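Patch Name: PHCO_36479
Patch Summary: 11.31 rbac cumulative patch
Creation Date: 07/05/22
Post Date: 07/06/13
Hardware Platforms and OS Releases:
11.31
Symptoms:
PHCO_36479:
1. (SR:8606447411 CR:JAGag04752)
This patch is one of a set of patches needed to enable the optional
HP-UX AccessControl bundle, version B.11.31.04.
Installing the AccessControl bundle installs the full set of patches
(including this one) required to enable the features of the HP-UX
RBACExt product B.11.31.04.
2. (SR:8606455522 CR:JAGag12035)
authadm can corrupt the /etc/rbac/role_auth database.
Defect Description:
PHCO_36479:
1. (SR:8606447411 CR:JAGag04752)
This patch contains enhancements that support the features of the
HP-UX RBACExt product. If the HP-UX RBACExt product is not installed,
this patch only adds entries to the cmd_priv database. These changes
take effect only if the database has not been customized since
installation. Once these changes are in effect, appropriately
authorized users can access the iobind(1m), iofind(1m),
io_redirect_dsf(1m), scsimgr(1m), userdbget(1m), userdbset(1m),
userdbck(1m), and userstat(1m) commands.
Resolution:
If the HP-UX RBACExt product is installed, this module incorporates
new security features into the RBAC-related commands.
2. (SR:8606455522 CR:JAGag12035)
authadm could corrupt the /etc/rbac/role_auth database.
When revoking the last authorization on the same line on which a role
is defined, "authadm revoke" revoked the role even though
authorizations for that role were still defined on the next line. It
then incorrectly assigned those authorizations to the role defined on
the previous line in /etc/rbac/role_auth.
Resolution:
authadm has been fixed to update the /etc/rbac/role_auth database
correctly.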
-----------------------------------------------------------------------------
Patch Name: PHCO_36479
Patch Description: 11.31 rbac cumulative patch
Creation Date: 07/05/22
Post Date: 07/06/13
Hardware Platforms - OS Releases:
11.31
Products: N/A
Filesets:
RBAC.RBAC-CONF,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP
RBAC.RBAC-ENG-A-MAN,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_IA,v=HP
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_PA,v=HP
Automatic Reboot?: No
Status: General Release
Critical:
Yes
PHCO_36479: CORRUPTION
The authadm(1M) can corrupt the /etc/rbac/role_auth
database in certain situations.
Category Tags:
defect_repair enhancement general_release critical
corruption
Path Name: /hp-ux_patches/11.X/PHCO_36479
Symptoms:
PHCO_36479:
( SR:8606447411 CR:JAGag04752 )
This patch is a member of a set needed to enable the
optional HP-UX AccessControl bundle, version B.11.31.04.
Upon installation, the AccessControl bundle will install
the full set of patches (including this one) required to
enable the HP-UX RBACExt product B.11.31.04 features.
( SR:8606455522 CR:JAGag12035 )
authadm can corrupt the /etc/rbac/role_auth database.
Defect Description:
PHCO_36479:
( SR:8606447411 CR:JAGag04752 )
This patch contains enhancements that support the
features included in the HP-UX RBACExt product. If the HP-UX
RBACExt product is not installed, the only impact this
patch will have on your system is the addition of entries to
the cmd_priv database. These changes will only take effect
if the database has not been customized since installation.
These changes, once in place, will enable an appropriately
authorized user to access the iobind(1m), iofind(1m),
io_redirect_dsf(1m), scsimgr(1m), userdbget(1m),
userdbset(1m), userdbck(1m), and the userstat(1m) commands.
Resolution:
When the HP-UX RBACExt product is installed, this module
implements new security features in the RBAC commands.
( SR:8606455522 CR:JAGag12035 )
Under certain circumstances, authadm can corrupt the
/etc/rbac/role_auth database. When "authadm revoke" revokes
the last authorization that is on the same line on which the
role is defined, it revokes the role even when there are
more authorizations for that role defined on the next line.
These authorizations will then be incorrectly assigned to
the role that is defined on the previous line in the
/etc/rbac/role_auth database.
Resolution:
authadm now correctly updates the /etc/rbac/role_auth
database.
Enhancement:
Yes
PHCO_36479:
Support added for the HP-UX Role-Based Access
Control Extensions (RBACExt) product, version
B.11.31.04.
SR:
8606447411 8606455522
Patch Files:
RBAC.RBAC-CONF,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP:
/usr/newconfig/etc/rbac/auths
/usr/newconfig/etc/rbac/cmd_priv
RBAC.RBAC-ENG-A-MAN,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP:
/usr/share/man/man1m.Z/authadm.1m
/usr/share/man/man1m.Z/privedit.1m
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_IA,v=HP:
/usr/lib/hpux32/librbac.so
/usr/lib/hpux64/librbac.so
/usr/lib/hpux32/librbac.so.1
/usr/sbin/authadm
/usr/sbin/cmdprivadm
/usr/bin/privrun
/usr/bin/privedit
/usr/sbin/rbacdbchk
/usr/sbin/roleadm
/usr/lib/hpux64/librbac.so.1
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_PA,v=HP:
/usr/lib/librbac.sl
/usr/lib/pa20_64/librbac.sl
/usr/lib/librbac.1
/usr/sbin/authadm
/usr/sbin/cmdprivadm
/usr/bin/privrun
/usr/bin/privedit
/usr/sbin/rbacdbchk
/usr/sbin/roleadm
/usr/lib/pa20_64/librbac.1
what(1) Output:
RBAC.RBAC-CONF,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP:
/usr/newconfig/etc/rbac/auths:
None
/usr/newconfig/etc/rbac/cmd_priv:
None
RBAC.RBAC-ENG-A-MAN,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP:
/usr/share/man/man1m.Z/authadm.1m:
None
/usr/share/man/man1m.Z/privedit.1m:
None
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_IA,v=HP:
/usr/lib/hpux32/librbac.so:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/lib/hpux64/librbac.so:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/lib/hpux32/librbac.so.1:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/sbin/authadm:
$Revision: @(#) authadm R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/sbin/cmdprivadm:
$Revision: @(#) cmdprivadm R11.31_BL2007_0522_2 PATC
H_11.31 PHCO_36479
/usr/bin/privrun:
$Revision: @(#) privrun R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/bin/privedit:
$Revision: @(#) privrun R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/sbin/rbacdbchk:
$Revision: @(#) rbacdbchk R11.31_BL2007_0522_2 PATCH
_11.31 PHCO_36479
/usr/sbin/roleadm:
$Revision: @(#) roleadm R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/lib/hpux64/librbac.so.1:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_PA,v=HP:
/usr/lib/librbac.sl:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/lib/pa20_64/librbac.sl:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/lib/librbac.1:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/sbin/authadm:
$Revision: 92453-07 linker linker crt0.o B.11.16.01
030415 $
$Revision: @(#) authadm R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/sbin/cmdprivadm:
$Revision: 92453-07 linker linker crt0.o B.11.16.01
030415 $
$Revision: @(#) cmdprivadm R11.31_BL2007_0522_2 PATC
H_11.31 PHCO_36479
/usr/bin/privrun:
$Revision: 92453-07 linker linker crt0.o B.11.16.01
030415 $
$Revision: @(#) privrun R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/bin/privedit:
$Revision: 92453-07 linker linker crt0.o B.11.16.01
030415 $
$Revision: @(#) privrun R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/sbin/rbacdbchk:
$Revision: 92453-07 linker linker crt0.o B.11.16.01
030415 $
$Revision: @(#) rbacdbchk R11.31_BL2007_0522_2 PATCH
_11.31 PHCO_36479
/usr/sbin/roleadm:
$Revision: 92453-07 linker linker crt0.o B.11.16.01
030415 $
$Revision: @(#) roleadm R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
/usr/lib/pa20_64/librbac.1:
$Revision: @(#) librbac R11.31_BL2007_0522_2 PATCH_1
1.31 PHCO_36479
cksum(1) Output:
RBAC.RBAC-CONF,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP:
3744646272 4666 /usr/newconfig/etc/rbac/auths
3073651703 18546 /usr/newconfig/etc/rbac/cmd_priv
RBAC.RBAC-ENG-A-MAN,fr=B.11.31,fa=HP-UX_B.11.31_IA/PA,v=HP:
2608717018 5436 /usr/share/man/man1m.Z/authadm.1m
1674427699 5284 /usr/share/man/man1m.Z/privedit.1m
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_IA,v=HP:
1861930250 269004 /usr/lib/hpux32/librbac.so
4118383461 275824 /usr/lib/hpux64/librbac.so
1861930250 269004 /usr/lib/hpux32/librbac.so.1
1239129407 76600 /usr/sbin/authadm
418641545 75884 /usr/sbin/cmdprivadm
1938663693 151072 /usr/bin/privrun
1938663693 151072 /usr/bin/privedit
3157841164 76896 /usr/sbin/rbacdbchk
406932292 76044 /usr/sbin/roleadm
4118383461 275824 /usr/lib/hpux64/librbac.so.1
RBAC.RBAC-RUN,fr=B.11.31,fa=HP-UX_B.11.31_PA,v=HP:
1869045895 106496 /usr/lib/librbac.sl
1597566854 117784 /usr/lib/pa20_64/librbac.sl
1869045895 106496 /usr/lib/librbac.1
3882203435 36864 /usr/sbin/authadm
1896419993 32768 /usr/sbin/cmdprivadm
3376443557 65536 /usr/bin/privrun
3376443557 65536 /usr/bin/privedit
306332536 40960 /usr/sbin/rbacdbchk
876928344 36864 /usr/sbin/roleadm
1597566854 117784 /usr/lib/pa20_64/librbac.1
Patch Conflicts: None
Patch Dependencies: None
Hardware Dependencies: None
Other Dependencies: None
Supersedes: None
Equivalent Patches: None
Patch Package Size: 530 KBytes
Installation Instructions:
Please review all instructions and the Hewlett-Packard
SupportLine User Guide or your Hewlett-Packard support terms
and conditions for precautions, scope of license,
restrictions, and limitation of liability and warranties,
before installing this patch.
------------------------------------------------------------
1. Back up your system before installing a patch.
2. Login as root.
3. Copy the patch to the /tmp directory.
4. Move to the /tmp directory and unshar the patch:
    cd /tmp
    sh PHCO_36479
5. Run swinstall to install the patch:
    swinstall -x autoreboot=true -x patch_match_target=true \
        -s /tmp/PHCO_36479.depot
By default swinstall will archive the original software in
/var/adm/sw/save/PHCO_36479. If you do not wish to retain a
copy of the original software, include the patch_save_files
option in the swinstall command above:
    -x patch_save_files=false
WARNING: If patch_save_files is false when a patch is installed,
the patch cannot be deinstalled. Please be careful
when using this feature.
For future reference, the contents of the PHCO_36479.text file are
available in the product readme:
    swlist -l product -a readme -d @ /tmp/PHCO_36479.depot
To put this patch on a magnetic tape and install from the
tape drive, use the command:
    dd if=/tmp/PHCO_36479.depot of=/dev/rmt/0m bs=2k
Special Installation Instructions: None
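Added example (not part of the HP patch text): a POSIX shell function
that checks installed files against the "cksum(1) Output" list above.
It assumes that list has been saved to a file as-is; the function name
verify_manifest and its optional ROOT prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: compare installed files with "cksum(1) Output" entries.
# verify_manifest MANIFEST [ROOT]
#   MANIFEST: lines of "<crc> <size> <absolute path>", as in the patch
#             text; fileset header lines and blank lines are skipped.
#   ROOT:     optional path prefix (hypothetical parameter), e.g. to
#             check a staging copy instead of the live file system.
# Prints one status line per file; returns 0 only if every file matches.
verify_manifest() {
    manifest=$1
    root=${2:-}
    rc=0
    while read -r want_crc want_size path rest; do
        case $want_crc in
            ''|*[!0-9]*) continue ;;   # header or blank, not a checksum line
        esac
        case $path in
            /*) ;;
            *) continue ;;             # no absolute path, skip
        esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # cksum on stdin prints "<crc> <size>", so no file name to parse.
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want_crc $want_size, got $1 $2)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}
```

cksum(1) is a CRC, so a match shows the files were installed intact; it
does not prove they have not been deliberately modified.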