Patch 2181 : login security fixes : [IRIX 6.2]
INDEX

  • Relations
  • Release Notes
  • Inst Subsystem Requirements
  • Inst Subsystem Checksums
  • Inst Subsystem File Listings
  • Download Patch


    RELATIONS

    This patch replaces the following patches:
    2092

    This patch has no known incompatibilities with other patches.

    This patch fixes the following bugs:
    437585 - login command tries to chdir before doing setuid, fails for 700 files
    491422 - security issue with LOCKOUT parameter in /etc/default/login
    494134 - login/scheme has buffer overrun security issue
    506487 - Login LOCKOUT - another security issue


    RELEASE NOTES

    1. Patch SG0002181 Release Note

           This release note describes patch SG0002181 to IRIX 6.2.
    
    
    1.1 Supported Hardware Platforms
           This patch contains bug fixes for all hardware platforms.
    
    
    1.2 Supported Software Platforms
           This patch contains bug fixes for IRIX 6.2.
    
    
    1.3 Bugs Fixed by Patch SG0002181
           This patch contains fixes for the following bugs in IRIX
           6.2.  Bug numbers from Silicon Graphics bug tracking system
           are included for reference.
    
              o The login/scheme program has a buffer overrun issue
                which results in an exploitable security vulnerability
                (Bug #494134).
    
              o A security issue has been discovered with the LOCKOUT
                parameter in /etc/default/login (Bug #491422). This
                incident resulted in CERT advisory CA-97.15 and AUSCERT
                advisory AA-97.12.
    
                Part of the fix for this problem is a new
                /etc/default/login option, LOCKOUTEXEMPT. The file
                /etc/default/login must be updated with the
                LOCKOUTEXEMPT option from /etc/default/login.N before
                this feature can be used.
    
                Description follows:
    
                If LOCKOUT is greater than zero, the users listed as
                LOCKOUTEXEMPT will NOT be subject to the LOCKOUT
                option. Usernames are separated by spaces, the list
                must be terminated by end-of-line, maximum list length
                is 240 characters. LOCKOUTEXEMPT is ignored unless
                LOCKOUT is enabled, and the list is not empty.
                Including privileged accounts (such as root) in the
                LOCKOUTEXEMPT list is not recommended, as it allows an
                indefinite number of attacks on the exempt accounts.
                Also, if LOCKOUTEXEMPT is enabled, the
                /etc/default/login file should be protected at mode 400
                or 600 to prevent unauthorized viewing and/or tampering
                with the LOCKOUTEXEMPT list.
    
                LOCKOUTEXEMPT=oper1 niteop
    
    
              o A security issue has been discovered with the LOCKOUT
                parameter in /etc/default/login (Bug #506487).
    
              o This patch is based on an earlier patch (2092), which
                fixed login failing with an "unable to change
                directory"/"Connection closed" message when the
                permission mode of the NFS-mounted home directory is
                700 (Bug #437585).
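
    As an added illustration (not part of the SGI release note and not
    SGI's login(1) code), the following Python script audits an
    /etc/default/login file against the LOCKOUTEXEMPT rules stated above:
    the list is ignored unless LOCKOUT is greater than zero and the list
    is non-empty, it must not exceed 240 characters, privileged accounts
    such as root should not appear in it, and the file should be mode 400
    or 600. The sample file content, the helper names, and the PRIVILEGED
    set are constructed for this example.

```python
# Added example (not SGI's login code): audit the LOCKOUT / LOCKOUTEXEMPT
# settings of an /etc/default/login file against the rules in the release
# note.  The sample file, helper names and PRIVILEGED set are constructed.
import os
import stat

MAX_EXEMPT_LEN = 240      # maximum LOCKOUTEXEMPT list length (release note)
PRIVILEGED = {"root"}     # accounts that should not be exempt (assumption: root only)

# Constructed sample of /etc/default/login; not taken from any real system.
SAMPLE_LOGIN = """\
# /etc/default/login (constructed sample)
LOCKOUT=3
LOCKOUTEXEMPT=oper1 niteop root
"""


def parse_default_login(text):
    """Return a dict of KEY -> VALUE from KEY=VALUE lines.

    Comments and blank lines are skipped.  A value runs to end-of-line,
    which matters for LOCKOUTEXEMPT: its space-separated user list is
    terminated by end-of-line, so it must not be split on whitespace here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_lockout(settings, file_mode=None):
    """Return a list of findings describing ineffective or risky settings.

    file_mode is the permission bits of /etc/default/login (e.g. 0o644)
    when known; the release note asks for 0400 or 0600 once LOCKOUTEXEMPT
    is in use.
    """
    findings = []
    try:
        lockout = int(settings.get("LOCKOUT", "0"))
    except ValueError:
        findings.append("LOCKOUT is not a number; treating it as disabled")
        lockout = 0

    exempt_raw = settings.get("LOCKOUTEXEMPT", "")
    exempt = exempt_raw.split()    # usernames separated by spaces

    # LOCKOUTEXEMPT only takes effect when LOCKOUT > 0 and the list is non-empty.
    if lockout <= 0:
        if exempt:
            findings.append("LOCKOUTEXEMPT set but ignored: LOCKOUT is not enabled")
        return findings
    if not exempt:
        return findings

    if len(exempt_raw) > MAX_EXEMPT_LEN:
        findings.append(
            f"LOCKOUTEXEMPT list is {len(exempt_raw)} chars, over the {MAX_EXEMPT_LEN} limit")

    bad = sorted(PRIVILEGED & set(exempt))
    if bad:
        findings.append(
            f"privileged account(s) exempt from LOCKOUT: {' '.join(bad)} "
            "(allows an unlimited number of guesses against them)")

    # Any group/other permission bit lets non-root users read the exempt list.
    if file_mode is not None and file_mode & 0o077:
        findings.append(
            f"/etc/default/login mode {file_mode & 0o777:04o} exposes the "
            "LOCKOUTEXEMPT list; use 0400 or 0600")
    return findings


def audit_file(path):
    """Audit a real /etc/default/login on disk (mode read via stat)."""
    with open(path) as fh:
        settings = parse_default_login(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_lockout(settings, mode)


if __name__ == "__main__":
    # Run against the constructed sample as if the file were mode 0644.
    for finding in audit_lockout(parse_default_login(SAMPLE_LOGIN), file_mode=0o644):
        print("WARNING:", finding)
```

    Running the script on the constructed sample reports two findings:
    root is on the exempt list, and a 0644 file mode exposes that list.
    On a live system, call audit_file("/etc/default/login") instead.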
    
    
    1.4 Subsystems Included in Patch SG0002181
           This patch release includes these subsystems:
    
              o patchSG0002181.eoe_sw.unix
    
              o patchSG0002181.eoe_man
    
    
    1.5 Installation Instructions
           Because you want to install only the patches for problems
           you have encountered, patch software is not installed by
           default.  After reading the descriptions of the bugs fixed
           in this patch (see Section 1.3), determine the patches that
           meet your specific needs.
    
           If, after reading Sections 1.1 and 1.2 of these release
           notes, you are unsure whether your hardware and software
           meet the requirements for installing a particular patch, run
           inst.  The inst program does not allow you to install
           patches that are incompatible with your hardware or
           software.
    
           Patch software is installed like any other Silicon Graphics
           software product.  Follow the instructions in your Software
           Installation Administrator's Guide to bring up the miniroot
           form of the software installation tools.
    
           Follow these steps to select a patch for installation:
    
             1.  At the Inst> prompt, type
    
                 install patchSGxxxxxxx
    
                 where xxxxxxx is the patch number.
    
             2.  Initiate the installation sequence. Type
    
                 Inst> go
    
    
             3.  You may find that two patches have been marked as
                 incompatible.  (The installation tools reject an
                 installation request if an incompatibility is
                 detected.)  If this occurs, you must deselect one of
                 the patches.
    
                 Inst> keep patchSGxxxxxxx
    
                 where xxxxxxx is the patch number.
    
             4.  After completing the installation process, exit the
                 inst program by typing
    
                 Inst> quit
    
    
    1.6 Patch Removal Instructions
           To remove a patch, use the versions remove command as you
           would for any other software subsystem.  The removal process
           reinstates the original version of software unless you have
           specifically removed the patch history from your system.
    
           versions remove patchSGxxxxxxx
    
           where xxxxxxx is the patch number.
    
           To keep a patch but increase your disk space, use the
           versions removehist command to remove the patch history.
    
           versions removehist patchSGxxxxxxx
    
           where xxxxxxx is the patch number.
    
    
    1.7 Known Problems
    
    
    INST SUBSYSTEM REQUIREMENTS
    No Requirements Information Available.
    

    INST SUBSYSTEM CHECKSUMS

    These checksums help to provide a 'signature' for the patch inst image which can be used to authenticate other inst images. You can obtain this kind of output by running sum -r on the image (from the command line):

    40880      2   patchSG0002181
    12558     35   patchSG0002181.eoe_man
    24729     73   patchSG0002181.eoe_sw
    19924      2   patchSG0002181.idb
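
    To compare a downloaded image with the table above without relying on
    an IRIX host, here is an added Python re-implementation of the BSD
    style rotate-and-add checksum that sum -r reports; it is not SGI
    tooling. It assumes that algorithm is the one your sum(1) uses and
    that the block count is in 512-byte blocks (the figures above are
    consistent with that; BLOCK_SIZE is the knob to change if your sum
    reports 1024-byte blocks). The sample data and names are constructed.

```python
# Added example (not SGI tooling): recompute the `sum -r` style checksum and
# block count so a downloaded inst image can be compared with the published
# table.  Assumptions: the 16-bit rotate-right-and-add algorithm, and a
# 512-byte block size for the second column.
import os

BLOCK_SIZE = 512   # assumption: IRIX sum -r counts 512-byte blocks


def bsd_sum(data: bytes) -> int:
    """16-bit checksum: rotate right by one bit, then add the next byte."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def block_count(size: int) -> int:
    """Number of BLOCK_SIZE blocks needed to hold `size` bytes."""
    return (size + BLOCK_SIZE - 1) // BLOCK_SIZE


def sum_r_line(name: str, data: bytes) -> str:
    """Format one line in the same 'checksum blocks name' layout as the table."""
    return f"{bsd_sum(data):5d}{block_count(len(data)):7d}   {name}"


def verify(data: bytes, expected_sum: int, expected_blocks: int) -> bool:
    """True only when both the checksum and the block count match the table."""
    return bsd_sum(data) == expected_sum and block_count(len(data)) == expected_blocks


def verify_file(path: str, expected_sum: int, expected_blocks: int) -> bool:
    """Verify a file on disk against the published (checksum, blocks) pair."""
    with open(path, "rb") as fh:
        return verify(fh.read(), expected_sum, expected_blocks)


if __name__ == "__main__":
    # Constructed sample input; a real run would read the extracted image files.
    sample = b"abc"
    print(sum_r_line("sample", sample))
    # Example of how the published table entry would be checked:
    #   verify_file("patchSG0002181.idb", 19924, 2)
```

    A matching sum -r value shows the image was not corrupted in transit,
    but a 16-bit checksum is trivial to collide, so it cannot establish
    that an image is authentic; treat it as a transfer check, not as a
    signature, and obtain patches only from the vendor's download server.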
    

    INST SUBSYSTEM FILE LISTINGS

    The following lists the files which get installed from each subsystem in the patch:

    patchSG0002181.eoe_man.unix
    usr/share/catman/u_man/cat1/login.z

    patchSG0002181.eoe_sw.unix
    etc/default/login
    usr/lib/iaf/scheme
    usr/relnotes/patchSG0002181/TC
    usr/relnotes/patchSG0002181/ch1.z


    DOWNLOAD PATCH
    Download Server     File Name                  Date Added    Size
    download.sgi.com    patchSG0002181.tar         30-Jul-1997   70 K
    download.sgi.com    patchSG0002181.tardist     30-Jul-1997   70 K


    Document Id: 20021117065510-IRIXPatch-1098