CERT Advisory CA-2002-25 & Sun Alert 46122

Post by Mark Sitkowsk » Sun, 11 Aug 2002 15:26:56





> > /sbin/rcS: rpc.cmsd not responding. Check inetd is running or that entry in inetd.conf is correct.

> Which OS release are you running?  If you are running Solaris 2.5.1 or
> earlier, then you need to install a Sun patch (e.g., 104976-08 for
> Solaris 2.5.1) to close an rpc.cmsd vulnerability.  This was reported
> long ago in CERT Advisory CA-1999-08.  The exploit has also been known
> for some time, e.g. see
> <http://www.health.ufl.edu/mail-archives/unix-sec/1999/07/msg00005.html>.

We run Solaris 2.8, 2.9 and 2.7. That particular machine runs 2.7.
I've tried to retrofit some missing security patches, but neither patchadd
nor pkgadd work any more. I get messages like:
107709-20/SUNWsasnm/install/checkinstall: cannot open
pkgadd: ERROR: checkinstall script did not complete successfully

and:

/usr/sbin/patchadd[49]: /var/sadm/patch/106934-04/log: cannot create
One or more patch packages included in
106934-04 are not installed on this system.

> > I've also commented out anything we don't actively use, but even ftp
> > and telnet are a risk.

> You let people telnet in?  Wow.  No wonder you're having troubles.

We need telnet and ftp for internal machine-to-machine connections. What
else can I do?

--
Best regards,
Mark
 --------------------------------------------------------------------
 Mark Sitkowski C.Eng M.I.E.E
 Design Simulation Systems Ltd  ABN: 55-057-527-401
 14 Loddon Street
 Box Hill North, Victoria 3129
 --------------------------------------------------------------------
 Phone: (613-9) 897-1375

 Mobile:     0413-890-777
 Web http://www.angelfire.com/de/designsim
     http://designsim.freeyellow.com
 --------------------------------------------------------------------

 
 
 

Post by Paul Egger » Sun, 11 Aug 2002 20:29:41



> We run Solaris 2.8, 2.9 and 2.7. That particular machine runs 2.7.
> I've tried to retrofit some missing security patches, but neither patchadd
> nor pkgadd work any more. I get messages like:
> 107709-20/SUNWsasnm/install/checkinstall: cannot open
> pkgadd: ERROR: checkinstall script did not complete successfully

If you can't install the security patches, there's something seriously
wrong with the machine, or with your configuration.  I wouldn't use
a machine like that; it'd be asking for trouble.

> > You let people telnet in?  Wow.  No wonder you're having troubles.

> We need telnet and ftp for internal machine-to-machine connections. What
> else can I do?

If it's a trusted network, you can protect telnet and ftp a bit, by
allowing access only from trusted machines.  This can be done by
several mechanisms, e.g. tcpd(8) (/usr/sfw/sbin/tcpd in Solaris 9,
/opt/sfw/bin/tcpd in Solaris 8, and easily installable from source on
Solaris 7).

If the internal network is not trusted, you can use IPsec or OpenSSH
and use telnet and FTP atop that.

At this point your barn door is open and the horses are in the
pasture.  You should reinstall the OS from scratch and then readd your
applications from trusted sources.  Sorry.

Also, if your internal network and other machines were administered
like this one was, you could well be in deep yogurt.  Quite possibly
your internal network has been penetrated.

 
 
 

Post by Jimbo Halt » Sun, 11 Aug 2002 21:36:18


> We need telnet and ftp for internal machine-to-machine connections. What
> else can I do?

Have your systems administrator replace the lot with ssh.

-jim

 
 
 

Post by Mark Sitkowsk » Mon, 12 Aug 2002 22:11:26



> > We need telnet and ftp for internal machine-to-machine connections. What
> > else can I do?

> Have your systems administrator replace the lot with ssh.

> -jim

Since the security hole is in Sun's libnsl.so, which is compiled into almost
every network application, how will this help? I don't know if I even trust a
firewall. This thing's got me spooked...

--
Best regards,
Mark
 --------------------------------------------------------------------
 Mark Sitkowski C.Eng M.I.E.E
 Design Simulation Systems Ltd  ABN: 55-057-527-401
 14 Loddon Street
 Box Hill North, Victoria 3129
 --------------------------------------------------------------------
 Phone: (613-9) 897-1375

 Mobile:     0413-890-777
 Web http://www.angelfire.com/de/designsim
     http://designsim.freeyellow.com
 --------------------------------------------------------------------

 
 
 

Post by ger.. » Mon, 12 Aug 2002 23:51:33





>> > We need telnet and ftp for internal machine-to-machine connections. What
>> > else can I do?

>> Have your systems administrator replace the lot with ssh.

>> -jim

> Since the security hole is in Sun's libnsl.so, which is compiled into almost
> every network application, how will this help? I don't know if I even trust a
> firewall. This thing's got me spooked...

.so's are runtime linked - not compiled in.
 
 
 

Post by Volker Borcher » Tue, 13 Aug 2002 19:29:02



>> neither patchadd nor pkgadd work any more. I get messages like:
>> 107709-20/SUNWsasnm/install/checkinstall: cannot open
>> pkgadd: ERROR: checkinstall script did not complete successfully

> If you can't install the security patches, there's something seriously
> wrong with the machine, or with your configuration.  I wouldn't use
> a machine like that; it'd be asking for trouble.

Well I've run into a similar problem. Turned out that some parts
of the patch installation (running checkinstall might be one of
them, I do not remember exactly) are done as user nobody. So if
root unpacks patches in a directory with closed down permissions,
patch installation will fail with nondescriptive error messages.

Check directory permissions and/or truss -t open,access,stat -f
the patchadd command to see exactly where it fails.

--
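
The directory-permission check suggested in the post above, as an added example that is not part of the original thread: it walks from the unpacked patch directory up to the root and lists every directory that a non-owner account such as nobody could not enter. It assumes nobody is neither owner nor group member of those directories and ignores ACLs; the function names and the example path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the patch scripts run as
# "nobody", who is neither owner nor group member of these directories, so
# only the "other" permission bits decide access. ACLs are not considered.
# Usage: nobody_blockers /var/tmp/patches/106934-04   (hypothetical path)

# Print the three "other" permission characters of PATH, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# nobody_blockers DIR [TOP]
# Walk from DIR up to TOP (absolute path, default /) and print each directory
# that "other" cannot use: DIR itself needs read+search, ancestors need search.
# Returns 0 if nothing blocks, 1 if something does, 2 if DIR is unusable.
nobody_blockers() {
    dir=$(cd "$1" >/dev/null 2>&1 && pwd) || return 2
    top=${2:-/}
    rc=0
    first=1
    while :; do
        case $first$(other_bits "$dir") in
            1r?[xt] | 0??[xt]) ;;          # "t" is sticky bit plus search
            *) echo "$dir"; rc=1 ;;
        esac
        first=0
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Any directory it prints is a candidate for the "cannot open" failures quoted earlier; the truss run mentioned in the post then confirms which open or stat call actually fails.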