Patch-ID# 106473-03
Keywords: security POINT PATCH SNC authenticate failure NIS+ dot printer name
Synopsis: SunOS 5.6: POINT PATCH: SNC users unable to log into Solaris 2.6
Date: Oct/15/99

Solaris Release: 2.6

SunOS Release: 5.6

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 106474-03

Topic: SunOS 5.6: POINT PATCH: 4144455 bugfix for /opt/SUNWpcnfs/sbin/rpc.pcnfsd

Note: As a point patch, this fix is not currently scheduled nor will necessarily be approved for integration in a future SunOS release.

BugId's fixed with this patch: 4144455 4166175

Changes incorporated in this version: 4166175

Relevant Architectures: sparc

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 106271-05

Obsoleted by:

Files included with this patch:

/opt/SUNWpcnfs/sbin/rpc.pcnfsd

Problem Description:

4166175 : Root access could be compromised if rpc.pcnfsd accepts "." as a printer name from an exploit client.

(from 106473-01)

4144455 : An SNC 3.1.1 user trying to log in from a PC to a Solaris 2.6 nisplus client is unable to log in and gets the error message "Invalid Login".

The NIS+ client was running the new rpc.pcnfsd from SNC 3.2 and the new /usr/lib/security/pam_unix.so.1 pam fix (patch 106271-03), and was running in compat mode.

The permissions for the passwd table are as follows:

  Object Name   : passwd
  Access Rights : ----rmcdrmcd----

And the passwd column is:

  [1]  Name          : passwd
       Attributes    : (TEXTUAL DATA)
       Access Rights : -----m----------

Keep in mind the nsswitch.conf file has passwd set to compat:

  passwd:        compat
  passwd_compat: nisplus

As a truss shows, with these permissions set rpc.pcnfsd sets the effective uid back to the user's uid, and the user does not have permission to read the shadow file, e.g.:

  14049/4:  seteuid(4912)                        = 0
  14049/4:  door_info(4, 0xEF142CE8)             = 0
  14049/4:  door_call(4, 0xEF142CD0)             = 0
  14049/4:  open("/etc/shadow", O_RDONLY)        Err#13 EACCES

NOTE: it does a seteuid(4912), which is back to the uid of the user, and then it tries to open /etc/shadow. It can't open /etc/shadow because the permission is 400 and the file is owned by root.

This will work if we set the permissions on the shadow file to 444, or change the permissions on the passwd column, or put the NIS+ client machine in the admin.groups_dir table as an explicit member. But keep in mind that all of these workarounds defeat the purpose of hiding the encrypted passwords of all the users.

Patch Installation Instructions:
--------------------------------
Refer to the Install.info file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below.

Special Install Instructions:
-----------------------------
First apply the NIS+ patch 106271-05 or greater, then apply this patch.

***NOTE*** This rpc.pcnfsd is currently single threaded, because at such a security level nss_nisplus.so.1 can only support single threading. For the above reason this patch is a POINT patch, intended only for people who choose to run NIS+ at such a high security level.
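As an added illustration (not part of the patch README and not Sun's code), the following Python script shows how an administrator could spot the failure pattern described in the truss excerpt above in a captured truss log: a thread that called seteuid() to a non-root uid and then received EACCES when opening /etc/shadow. The first trace is the README's own four lines; the second trace, the function names analyze and parse_line, the Finding class and the per-thread bookkeeping are constructed for this example. It assumes the daemon's threads start with effective uid 0 before any seteuid() call appears in the trace.

```python
import re
from dataclasses import dataclass

# One truss(1) line: "<pid>/<lwp>: <call>(<args>) = <ret>" or "... Err#<errno> <ERRNAME>".
TRUSS_LINE = re.compile(
    r'^(?P<pid>\d+)/(?P<lwp>\d+):\s+(?P<call>\w+)\((?P<args>[^)]*)\)\s+'
    r'(?:=\s*(?P<ret>-?\w+)|Err#(?P<errno>\d+)\s+(?P<errname>\w+))$'
)

# Files that only root is expected to read; an EACCES here after a
# privilege drop is the symptom the README describes.
SENSITIVE_PATHS = ("/etc/shadow",)

# Constructed copy of the README's truss excerpt (failing case).
TRACE_FAILING = """\
14049/4: seteuid(4912) = 0
14049/4: door_info(4, 0xEF142CE8) = 0
14049/4: door_call(4, 0xEF142CD0) = 0
14049/4: open("/etc/shadow", O_RDONLY) Err#13 EACCES
"""

# Constructed trace of the expected behaviour: the lookup runs with
# effective uid 0 and the open succeeds (descriptor number is made up).
TRACE_OK = """\
14049/4: seteuid(0) = 0
14049/4: open("/etc/shadow", O_RDONLY) = 5
14049/4: seteuid(4912) = 0
"""


@dataclass
class Finding:
    lwp: str        # thread that failed
    euid: int       # effective uid in force at the time of the open
    path: str       # file it could not read
    errname: str    # errno symbol reported by truss


def parse_line(line):
    """Return the fields of one truss line as a dict, or None if it is not one."""
    m = TRUSS_LINE.match(line.strip())
    return m.groupdict() if m else None


def analyze(trace):
    """Walk a truss log and report sensitive-file opens that failed after a uid drop."""
    euid = {}           # (pid, lwp) -> effective uid; threads start as root (assumption)
    findings = []
    for raw in trace.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["pid"], rec["lwp"])
        if rec["call"] == "seteuid" and rec["ret"] == "0":
            # Successful seteuid(): remember the new effective uid of this thread.
            euid[key] = int(rec["args"])
        elif rec["call"] == "open" and rec["errname"] == "EACCES":
            # First argument is the quoted pathname.
            path = rec["args"].split(",")[0].strip().strip('"')
            if path in SENSITIVE_PATHS and euid.get(key, 0) != 0:
                findings.append(Finding(rec["lwp"], euid[key], path, rec["errname"]))
    return findings


if __name__ == "__main__":
    for f in analyze(TRACE_FAILING):
        print(f"lwp {f.lwp}: open({f.path}) failed with {f.errname} "
              f"while euid={f.euid}; password lookup ran without root privilege")
```

Running it against the README's excerpt reports the single open of /etc/shadow that failed under euid 4912, while the constructed root-context trace produces no finding. The same pattern, a seteuid() to the calling user followed by EACCES on a root-only file, is what distinguishes this misconfiguration from a genuine "Invalid Login".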