Patch Name: PHCO_26826

Patch Description: s700_800 10.26 login(1) cumulative patch

Creation Date: 02/04/26

Post Date: 02/04/29

Hardware Platforms - OS Releases:
    s700: 10.26
    s800: 10.26

Products: N/A

Filesets:
    BLS.BLS-CORE

Automatic Reboot?: No

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_26826

Symptoms:
    PHCO_26826:
    Privilege behavior introduced by the previous patch causes
    inconvenience to the user

    PHCO_24454:
    1. Partial port of 10.20 patch PHCO_24267
    2. Telnet/rlogin commands do not honor max_privs specified
       in the Remote host database (M6RHDB)

    (PHCO_24267:)
    ( SR:8606189604 CR:JAGad58818 )
    Login allows certain shell users excessive freedom.

    PHCO_20372:
    Login fails with the error:
        Can not create temporary node
        Cannot set host sensitivity level.

    PHCO_17719:
    Unsuccessful login attempts are not recorded, so lastb(1)
    returns inaccurate information.

Defect Description:
    PHCO_26826:
    Privilege behavior introduced by the previous patch,
    PHCO_24454, causes inconvenience to the user

    Resolution:
    Login will set the base privileges of the remote session
    based on user authentication profile only.

    PHCO_24454:
    1. Partial port of 10.20 patch PHCO_24267
    2. Login is not setting the base privileges of the remote
       users based on the remote host database and user
       authentication profile

    Resolution:
    Login has been modified to set the base privileges of the
    remote users as the intersection of max_privs for client in
    M6RHDB and base privileges specified for user in
    authentication profile

    (PHCO_24267:)
    ( SR:8606189604 CR:JAGad58818 )
    Login should be more stringent in which environment
    variables it allows restricted shell users to set.

    Resolution:
    Login now only allows the DISPLAY and TERM variables to be
    set by restricted shell users unless configured otherwise
    in the security configuration file.

    To change the behavior of this patch, the
    /etc/default/security file must be created if it does not
    already exist. This file should be world readable and root
    writeable. To this file, add one of the following three
    entries:

    The new default behavior corresponds to a setting of:
        RSH_SECURITY=2

    It is possible to ease the restrictions and allow the
    setting of any environment variables which are not known
    to be potentially risky. This is done by specifying:
        RSH_SECURITY=1

    Finally, for compatibility reasons, it is possible to
    revert to the old, excessively permissive behavior by
    specifying:
        RSH_SECURITY=0

    PHCO_20372:
    During login, a temporary node is created. If, for some
    reason, a file already exists with this name, login will
    generate the above error and exit.

    PHCO_17719:
    login(1) does not write to /var/adm/btmp when an
    unsuccessful login occurs.

    Resolution:
    Merge the latest HP-UX 10.20 login source, which has had
    this problem resolved.

SR:
    8606189604

Patch Files:
    /tcb/lib/login

what(1) Output:
    /tcb/lib/login:
        2002/04/19 Hewlett-Packard HP-UX 10.26 TOS [ ic5go - DAV17 ]
        $Revision: 78.6.1.8 $
        01/08/21 cmd/login.c, hpux, hpux_10.26, ic5go Revision 1.8 PATCH_10.26 (PHCO_24454)
        02/04/09 cmd/login_sec.c, hpux, hpux_10.26, ic5go Revision 1.16 PATCH_10.26 (PHCO_26826)

cksum(1) Output:
    82324370 65536 /tcb/lib/login

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_17719 PHCO_20372 PHCO_24454

Equivalent Patches: None

Patch Package Size: 120 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_26826

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHCO_26826.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHCO_26826. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHCO_26826.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_26826.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
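
Added example (not part of the HP patch text, and not HP code): a POSIX shell audit of the RSH_SECURITY setting in /etc/default/security described in the resolution above. The function names are hypothetical. It assumes plain NAME=value lines, that the last RSH_SECURITY entry wins, and that "world readable and root writeable" means a root-owned file with 0644-style permissions.

```shell
#!/bin/sh
# Added example (not HP code): audit the RSH_SECURITY setting for PHCO_26826.
# Assumptions: NAME=value lines, the last RSH_SECURITY entry wins, and
# "world readable and root writeable" is read as root-owned, 0644-style.

rsh_security_level() {
    # Print the effective level for file $1. A missing file or a
    # missing entry means the patch default, 2.
    [ -f "$1" ] || { echo 2; return 0; }
    line=$(grep '^RSH_SECURITY=' "$1" | tail -1)
    [ -n "$line" ] || { echo 2; return 0; }
    val=${line#RSH_SECURITY=}
    case $val in
        0|1|2) echo "$val" ;;
        *) echo "invalid RSH_SECURITY value: $val" >&2; return 1 ;;
    esac
}

security_file_mode_ok() {
    # Succeed when $1 is owner read/write, group and world readable,
    # and not writable by group or other.
    perms=$(ls -ld "$1" | awk '{print $1}')
    case $perms in
        -rw?r-?r-?*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_security_file() {
    # Report on file $1; return non-zero when there is a finding.
    rc=0
    if [ -f "$1" ]; then
        owner=$(ls -ld "$1" | awk '{print $3}')
        [ "$owner" = root ] || { echo "WARN: $1 owned by $owner, not root"; rc=1; }
        security_file_mode_ok "$1" || { echo "WARN: $1 mode is not 0644-style"; rc=1; }
    fi
    level=$(rsh_security_level "$1") || return 1
    case $level in
        2) echo "OK: RSH_SECURITY=2 (only DISPLAY and TERM may be set)" ;;
        1) echo "NOTE: RSH_SECURITY=1 (restrictions eased)" ;;
        0) echo "WARN: RSH_SECURITY=0 (old permissive behavior)"; rc=1 ;;
    esac
    return $rc
}

# Run the audit when a path is given, e.g.: sh audit.sh /etc/default/security
if [ $# -gt 0 ]; then audit_security_file "$1"; fi
```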