Startup and Shutdown

A typical inittab might look similar to:

    ap::sysinit:/sbin/autopush -f /etc/iu.ap
    fs::sysinit:/sbin/rcS >/dev/console 2>&1
    /dev/console 2>&1
    s0:0:wait:/sbin/rc0 off >/dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    /dev/console 2>&1
    rb:6:wait:/sbin/uadmin >/dev/console 2>&1

Operating System Installation

Post Install Actions

TABLE 7.4 Post Install Actions
Procedure
    Purpose
    SunOS 4.X  SunOS 5.X

"unsecure"
    X

ifconfig le0 netmask + broadcast xxx.yyy.zzz.255
    reset the netmask and broadcast
    X

route add default xxx.yyy.zzz.1
    reset route
    X X

ftp wks.uts.ohio-state.edu
    under /pub/sunpatches, retrieve the patch files needed. Contact wks@wks.uts.ohio-state.edu for the current patch list for your version of the OS.
    X X

Install patches
    follow READMEs for the individual patches
    X X

echo "xxx.yyy.zzz.1" > /etc/defaultrouter
    create /etc/defaultrouter with the IP address of the default router
    X X

vi /etc/rc.local
mount /tmp
chmod 1777 /tmp
chmod g+s /tmp
ifconfig le0 broadcast `cat /etc/defaultrouter | sed -n "s/\.[0-9]*$/\.255/p"`
    edit /etc/rc.local to mount /tmp as tmpfs (on swap) and to set the proper permissions on the directory, and to set the proper broadcast
    X

128.146.0.0 255.255.255.0
    X

vi /etc/fstab
swap /tmp tmp rw 0
    add the line to mount /tmp on swap
    X

Generate a new kernel and reboot with it
    this is required for several of the OS patches
    X

vi /.cshrc /.login /.profile
    edit to taste and remove "." from path
    X

vipw
    protect all accounts, even sync; remove +: entry if not using NIS
    X X

Create necessary accounts
    we'll look at how to do this in a later Chapter
    X

vi /etc/group
    remove +: entry if not using NIS
    X X

Add tcsh and/or bash to /usr/bin
    much better than csh or sh for login (the sources can be obtained via anonymous ftp from tesla.ee.cornell.edu in /pub/tcsh and prep.ai.mit.edu in /pub/gnu for tcsh and bash, respectively)
    X X

cat << EOF > /etc/shells
/sbin/sh
/bin/sh
/bin/csh
/bin/ksh
/bin/bash
/bin/tcsh
EOF
    add entries for all login shells, e.g.:
    X X

chown root /home
    not caught by patch 100103
    X

rm -rf /var/spool/uucppublic
    writable by everyone, so remove if not used
    X

Install resolv+2.1.1 package
    for DNS, or use NIS, it includes:
/usr/lib/libresolv.a
    resolver library
/usr/lib/libc.so.1.9.1
    shared library
/usr/lib/libc.sa.1.9.1
    shared library
Now execute ldconfig to pick up the new libraries
    X

Then copy the new include files to /usr/include
    X

cat << EOF > /etc/resolv.conf
domain acs.ohio-state.edu
nameserver 128.146.1.7
nameserver 128.146.48.7
search acs.ohio-state.edu magnus.acs.ohio-state.edu cis.ohio-state.edu eng.ohio-state.edu
EOF
    for DNS, with the IP domain, up to nameservers, these are ns1.net and ns2.net, and a search path
    X X

cat << EOF > /etc/host.conf
order hosts,bind
trim magnus.acs.ohio-state.edu, acs.ohio-state.edu
nospoof on
alert on
EOF
    used by resolv+; set the host database order to search; trim the domains
    X

vi /etc/nsswitch.conf
hosts: files dns
    set name service switch lookups; set the host database order to search
    X

vi /etc/syslog.conf
define(LOGHOST,localhost)
    define LOGHOST (first line in file), or reference the files locally and remove the "ifdef(’LOGHOST’ " entries, as desired
-or-
vi /etc/hosts
www.xxx.yyy.zzz hostname loghost
    add the alias loghost to your hostname entry, not to the localhost entry
    X X

chmod o-w /etc/*
    remove general write permissions
    X X

Set up xntp, including change in /etc/services for udp service
    Network Time Protocol
    X X

Install any other desired packages, e.g. perl, language compilers, etc.
    make the system more usable
    X X

Backup the system
    so you can reproduce the current state after a catastrophe
    X X

7.5 Sun Patch List

Ohio State University members can usually find the necessary SunOS patches on the patch server, ftp://wks.uts.ohio-state.edu/pub/sunpatches/. If you don’t find what you need there, contact wks@wks.uts.ohio-state.edu. Others should contact Sun Microsystems, or their software vendor, for patches.

7.5.1 SunOS 4.1.3_U1 (Solaris 1.1.1)

100103-12  SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode
101434-03  SunOS 4.1.3_U1: lpr Jumbo Patch
101436-08  SunOS 4.1.3_U1: patch for mail executable
101440-01  SunOS 4.1.3_U1: security problem: methods to exploit login/su
101508-14  SunOS 4.1.3_U1: Sun4m kernel patch
101558-07  SunOS 4.1.3_U1: international libc jumbo patch
101579-01  SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1.1.1
101587-01  SunOS 4.1.3_U1: security patch for mfree and icmp redirect
101592-07  SunOS 4.1.3_U1: UFS File system Patch
101621-04  SunOS 4.1.3_U1: tty patch CTE zs driver gates reception on CD for hardware flow control
101625-02  SunOS 4.1.3_U1: ftp does not prompt for account information
101665-07  SunOS 4.1.3_U1: sendmail jumbo patch
101679-01  SunOS 4.1.3_U1: Breach of security using modload
101759-04  SunOS 4.1.3_U1: domestic (US only) libc jumbo patch
101784-04  SunOS 4.1.3_U1: rpc.lockd/rpc.statd jumbo patch
102060-01  SunOS 4.1.3_U1: Root access possible via passwd race condition
102177-04  SunOS 4.1.3_U1: NFS Jumbo Patch
100444-76  OpenWindows 3.0: OpenWindows V3.0 Server Patch 3000-124
100448-03  OpenWindows 3.0: loadmodule Patch
100452-72  OpenWindows 3.0: XView 3.0 Jumbo Patch
100478-01  OpenWindows 3.0: xlock crashes leaving system open
101435-02  SunOS 4.1.3_U1: ypserv and ypxfrd fix

7.5.2 SunOS 4.1.4 (Solaris 1.1.2)

100103-12  SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode
102264-02  SunOS 4.1.4: rpc.lockd patch for assertion failed panic
102394-02  SunOS 4.1.4: NFS Jumbo Patch
102414-01  SunOS 4.1.4: mail jumbo patch
102423-04  SunOS 4.1.4: Sendmail jumbo patch
102436-02  SunOS 4.1.4: Machine soft hangs and hangs on bootup (sun4m)
102544-04  SunOS 4.1.4: domestic (U.S only) libc jumbo patch
102545-04  SunOS 4.1.4: international libc jumbo patch
100444-76  OpenWindows 3.0: OpenWindows V3.0 Server Patch 3000-124
100448-03  OpenWindows 3.0: loadmodule Patch
100452-72  OpenWindows 3.0: XView 3.0 Jumbo Patch
100478-01  OpenWindows 3.0: xlock crashes leaving system open
102516-04  SunOS 4.1.4: UFS File system Patch

Some patches apply only to specific hardware, and 102544 and 102545 are mutually exclusive, as they apply to the domestic and international versions of the libraries, respectively.

7.5.3 SunOS 5.4 (Solaris 2.4)

101945-41  SunOS 5.4: kernel patch
101959-07  SunOS 5.4: lp jumbo patch
101973-16  SunOS 5.4: fixes for libnsl and ypbind
102042-05  SunOS 5.4: usr/bin/mail jumbo patch

This patch is on the Security list, but not the Recommended list, because it’s assumed to be too application dependent and not relevant to all sites.

Not actually on the Recommended list for this release, but you will want to check the changes this script makes to be sure that you have similar file permission settings on your system.

102044-01  SunOS 5.4: bug in mouse code makes "break root" attack possible
102066-09  SunOS 5.4: sendmail patch
102070-01  SunOS 5.4: Bugfix for rpcbind/portmapper
102165-03  SunOS 5.4: nss_dns.so.1 fixes
102216-07  SunOS 5.4: klmmod and rpcmod patch
102218-03  SunOS 5.4: libbsm fixes
102277-02  SunOS 5.4: nss_nisplus.so.1 fixes
102437-03  SunOS 5.4: /usr/ccs/bin/as has an internal error
102479-02  SunOS 5.4: DNS spoofing is possible per Cern ca-96.02
102656-01  SunOS 5.4: /dev/qec should protect against being opened directly
102664-01  SunOS 5.4: data fault in scanc() due to bad "cp" argument
102680-03  SunOS 5.4: fixes for ufsdump and wall
102693-03  SunOS 5.4: at and atrm fixes
102704-02  SunOS 5.4: jumbo patch for NIS commands
102711-01  SunOS 5.4: Creation of /tmp/ps_data is security problem
102741-01  SunOS 5.4: libm can hit SEGV in multi-threaded mode
102756-01  SunOS 5.4: expreserve still has security problem
102769-03  SunOS 5.4: statd fixes
102788-02  SunOS 5.4: Jumbo patch for sccs bug fixes
102922-03  SunOS 5.4: inetd fixes
102960-01  SunOS 5.4: vipw has security problem
103070-01  SunOS 5.4: tip will read and print any uucp owned file
103270-01  SunOS 5.4: nissetup default permissions not secure enough
101878-13  OpenWindows 3.4: Xview Patch
102292-02  OpenWindows 3.4: filemgr (ff.core) fixes
103290-02  SPARCstorage Array 2.0: SSA Jumbo patch for Solaris 2.4 11/94, HW395
102049-02  SunOS 5.4: linker fixes
102303-05  SunOS 5.4: POINT PATCH: linker fixes
102336-01  SunOS 5.4: POINT PATCH: 1091205 - Password aging & NIS+ don't work

7.5.4 SunOS 5.5 (Solaris 2.5)

102971-01  SunOS 5.5: vipw fix
102980-07  SunOS 5.5: sendmail patch
103093-03  SunOS 5.5: kernel patch
103169-06  SunOS 5.5: ip driver and ifconfig fixes
103241-01  SunOS 5.5: Undefined symbol in libc.so.1.9

This patch is on the Security list, but not the Recommended list, because it’s assumed to be too application dependent and not relevant to all sites.

UNIX System Administration, © 1998 University Technology Services, The Ohio State University
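Several of the Table 7.4 post-install actions can be verified afterwards without changing anything: leftover "+:" NIS entries, entries under /etc still writable by others, a /tmp without the sticky bit, a leftover uucppublic, and "." in the path. The script below is an added example, not part of the original course notes; the root-prefix argument, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of items from Table 7.4. ROOT is an assumed
# prefix ("" for the live system) so a copy of a filesystem can be checked.

# True if a PATH string contains "." or an empty component (both mean cwd).
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Print one "finding path" line per problem; nothing is modified.
audit_postinstall() {
    root=$1
    # "+:" NIS entries left in passwd/group (table: remove if not using NIS)
    for f in passwd group; do
        [ -f "$root/etc/$f" ] && grep -q '^+:' "$root/etc/$f" &&
            echo "nis-plus-entry $root/etc/$f"
    done
    # entries directly under /etc writable by others (table: chmod o-w /etc/*)
    find "$root"/etc/* -prune ! -type l -perm -002 -print 2>/dev/null |
        sed 's/^/other-writable /'
    # world-writable /tmp without the sticky bit (table: chmod 1777 /tmp)
    find "$root/tmp" -prune -perm -002 ! -perm -1000 -print 2>/dev/null |
        sed 's/^/tmp-not-sticky /'
    # uucppublic is writable by everyone (table: remove if not used)
    [ -d "$root/var/spool/uucppublic" ] &&
        echo "uucppublic-present $root/var/spool/uucppublic"
    return 0
}

# Constructed sample tree standing in for a freshly installed system.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/var/spool/uucppublic"
    printf 'root:x:0:0::/:/bin/sh\n+::0:0:::\n' > "$d/etc/passwd"
    printf 'wheel:*:0:root\n' > "$d/etc/group"
    echo '127.0.0.1 localhost' > "$d/etc/hosts"
    chmod 644 "$d/etc/passwd" "$d/etc/group"
    chmod 666 "$d/etc/hosts"
    chmod 0777 "$d/tmp"
    echo "$d"
}

sample=$(make_sample)
audit_postinstall "$sample"
path_has_dot "/usr/bin:.:/bin" && echo "dot-in-path (constructed PATH)"
rm -rf "$sample"
```

An empty result from `audit_postinstall` after the table's steps have been applied means none of these four conditions remain; `path_has_dot "$PATH"` is meant to be run from a root login shell.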