Patch 4038 : IRISconsole 2.0 docs and security fix :
[IRIX 6.5.9m 6.5.9f 6.5.8m 6.5.8f 6.5.7m 6.5.7f 6.5.6m 6.5.6f 6.5.5m
6.5.5f 6.5.4m 6.5.4f 6.5.3m 6.5.3f 6.5.2m 6.5.2f 6.5.1 6.5 6.3 6.2]
INDEX
RELATIONS
RELEASE NOTES
1. Patch SG0004038 Release Note This release note describes patch SG0004038 to IRIX 6.5.x, 6.3 and 6.2.1.1 Supported Hardware Platforms This patch contains bug fixes for IP22, IP30, and IP32. The software should not be installed on other configurations.1.2 Supported Software Platforms This patch contains bug fixes for IRISconsole (2.0) on a system running all versions of 6.5.x, 6.3 and 6.2. The software should not be installed on other configurations.1.3 Bugs Fixed by Patch SG0004038 This patch contains fixes for the following bugs in IRIX 6.5.x, 6.3 and 6.2. Bug numbers from Silicon Graphics bug tracking system are included for reference. Bug #801250-IRIXConsole 2.0 does not recognize EL-8P terminal server Patch 3943: Fixes: Bug #784455-devices not being made during inst Bug #786838-icallow and icdeny do not work per man page Bug #787405-does not support ST-1616B with new vendorid Bug #788664-incorrect permissions on iclogin command Bug #789183-iclogin does not handle "NA" as syscon port Bug #792335-icadmins logging in with wrong passwords Replaces and rolls up: Patch 3716, which fixes: Bug #753214-ic fails on ST-1600 and Indy Bug #758765-'icpass' core dumps Bug #763990-icallow has wrong directory path Bug #765150-connection 'idle' time is incorrect Bug #765901-iclogin does not have new icallow/icdeny feature1.4 Subsystems Included in Patch SG0004038 This patch release includes these subsystems: o patchSG0004038.IRISconsole_sw1.5 Installation Instructions Because you want to install only the patches for problems you have encountered, patch software is not installed by default. After reading the descriptions of the bugs fixed in this patch (see Section 1.3), determine the patches that meet your specific needs. If, after reading Sections 1.1 and 1.2 of these release notes, you are unsure whether your hardware and software meet the requirements for installing a particular patch, run inst. The inst program does not allow you to install patches that are incompatible with your hardware or software. Patch software is installed like any other Silicon Graphics software product. Follow the instructions in your Software Installation Administrator's Guide to bring up the miniroot form of the software installation tools. Follow these steps to select a patch for installation: 1. At the Inst> prompt, type install patchSGxxxxxxx where xxxxxxx is the patch number. 2. Initiate the installation sequence. Type Inst> go 3. You may find that two patches have been marked as incompatible. (The installation tools reject an installation request if an incompatibility is detected.) If this occurs, you must deselect one of the patches. Inst> keep patchSGxxxxxxx where xxxxxxx is the patch number. 4. After completing the installation process, exit the inst program by typing Inst> quit1.6 Patch Removal Instructions To remove a patch, use the versions remove command as you would for any other software subsystem. The removal process reinstates the original version of software unless you have specifically removed the patch history from your system. versions remove patchSGxxxxxxx where xxxxxxx is the patch number. To keep a patch but increase your disk space, use the versions removehist command to remove the patch history. versions removehist patchSGxxxxxxx where xxxxxxx is the patch number.1.7 Known Problems 2. Installation_Information The IRISconsole 2.0 product contains software for managing groups of Challenge/Onyx, Origin 200/2000 installations. Please refer to the IRISconsole Administrator's Guide book for help in customizing the software for individual sites. The IRISconsole software should be installed on IRIX operating system release 6.5 (or later). 2.1 IRISconsole_2.0_Subsystems IRISconsole contains the following subsystems: IRISconsole.sw.base IRISconsole Base Software, including the tcl/motif Graphical User Interface. IRISconsole.sw.remoteaccess Remote Access Capabilities based on telnet IRISconsole.sw.tcllink IRISconsole Tcl software IRISconsole.man.man Manual pages for IRISconsole IRISconsole.man.relnotes Release Notes for IRISconsole 2.0 IRISconsole.books.IRISconsole_AG Online IRISconsole Administrator's Guide IRISconsole.books.MUX_IG The IRISconsole Multiplexer Installation Guide It is necessary to install at least sgitcl_eoe.sw.base and sgitcl_eoe.sw.tm for IRIX 6.5 from the sgitcl software included on the CD. IRISconsole also requires sts.sw and/or el_serial.sw. If installing both multiplexers you must install the el_serial.sw before installing the sts.sw. 2.2 Customization_and_Files 2.2.1 Access_Control IRISconsole is equipped with a simple but effective access control mechanism. It recognizes two types of users, icadmins (administrators) and icusers (regular non-admin users). Before starting /usr/sbin/ic it is necessary to configure these into the IRISconsole password database. At the very least, you must add at least one administrator by using /usr/sbin/icpass -add icadmin. This is because security is switched on by default, and you will not be able to add sites and systems to configure the IRISconsole without an icadmin login and password. Only root can add icadmins, and only icadmins can add/delete icusers. Only icadmins can delete another icadmin entry. The base IRISconsole requires no configuration files such as /etc/uucp/* entries to connect to the attached systems. For serial communication through SCSI or Ethernet Multiplexer, IRISconsole uses a direct connect protocol that requires no preconfiguration. IRISconsole uses files to either allow or deny access to particular systems within a site. These files are icallow and icdeny. They are located in the /usr/IRISconsole/adm directory. Each entry in these file has the following format: <user_id> : <site_name> : <system_name> [, <system_name> ] The icallow and icdeny files work like the allow and deny functionality of the cron command. If the entry is in the icallow file, user user_id is allowed access to the system site_name : system_name. If the entry is in the icdeny file, that user is denied access to that system. If both the icallow and icdeny files contain entries, then only the entry in the icallow file is used. 2.2.2 Remote_Access_Installation IRISconsole remote access is a telnet(1C) based facility that lets users perform a subset of the functionalities available through the IRISconsole main GUI remotely over a network. It includes ictelnet(1), that helps users connect to a known port on the IRISconsole host. It depends on an ictelnetd service running on the host workstation (OCTANE, O2, or Indy) listening on the specific port. The port number should be the port number value for ictelnet services in the /etc/services file. For the port number, use any number between 5000 and 5063; the number 5000 is recommended for the status port. Once successfully connected, ictelnetd invokes IRISconsole's iclogin subsystem to verify user's 'IRISconsole Login:' and password. To configure a port on the IRISconsole system so that ictelnet communicates directly to the IRISconsole application, edit the file /etc/services on that system to include the following line, which specifies the port on which the service is available: ictelnet 5000/tcp # IRISconsole Remote Access Edit the file /etc/inetd.conf on the IRISconsole system to include this line: ictelnet stream tcp nowait root /usr/IRISconsole/bin/ictelnetd ictelnetd Then, tell inetd to reread the file with the command: /etc/killall -HUP inetd Note To connect to port 5000 of the IRISconsole machine you may use standard telnet or /usr/sbin/ictelnet which is an alias for /usr/bsd/telnet -l $USER. 2.2.3 IRISconsole_Conversion_Script The IRISconsole 2.0 release uses a database introduced in the IRISconsole 1.3 release to store site and system information. The icdbcnvrt command is run by installation software to convert site and system information from the IRISconsole 1.2 or 1.3 release to the IRISconsole 2.0 release. 2.2.4 IRISconsole_Partitioned_System_Support If you plan to use the Partitoned System functions within IRISconsole please contact your nearest SGI representative. 2.2.5 IRISconsole_and_SGI_Electronic_Services For customers who have purchased escall through the Support Advantage Electronic Services package in North America, IRISconsole can be used to forward requests to SGI and to update their requests from SGI. escall uses the environment variable CALLSVR to forward messages to SGI. If it is not set, escall uses "localhost" as the callsvr. All requests require the serial number of the machine. The machine must have been registered with Electronics Services. For additional information, please contact your nearest SGI representative. 3. Known_Problems_and_Workarounds This chapter discusses known problems in IRISconsole 2.0, and ways to work around them. o If your site has purchased a new ST-1616 multiplexer, you must check the version number of the firmware to determine whether the multiplexer requires new SCSI drivers from Digi International, Inc. Enter the following command: cdscanbus Look at the right most field of the output entry that shows the ST-1616 multiplexer. If the version is anything greater than 'V7.0', you will need the new SCSI drivers from Digi International, Inc., at the following Web page: http://support.digi.com/support/drivers/irix/index.html#SCSI Once at this page, click on the *.sis (currently 4002072A.sis) and follow the directions to install the new SCSI driver images. o Devices are not made when loading IRISconsole software. If you install IRISconsole software and then attempt to configure your system and use IRISconsole and do not run the cdmknods command, you may receive an error message similar to the following: /dev/ttyd055 no such device If you encounter this problem, run the following commands: rm -f /dev/tty[mfd]??? then cdmknods The rm command removes any existing device nodes. The cdmknods command is run to make the device nodes associated with your system. The cdmknods simplifies and automates the process of making device nodes for Digi International scsiTerminalServer and EtherLite(R) Terminal Server products. It may be used to make single nodes with specific features, to generate all the necessary nodes for a particular product, or to make nodes for all scsiTerminal Server products found on a particular system. See the cdmknods(1) man page for more information. o The cdscanbus binary located in /sbin directory and installed on IRIX 6.5.x systems does not have its permissions set correctly for IRISconsole to operate normally. When IRISconsole is installed with the inst command along with other images, you must manually change the permissions on the cdscanbus binary to 4555 using the following command: chmod 4555 /sbin/cdscanbus If you do not change the permissions to 4555, non-root users of the ic command will not be able to bring up IRISconsole with multiplexers attached. o Console activity gets logged only as long as the device is left connected or the syslogd remote logging is enabled on the server. See "Storing System Log Information" in the IRISconsole Administrator's Guide, 007-2872-004, for more information on syslogd remote logging. o IRISconsole 2.0 does not contain a mechanism to automatically detect system failures outside of what is detected and triggered by Hardware Status Monitor and its alarm thresholds. o Similar to standard login(1), IRISconsole logs unsuccessful login attempts to a 'badlogins' file. This file resides in /var/IRISconsole/adm/badlogin/ badlogins, and is configured to log after three failed attempts. It is important that all files and directories in the path /var/IRISconsole/adm/* be owned by root and kept under 0600 permissions. However, these badlogins are done only in the case of remote access via telnet. When using icpass(1C), badlogins file is not updated. Similar to login(1), no badlogin will be done unless the file /var/IRISconsole/ adm/badlogin/badlogins exists. o IRISconsole does not distinguish when a connected system is at its system prom. Since hardware flow control is disabled at the system prom, to avoid confusion, IRISconsole 2.0 does not use hardware flow control at all. o When adding logins and passwords to the IRISconsole password database, users are not prompted to enter their new password twice. This can create problems if the password was mistyped. If you realize that the password was mistyped, an icadmin password holder can delete your entry from the password database o All options under Monitor in the site window require networking between IRISconsole host and the managed system. Since IRISconsole executes rsh commands it is also possible to flood the SYSLOG of the managed system with messages if it logs all rsh requests. o Show Syslog lets users view syslog using /usr/sbin/sysmon, but the Update button of sysmon does not work. that is, it doesn't get the latest version of syslog from the managed system. It is necessary to quit sysmon and reselect Show Syslog each time, unless the syslogd remote logging is enabled on the server. o All the customization of styles done in Hardware Status Monitor are non-persistent; they'll last only as long as the particular graph does. o In the Hardware Status Monitor, when the alarms log is present, deleting and adding graphs may alter the sizes of existing graphs. It may be necessary to readjust their sizes manually. o Some sub-applications that are spawned (for example, Console windows) do not exit when the user quits the application. They have to be exitted manually; in the case of a telnet session, use the ESC sequence Ctrl-] Ctrl-\. o While it is possible to use utilities like cu(1C) to communicate over the serial line, it is discouraged. IRISconsole can interoperate with cu as far as locking is concerned, but it is not possible to find other information like the idle time on a device if cu is used. However, the simple direct connect protocol used by IRISconsole does not have commands to send or receive files over a serial line. o The Spy Console xwsh window does not exit itself when the line that it is spying on gets disconnected. Users have to kill it manually using Ctrl-C. o The log files in /var/IRISconsole/logs can eventually occupy a significant amount of space. They should periodically be compressed and archived. o The IRISconsole Administrator's Guide makes several references to the ST-1600 Multiplexer. The ST-1616, ST-1620, and ST-1032 Multiplexers are interchangeable with the ST-1600 throughout the book. o IRISconsole recognizes ST-1600/1616/1620/1032 multiplexers on all SCSI busses. You may pick any bus when installing multiplexer(s). INST SUBSYSTEM REQUIREMENTS No Requirements Information Available. INST SUBSYSTEM CHECKSUMS These checksums help to provide a 'signature' for the patch inst image which can be used to authenticate other inst images. You can obtain this kind of output by running sum -r on the image (from the command line): 27613 34 patch/README.patch.4038 44486 4 patchSG0004038.idb 24783 2 patchSG0004038 INST SUBSYSTEM FILE LISTINGS The following lists the files which get installed from each subsystem in the patch:
DOWNLOAD PATCH
|
||||||||||||||||||||||||||||||||||||
Document Id: 20021117075908-IRIXPatch-1414
|