default permission in /var/sadm/patch

Post by Thomas Maier-Komo » Fri, 16 Dec 2005 20:27:16



Hi all,

does anybody know what the reason is that all directories
in /var/sadm/patch have the permission 0754. Like this
it is impossible to grep for the Synopsis of the patches
in the README files as a normal user. Like this you can
only look at the patchids, which give a user who wants
to hack a system enough information about missing
patches that might offer opportunities to attack.

So what is the point not setting the default permission
to either 0750 (including the directory /var/sadm/patch)
or to 0755 and give users the opportunity to read the
README files of the installed patches?

TIA,
Tom
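
What mode 0754 on a directory gives users outside the owner and group, as an added example that is not part of the original posts: read without execute lets them list the entry names (the patch IDs) but not open the README files inside. The function names and the temporary sample tree are assumptions made for illustration; only the mode string from `ls -ld` is inspected.

```shell
#!/bin/sh
# Added example: classify what "other" users can do with each patch directory.

# classify_other MODESTRING -> full | names-only | traverse-only | none
classify_other() {
    # Characters 8-10 of e.g. "drwxr-xr--" are the permission bits for "other".
    other=$(printf '%s' "$1" | cut -c8-10)
    case "$other" in
        r?[xt]) echo "full" ;;          # can list entries and open files inside
        r??)    echo "names-only" ;;    # can list names (patch IDs), cannot open READMEs
        ??[xt]) echo "traverse-only" ;; # can open known paths, cannot list names
        *)      echo "none" ;;          # directory is opaque to other users
    esac
}

# audit_patch_dirs DIR -> one line per subdirectory: "<name> <modestring> <class>"
audit_patch_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue         # unmatched glob or non-directory
        d=${d%/}
        [ -L "$d" ] && continue         # skip symlinks, their mode is meaningless
        mode=$(ls -ld "$d" | awk '{print $1}')
        printf '%s %s %s\n' "${d##*/}" "$mode" "$(classify_other "$mode")"
    done
}

# Constructed sample tree: directory names reuse patch IDs quoted in the thread,
# the modes are chosen to show the three cases discussed (0754, 0755, 0750).
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/111711-14" "$t/112233-12" "$t/112617-02"
    chmod 754 "$t/111711-14"
    chmod 755 "$t/112233-12"
    chmod 750 "$t/112617-02"
    echo "$t"
}

t=$(demo_tree) && audit_patch_dirs "$t" && rm -rf "$t"
```

On a real system the call would be `audit_patch_dirs /var/sadm/patch`.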

 
 
 

Post by Martin Pau » Tue, 20 Dec 2005 18:48:01



> So what is the point not setting the default permission
> to either 0750 (including the directory /var/sadm/patch)
> or to 0755 and give users the opportunity to read the
> README files of the installed patches?

I guess it's one of the things that were implemented long ago, and
never have been re-thought. I see no technical reason either why the
READMEs shouldn't be accessible to anybody.

On the other hand, I don't really care. pca runs as a regular user,
and (using patchdiag.xref), shows much more information about installed
patches than showrev -p or grepping through the READMEs ever would
reveal:

  % pca -i
  Patch  IR   CR RS Age Synopsis
  ------ -- - -- -- --- --------------------------------------------------------
  111711 14 = 14 R   56 SunOS 5.9: 32-bit Shared library patch for C++
  111712 14 = 14 R   56 SunOS 5.9: 64-Bit Shared library patch for C++
  111722 04 = 04    956 SunOS 5.9: Math Library (libm) patch
  112233 12 = 12 RS 607 SunOS 5.9: Kernel Patch
  112617 02 = 02 RS 999 CDE 1.5: rpc.cmsd patch
  112622 18 < 19    112 SunOS 5.9: M64 Graphics Patch
  ...

It should be noted that /var/sadm/patch won't contain all patch READMEs
anyway if patches have been pre-integrated by Sun, as it is the case for
all update (non-FCS) releases of Solaris.

mp.
--
Systems Administrator | Institute of Scientific Computing | Univ. of Vienna

 
 
 

Post by Thomas Maier-Komo » Thu, 22 Dec 2005 18:06:21




>>So what is the point not setting the default permission
>>to either 0750 (including the directory /var/sadm/patch)
>>or to 0755 and give users the opportunity to read the
>>README files of the installed patches?

> I guess it's one of the things that were implemented long ago, and
> never have been re-thought. I see no technical reason either why the
> READMEs shouldn't be accessible to anybody.

> On the other hand, I don't really care. pca runs as a regular user,
> and (using patchdiag.xref), shows much more information about installed
> patches than showrev -p or grepping through the READMEs ever would
> reveal:

>   % pca -i
>   Patch  IR   CR RS Age Synopsis
>   ------ -- - -- -- --- --------------------------------------------------------
>   111711 14 = 14 R   56 SunOS 5.9: 32-bit Shared library patch for C++
>   111712 14 = 14 R   56 SunOS 5.9: 64-Bit Shared library patch for C++
>   111722 04 = 04    956 SunOS 5.9: Math Library (libm) patch
>   112233 12 = 12 RS 607 SunOS 5.9: Kernel Patch
>   112617 02 = 02 RS 999 CDE 1.5: rpc.cmsd patch
>   112622 18 < 19    112 SunOS 5.9: M64 Graphics Patch
>   ...

> It should be noted that /var/sadm/patch won't contain all patch READMEs
> anyway if patches have been pre-integrated by Sun, as it is the case for
> all update (non-FCS) releases of Solaris.

> mp.

Thanks Martin for the hint. I gave it a try and it really shows
everything one needs to know.

But I am wondering why do I get lines like this:
116302 02 > --    999 NOT FOUND IN CROSS REFERENCE FILE!

It occurs on a standard Solaris 10 system. What is the
reason that it shows much more patches that need to be updated
than updatemanager. Are updatemanager and smpatch broken
or is it telling me about updates which really should not
be installed?

Tom

 
 
 

Post by Martin Pau » Thu, 22 Dec 2005 19:41:39



> Thanks Martin for the hint. I gave it a try and it really shows
> everything one needs to know.

> But I am wondering why do I get lines like this:
> 116302 02 > --    999 NOT FOUND IN CROSS REFERENCE FILE!

> It occurs on a standard Solaris 10 system.

This happens when a patch is installed which is not listed in Sun's
patch database (patchdiag.xref). This patch can't be found via the
patchfinder on sunsolve.com either. It's an error on Sun's side.
At the end it's more of a cosmetic issue.

116302-02 is for SUNWxrpcrt (JAX-RPC Runtime, part of the Sun One
Application Server), BTW. You will notice that this patch isn't
listed in /var/sadm/patch either.

Other pre-integrated patches in Solaris 10 3/05 are 113886/113887
for OpenGL, and 116298-08 for Java API for XML Parsing.

> What is the
> reason that it shows much more patches that need to be updated
> than updatemanager. Are updatemanager and smpatch broken
> or is it telling me about updates which really should not
> be installed?

Judging from the problems people had with updatemanager, "broken"
might be a word that could well be used.

Fact is that there is no clearly documented definition for which patches
updatemanager will show as uninstalled. As far as pca is concerned,
by default it will show all patches which are marked either "Recommended"
or "Security" by Sun, and all patches they depend on. The installation
of all R/S patches is what Sun usually recommended, and what was promoted
with the "Recommended Patch Cluster".

When run as "pca -u" it will show *all* patches that can be applied to an
OS installation.

mp.
--
Systems Administrator | Institute of Scientific Computing | Univ. of Vienna
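
A filter for the `pca -i` listing discussed in this thread, as an added example that is not part of the original posts and not pca's own code: it keeps only the rows where the installed revision is behind the current one (`<`) and the rows pca could not find in patchdiag.xref. The column layout is inferred from the output quoted above, the status labels and function names are assumptions, and the last sample row is constructed to exercise the R/S flag column.

```shell
#!/bin/sh
# Added example: reduce `pca -i` style output to the rows that need attention.

# flag_pca_rows: reads the listing on stdin, prints "<patch>-<rev> <status> <flags>"
flag_pca_rows() {
    awk '
    # Skip the header, the ruler and the "..." line: only 6-digit patch IDs pass.
    $1 !~ /^[0-9][0-9][0-9][0-9][0-9][0-9]$/ { next }
    {
        # The RS column may be blank, so field 5 is either the flags or the age.
        if ($5 ~ /^[0-9]+$/) { flags = "-"; first = 6 }
        else                 { flags = $5;  first = 7 }
        syn = ""
        for (i = first; i <= NF; i++) syn = syn (i > first ? " " : "") $i

        if (syn ~ /^NOT FOUND IN CROSS REFERENCE FILE/) status = "UNLISTED"
        else if ($3 == "<" && flags ~ /S/)              status = "OUTDATED-SECURITY"
        else if ($3 == "<")                             status = "OUTDATED"
        else next                                       # up to date, nothing to report
        printf "%s-%s %s %s\n", $1, $2, status, flags
    }'
}

# Sample input: rows copied from the thread, plus one constructed row (999999).
sample_pca_output() {
    cat <<'EOF'
Patch  IR   CR RS Age Synopsis
------ -- - -- -- --- --------------------------------------------------------
111722 04 = 04    956 SunOS 5.9: Math Library (libm) patch
112233 12 = 12 RS 607 SunOS 5.9: Kernel Patch
112622 18 < 19    112 SunOS 5.9: M64 Graphics Patch
116302 02 > --    999 NOT FOUND IN CROSS REFERENCE FILE!
999999 01 < 02 RS  10 CONSTRUCTED ROW: not a real patch
EOF
}

sample_pca_output | flag_pca_rows
```

On a live system the input would come from `pca -i | flag_pca_rows`.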