client does not work properly.

    PHNE_15802:
    Repackaged part of HP-UX patch PHNE_13597 for VVOS.
    Based on a portion of HP-UX patch PHNE_13597:
    * ftp: problem with passing files.
    * FTP Newer command does not work as documented if file does not exist.
    * FTP: no error message is given if the filesystem gets full.
    * Proxy Get command not working.
    * ftpd does not allow ports under 1024 even with the -p option.
    * FTP giving error 425: Can't create data socket.
    * Have inbound/outbound transfer logging in ftpd.
    * FTP Newer command has problem handling dates.

    PHNE_12984:
    Users cannot telnet or ftp to a VVOS system.

    Based on HP-UX patch PHNE_10010:
    An ftp client could interrupt a data transfer by sending a data close
    and an ABORT. A timing problem has been observed on the ftpd side.

    Based on HP-UX patch PHNE_9785:
    * ftpd returns a 550 after an NLST when the file is not found.
    * Privileged ports cannot be specified as part of the PORT command.
    * An error message "You've GOT to be joking" is displayed when a client
      specifies a privileged port as a data-port.
    * The command modtime displays incorrect date and time for some dates.

    Based on HP-UX patch PHCO_24267:
    ( SR:8606189604 CR:JAGad58818 )
    Login allows certain shell users excessive freedom.
    ( SR:8606152919 CR:JAGad22237 )
    In a cluster of 10.20 and 11.0 systems, an identical password aging
    metric expires at different times for the same user.

    Based on HP-UX patch PHCO_13913:
    - incorrect SELF-AUDITING record on a Failed Login Attempt.
    - login coredumps, users are not allowed to login.

    Based on HP-UX patch PHCO_10428:
    trusted passwd expiration warning does not print if applicable to all
    users.

    Based on HP-UX patch PHCO_10138:
    - rlogin TERM is ignored and TERM set to hpterm.
    - rsh changes to rksh if previous patch exists.

    Based on HP-UX patch PHCO_9197:
    - message sh: /usr/bin/quota: The operation is not allowed in a
      restricted shell.
    - message in an hpterm window: Sorry. Maximum numbers of users already
      logged in.
    - chroot sublogins do not work properly in trusted mode.

Defect Description:
    PHNE_24394:
    Port base HP-UX patch PHNE_23948 to VVOS 10.24.
    Note that CR JAGad68257/SR 8606199070 is not supported on VVOS.
    Port base HP-UX patch PHCO_24267 to VVOS 10.24.
    Note that SR:8606189604/CR:JAGad58818 is not supported on VVOS.
    Note that SR:8606152919/CR:JAGad22237 is not supported on VVOS.

    Based on HP-UX patch PHNE_23948:
    1. CR JAGad68308/SR 8606199121.
       ftpd does not function properly for some commands.
       Resolution:
       * Code changes have been made to fix the problem.
    2. CR JAGad68257/SR 8606199070.
       ftpd does not behave as expected in trusted systems.
       Resolution:
       * Code changes have been made to fix the problem.
    3. CR JAGad24502/SR 8606155185.
       PHNE_17963 adds a -S option to suppress the hostname and version
       from the initial banner. However, this option is not documented in
       the ftpd man page.
       Resolution:
       The man page has been updated to include the -S option:
           -S   Suppresses the name and version of the FTP server in the
                banner output.

    PHNE_22059:
    Port base patch PHNE_22057:
    Based on PHNE_22057:
    1. CR JAGad12040/SR 8606142685.
       ftpd does not function properly.
    2. CR JAGaa27007/SR 8606160774.
       ls command fails in an anonymous ftp session.

    Based on PHNE_17963:
    1. Implement passive mode in the 10.20 ftp client.
    2. Suppress the printing of the machine name in the ftpd banner.
    3. 'ftp' client does not work properly.

    PHNE_15802:
    Repackaged part of HP-UX patch PHNE_13597 for VVOS.
    Based on a portion of HP-UX patch PHNE_13597:
    * ftp: problem with passing files.
    * FTP Newer command does not work as documented if file does not exist.
    * FTP: no error message is given if the filesystem gets full.
    * Proxy Get command not working.
    * ftpd does not allow ports under 1024 even with the -p option.
    * FTP giving error 425: Can't create data socket.
    * Have inbound/outbound transfer logging in ftpd.
    * FTP Newer command has problem handling dates.

    PHNE_12984:
    Single-level telnetd and ftpd have been added to the VVOS supported
    feature set. Installation of this patch makes the system capable of
    providing server-side telnet and ftp services to the inside network.
    The patch will allow users from the inside network to telnet and/or ftp
    into a VirtualVault machine. Please refer to the special installation
    instructions on how to enable these services.

    Based on HP-UX patch PHNE_10010:
    ftpd has been fixed to handle a simultaneous data close and ABORT
    appropriately.
    Based on HP-UX patch PHNE_9785:
    * ftpd returns a 550 after an NLST when a file is not found. The return
      code was changed to 450 per RFC 959.
    * An option "-p" has been added. The PORT command can now specify a
      privileged port as a data-port if this option is set.
    * The error message "You've GOT to be joking" has been replaced by
      "Port command failure".
    * The command modtime now behaves correctly.

    Based on HP-UX patch PHCO_24267:
    ( SR:8606189604 CR:JAGad58818 )
    Login should be more stringent about which environment variables it
    allows restricted shell users to set.
    Resolution:
    Login now only allows the DISPLAY and TERM variables to be set by
    restricted shell users unless configured otherwise in the security
    configuration file. To change the behavior of this patch, the
    /etc/default/security file must be created if it does not already
    exist. This file should be world readable and root writeable. To this
    file, add one of the following three entries.

    The new default behavior corresponds to a setting of:
        RSH_SECURITY=2
    It is possible to ease the restrictions and allow the setting of any
    environment variables which are not known to be potentially risky.
    This is done by specifying:
        RSH_SECURITY=1
    Finally, for compatibility reasons, it is possible to revert to the
    old, excessively permissive behavior by specifying:
        RSH_SECURITY=0

    ( SR:8606152919 CR:JAGad22237 )
    The password aging mechanism changed with the introduction of PAM in
    11.0, causing slightly differing expiration dates in environments where
    PAM and non-PAM systems are mixed. This incompatibility is the result
    of a change in the way days are rounded into weeks.
    Resolution:
    With this patch, an option is made available which can force the login
    command to use PAM-compatible aging. To enable this behavior, the
    /etc/default/security file must be created if it does not already
    exist. To this file, the following line can be added:
        PAM_AGING_COMPAT=1
    This flag is valid for the 10.20 release only.
    It is ignored in later releases, where the default is the PAM behavior.

    Based on HP-UX patch PHCO_13913:
    - incorrect SELF-AUDITING log on a Failed Login Attempt; the user
      information is not recorded.
    - login coredumps, users are not allowed to login.

    Based on HP-UX patch PHCO_10428:
    trusted passwd expiration warning does not print if applicable to all
    users.

    Based on HP-UX patch PHCO_10138:
    - rlogin TERM variable is lost when exec'ing login internally.
    - previous quota fix was incomplete.

    Based on HP-UX patch PHCO_9197:
    - quotas are not checked with restricted shells.
    - each hpterm pty is counted as one user.
    - chroot sublogins are allowed in trusted mode.

SR: 8606142685 8606160774 5003424218 1653296475 4701409938 4701373696
    5003369611 1653245845 5003386581 1653245852 1653254193 1653232942
    4701346098 5003343970 5003344846 5003322867 4701372359 4701334763
    8606147747 1653245845 4701334763 8606199121 8606155185 1653193656
    4701379156 1653203067 1653193581 5003343202 1653165837

Patch Files:
    /sbin/init.d/inetd
    /usr/bin/login
    /usr/bin/ftp
    /usr/lbin/telnetd
    /usr/lbin/ftpd
    /usr/lbin/net_daemons/telnetd
    /usr/lbin/net_daemons/ftpd
    /usr/share/man/man1m.Z/ftpd.1m
    /usr/share/man/man1m.Z/telnetd.1m
    /usr/share/man/man1.Z/login.1
    /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb
    /etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb

what(1) Output:
    /sbin/init.d/inetd:
        $Revision: Hewlett-Packard ISSL 1.13 services/INETSVCS/scripts/inetd, hpuxinitscripts, vvos_davis, davis183 $
        $Date: 97/10/30 09:20:28 $
    /usr/bin/login:
        $Revision: Hewlett-Packard ISSL Level vvos_davis40 $
        $Header: Hewlett-Packard ISSL Release vvos_davis $
        $Date: Wed Jul 25 14:50:35 EDT 2001 $
        $Revision: 78.6.1.12 $
        $Source: cmd/login.c, hpuxcmdcntl, vvos_davis, davis184 $
        $Date: 01/07/25 14:18:46 $
        $Revision: 1.27 PATCH_10.24 (PHNE_24394) $
    /usr/bin/ftp:
        Copyright (c) 1985, 1989 Regents of the University of California.
        main.c based on 5.13 (Berkeley) 3/14/89 Revision 1.1.212.3 Wed Jul 14 10:27:17 GMT 1999
        cmds.c 5.18 (Berkeley) 4/20/89
        cmdtab.c 5.9 (Berkeley) 3/21/89
        ftp.c 5.28 (Berkeley) 4/20/89
        glob.c 5.7 (Berkeley) 12/14/88
        ruserpass.c 5.1 (Berkeley) 3/1/89
        domacro.c 1.6 (Berkeley) 2/28/89
    /usr/lbin/telnetd:
        $Revision: Hewlett-Packard ISSL Level vvos_davis40 $
        $Header: Hewlett-Packard ISSL Release vvos_davis $
        $Date: Wed Jul 25 14:50:35 EDT 2001 $
        $Source: services/INETSVCS/telnetd/telnetd_wrapper.c, hpuxcmdnet, vvos_davis, davis183 $
        $Date: 01/07/25 14:47:27 $
        $Revision: 1.3 PATCH_10.24 (PHNE_12984) $
    /usr/lbin/ftpd:
        $Revision: Hewlett-Packard ISSL Level vvos_davis40 $
        $Header: Hewlett-Packard ISSL Release vvos_davis $
        $Date: Wed Jul 25 14:50:35 EDT 2001 $
        $Source: services/INETSVCS/ftpd/ftpd_wrapper.c, hpuxcmdnet, vvos_davis, davis183 $
        $Date: 01/07/25 14:47:27 $
        $Revision: 1.4 PATCH_10.24 (PHNE_12984) $
    /usr/lbin/net_daemons/telnetd:
        $Revision: Hewlett-Packard ISSL Level vvos_davis40 $
        $Header: Hewlett-Packard ISSL Release vvos_davis $
        $Date: Wed Jul 25 14:50:35 EDT 2001 $
        Copyright (c) 1983, 1986 Regents of the University of California.
        $Source: services/INETSVCS/telnetd/telnetd.c, hpuxcmdnet, vvos_davis, davis183 $
        $Date: 01/07/25 14:43:22 $
        $Revision: 1.21.1.4 PATCH_10.24 (PHNE_12984) $
        telnetd.c $Revision: 1.27.212.8 $ $Date: 96/05/06 14:39:32 $
        telnetd.c 5.31 (Berkeley) 2/23/89
    /usr/lbin/net_daemons/ftpd:
        $Revision: Hewlett-Packard ISSL Level vvos_davis40 $
        $Header: Hewlett-Packard ISSL Release vvos_davis $
        $Date: Wed Jul 25 14:50:35 EDT 2001 $
        Copyright (c) 1985, 1988 Regents of the University of California.
        $Source: services/INETSVCS/ftpd/ftpd.c, hpuxcmdnet, vvos_davis, davis184 $
        $Date: 01/07/08 15:35:29 $
        $Revision: 1.19.1.18 PATCH_11.04 (PHNE_24394) $
        ftpd.c based on 5.28 (Berkeley) 4/20/89 Revision 1.7.212.5 Wed Jul 25 23:27:12 GMT 2001
        ftpcmd.y 5.20 (Berkeley) 2/28/89
        glob.c 5.7 (Berkeley) 12/14/88
        popen.c 5.7 (Berkeley) 2/14/89
        logwtmp.c 5.2 (Berkeley) 9/22/88
    /usr/share/man/man1m.Z/ftpd.1m:
        None
    /usr/share/man/man1m.Z/telnetd.1m:
        None
    /usr/share/man/man1.Z/login.1:
        None
    /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb:
        $Revision: Hewlett-Packard ISSL 1.1 /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb, files_etc, vvos_davis, davis183 $
        $Date: 97/10/29 16:52:02 $
        etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb, files_etc, vvos_davis, davis183
        $Date: 01/07/25 14:47:27 $
        $Revision: 1.1 PATCH_10.24 (PHNE_12984) $
    /etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb:
        $Revision: Hewlett-Packard ISSL 1.1 etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb, files_etc, vvos_davis, davis184 $
        $Date: 01/07/11 17:02:14 $

cksum(1) Output:
    1933343378 1574 /sbin/init.d/inetd
    1352087310 61440 /usr/bin/login
    4105651290 98304 /usr/bin/ftp
    3503248342 12288 /usr/lbin/telnetd
    2982062876 12288 /usr/lbin/ftpd
    220200613 45056 /usr/lbin/net_daemons/telnetd
    701589655 86016 /usr/lbin/net_daemons/ftpd
    1112697332 8959 /usr/share/man/man1m.Z/ftpd.1m
    2422361752 5224 /usr/share/man/man1m.Z/telnetd.1m
    1128670498 10494 /usr/share/man/man1.Z/login.1
    3074930072 1561 /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb
    1171704344 517 /etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb

Patch Conflicts: None

Patch Dependencies:
    s700: 10.24: PHNE_11306
    s800: 10.24: PHNE_11307

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHNE_12984 PHNE_15802 PHNE_22059

Equivalent Patches:
    PHNE_23948: s700: 10.20 s800: 10.20
    PHCO_24267: s700: 10.20 s800: 10.20
    PHNE_23949: s700: 11.00 s800: 11.00
    PHNE_24395: s700: 11.04 s800: 11.04
    PHNE_24418: s700: 11.04 s800: 11.04
    PHNE_23947: s700: 10.01 10.10 s800: 10.01 10.10

Patch Package Size: 420 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine User
    Guide or your Hewlett-Packard support terms and conditions for
    precautions, scope of license, restrictions, and limitation of
    liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.
    2. Login as root.
    3. Copy the patch to the /tmp directory.
    4. Move to the /tmp directory and unshar the patch:
           cd /tmp
           sh PHNE_24394
    5a. For a standalone system, run swinstall to install the patch:
           swinstall -x autoreboot=true -x match_target=true \
               -s /tmp/PHNE_24394.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHNE_24394. If you do not wish to retain a copy of
    the original software, you can create an empty file named
    /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the patch
    cannot be deinstalled. Please be careful when using this feature.

    It is recommended that you move the PHNE_24394.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape drive,
    use the command:
           dd if=/tmp/PHNE_24394.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    Installation of this patch makes the system capable of providing
    server-side telnet and ftp services to the inside network. To enable
    these services, which will let users from the inside network telnet
    and/or ftp into the system, the system administrator will have to
    perform the following steps:

    1. Login as root in a system window.
    2.
       Enable the desired service(s) by uncommenting the following lines
       in /etc/inetd.conf:
           #ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
           #telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
       to read:
           ftp      stream tcp nowait root /usr/lbin/ftpd     ftpd -l
           telnet   stream tcp nowait root /usr/lbin/telnetd  telnetd
    3. Unlock the desired pseudo terminals (ttyp0, ttyp1, etc.) in the
       terminal control database. Each tty has two entries.
       - Make a safe copy of the terminal control database,
         /etc/auth/system/ttys.
       - Edit the database (/etc/auth/system/ttys):
             pty/ttyp0:t_devname=pty/ttyp0:t_lock:chkent:
             ttyp0:t_devname=ttyp0:chkent:
         For each set of entries make the following modifications:
         If a field t_lock exists for the entry, just add an @ sign at the
         end of the field (t_lock@). If the field does not exist, add the
         entire field, t_lock@, to the entry. (The field separator is a :)
             pty/ttyp0:t_devname=pty/ttyp0:t_lock@:chkent:
             ttyp0:t_devname=ttyp0:t_lock@:chkent:
    4. Run "/tcb/bin/authck -t" to check the internal consistency of the
       Terminal Control database.
    5. Run "/tcb/bin/setfiles" to set system file attributes.
    6. Run "/usr/sbin/inetd -c" to force inetd to reread /etc/inetd.conf.

    NOTE: The patch should be installed after VirtualVault 3.X is installed.
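The enablement steps above (uncommenting the two inetd.conf lines, adding t_lock@ to each pty's pair of ttys entries, then authck, setfiles and inetd -c), automated as an added example. This script is not part of HP's patch text; it assumes the /etc/inetd.conf and /etc/auth/system/ttys line formats quoted in the instructions and a POSIX awk. The two editing functions read a file on standard input and write the edited copy to standard output, so the result can be reviewed before it replaces the live file; the apply_on_vvos wrapper that keeps the backup and runs steps 4 to 6 is only executed when called explicitly as root on the VirtualVault system. The sample ttys lines at the end are constructed for illustration, not taken from a real system.

```sh
#!/bin/sh
# Added example, not part of the PHNE_24394 patch text: automate steps 2-6 of
# the Special Installation Instructions. It assumes the /etc/inetd.conf and
# /etc/auth/system/ttys line formats quoted there and a POSIX awk.

# enable_inetd_services SERVICE...
# Reads inetd.conf on stdin and writes it to stdout with the leading '#'
# removed only from lines whose service field is one of SERVICE...; every
# other line, including other commented-out services, is left as it is.
enable_inetd_services() {
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^#/ {
            svc = substr($1, 2)            # service name after the leading "#"
            if (svc in want) sub(/^#/, "")
        }
        { print }'
}

# unlock_pty_entries "ttyp0 ttyp1 ..."
# Reads the terminal control database on stdin and writes it to stdout with
# t_lock@ set on both entries (pty/ttypN and ttypN) of each named pty: an
# existing t_lock field gets the trailing @, a missing one is inserted in
# front of chkent. Other entries, and entries already carrying t_lock@,
# pass through unchanged, so the function is safe to run more than once.
unlock_pty_entries() {
    awk -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            name = $0; sub(/:.*/, "", name); sub(/^pty\//, "", name)
            if (!(name in want) || $0 ~ /:t_lock@:/) { print; next }
            if (sub(/:t_lock:/, ":t_lock@:") == 0) {
                # no t_lock field yet: add one before chkent, or at the end
                if (sub(/:chkent:/, ":t_lock@:chkent:") == 0) {
                    sep = ($0 ~ /:$/) ? "" : ":"
                    $0 = $0 sep "t_lock@:"
                }
            }
            print
        }'
}

# apply_on_vvos "ttyp0 ttyp1 ..."
# The real procedure, to be run as root on the VirtualVault system: keep a
# dated copy of both files (the safe copy of step 3), rewrite them, then run
# the consistency check, setfiles, and make inetd reread its configuration.
apply_on_vvos() {
    ptys=$1
    stamp=$(date +%Y%m%d%H%M%S)
    for f in /etc/inetd.conf /etc/auth/system/ttys; do
        cp -p "$f" "$f.$stamp" || return 1
    done
    enable_inetd_services ftp telnet < "/etc/inetd.conf.$stamp" > /etc/inetd.conf.new || return 1
    unlock_pty_entries "$ptys" < "/etc/auth/system/ttys.$stamp" > /etc/auth/system/ttys.new || return 1
    # copy the content back over the originals so their owner and mode are kept
    cat /etc/inetd.conf.new > /etc/inetd.conf && rm -f /etc/inetd.conf.new || return 1
    cat /etc/auth/system/ttys.new > /etc/auth/system/ttys && rm -f /etc/auth/system/ttys.new || return 1
    /tcb/bin/authck -t && /tcb/bin/setfiles && /usr/sbin/inetd -c
}

# Constructed sample input (not a real VVOS database), modelled on the lines
# quoted in the instructions, so the edit can be reviewed on any POSIX system.
SAMPLE_TTYS='pty/ttyp0:t_devname=pty/ttyp0:t_lock:chkent:
ttyp0:t_devname=ttyp0:chkent:
pty/ttyp1:t_devname=pty/ttyp1:t_lock@:chkent:
ttyp1:t_devname=ttyp1:t_lock@:chkent:
console:t_devname=console:t_lock:chkent:'

printf '%s\n' "$SAMPLE_TTYS" | unlock_pty_entries "ttyp0 ttyp1"
```

Only list the ptys that inside-network sessions actually need; every entry given t_lock@ is a terminal that the trusted-system controls no longer lock. Before running apply_on_vvos, diff the dated backup against the output of the two functions to confirm that nothing but the intended lines changed.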
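A post-installation integrity check, added here as an example and not part of HP's patch text: it compares cksum(1) output for the installed files against the values listed under cksum(1) Output above, which are embedded in the block verbatim. It assumes a POSIX awk and a cksum that prints "crc size path" as on HP-UX. On anything other than the patched VVOS host the listed paths do not exist, so the comparison function is also exercised on a constructed two-line sample of cksum output.

```sh
#!/bin/sh
# Added example, not part of the PHNE_24394 patch text: check installed files
# against the cksum(1) values published in the patch text. Assumes a POSIX awk
# and a cksum(1) that prints "crc size path", as on HP-UX.

# Expected lines, copied verbatim from the cksum(1) Output section.
PHNE_24394_CKSUMS='1933343378 1574 /sbin/init.d/inetd
1352087310 61440 /usr/bin/login
4105651290 98304 /usr/bin/ftp
3503248342 12288 /usr/lbin/telnetd
2982062876 12288 /usr/lbin/ftpd
220200613 45056 /usr/lbin/net_daemons/telnetd
701589655 86016 /usr/lbin/net_daemons/ftpd
1112697332 8959 /usr/share/man/man1m.Z/ftpd.1m
2422361752 5224 /usr/share/man/man1m.Z/telnetd.1m
1128670498 10494 /usr/share/man/man1.Z/login.1
3074930072 1561 /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb
1171704344 517 /etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb'

# compare_cksum_lists EXPECTED ACTUAL
# Both arguments are strings of "crc size path" lines. Prints one line for
# each expected path that is MISSING from ACTUAL or whose crc or size
# MISMATCH, and returns 0 only when every expected path is present and
# matches. Paths in ACTUAL that are not expected are ignored.
compare_cksum_lists() {
    { printf '%s\n' "$1"; printf '%s\n' '-- actual --'; printf '%s\n' "$2"; } | awk '
        $0 == "-- actual --" { actual = 1; next }
        NF != 3 { next }
        !actual { want[$3] = $1 " " $2; next }
        ($3 in want) {
            seen[$3] = 1
            if (want[$3] != $1 " " $2) {
                print "MISMATCH " $3 ": expected " want[$3] ", got " $1 " " $2
                bad++
            }
        }
        END {
            for (f in want) if (!(f in seen)) { print "MISSING " f; bad++ }
            exit (bad > 0)
        }'
}

# verify_patch_files
# Runs cksum(1) over every path in PHNE_24394_CKSUMS on the local system and
# compares. Meant for the patched VVOS host, run as root; elsewhere the
# paths are absent and every one of them is reported MISSING.
verify_patch_files() {
    paths=$(printf '%s\n' "$PHNE_24394_CKSUMS" | awk 'NF == 3 { print $3 }')
    # the listed paths contain no whitespace, so the unquoted expansion is intended
    actual=$(cksum $paths 2>/dev/null)
    compare_cksum_lists "$PHNE_24394_CKSUMS" "$actual"
}

# Constructed cksum output (not taken from a real system): /sbin/init.d/inetd
# matches, /usr/bin/login has a different size, the other ten are absent.
SAMPLE_ACTUAL='1933343378 1574 /sbin/init.d/inetd
1352087310 61441 /usr/bin/login'

compare_cksum_lists "$PHNE_24394_CKSUMS" "$SAMPLE_ACTUAL" ||
    echo "PHNE_24394 file verification FAILED"
```

A MISMATCH on a file that swverify reports as intact usually means a later patch has replaced it, so check which patch owns the file before treating it as corruption. cksum(1) is a CRC, not a cryptographic hash: this check tells you the installed file is the version the patch text describes, not that nobody has tampered with it.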