OBSOLETE Patch-ID# 104174-02

Keywords: CERT security license FLEXlm
Synopsis: OBSOLETED by 104829
Date: Feb/11/97

Solaris Release: 2.4 2.5

SunOS Release: 5.4 5.5

Unbundled Product: FLEXlm

Unbundled Release: 4.1c

Relevant Architectures: sparc

BugId's fixed with this patch: 1263755 4028378

Changes incorporated in this version: 4028378

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 104829 on May/13/97

Files included with this patch:

Files modified or new to the SUNWlicsw package including:

    /etc/init.d/lic_mgr
    /etc/opt/licenses/lic_srvr_start
    /etc/opt/licenses/adjust_flexlm_owner

Files modified or new to the SUNWlit package including:

    SUNWste/license_tools/config_template

Problem Description:

(Rev 2)
4028378 Fixes problem encountered when installing the patch on
        Solaris 2.4 systems. Only SUNWlicsw has been modified for Rev 2.

(Rev 1)
1263755 Prior to the patch, root was used to start and own the license
        daemon, lmgrd.ste, and the license managing software. This patch
        enables a valid non-privileged username to start the license
        server daemon, lmgrd.ste, and use the utilities of the license
        managing software. If root is used, there is a potential
        security risk that can be abused on UNIX systems. This has been
        pointed out in a CERT security advisory.

Patch Installation Instructions:
--------------------------------

Refer to the Install.info file for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
Any other special or non-generic installation instructions should be
described below as special instructions.

Special Install Instructions:
-----------------------------

If you have patch 104174-01 installed, you must manually remove it
before installing patch 104174-02.
To remove patch 104174-01, become root on the target machine and issue
the commands:

    # cd /var/sadm/patch
    # 104174-01/backoutpatch 104174-01

Version 4.2 of the SUNWlicsw package must first be installed on the
license server. To verify the version of SUNWlicsw on Solaris 2.x,
issue the pkginfo command. The following example is for a license
server which has had two different versions of the SUNWlicsw package
installed and no versions of the SUNWlicsw package removed.

    % pkginfo | grep SUNWlicsw
    application SUNWlicsw      FlexLM License System
    application SUNWlicsw.2    FlexLM License System

Invoke pkginfo again using the latest (highest package number)
installed version of SUNWlicsw and look at the value in the VERSION
field.

    % pkginfo -l SUNWlicsw.2
       PKGINST:  SUNWlicsw
          NAME:  FlexLM License System
      CATEGORY:  application
          ARCH:  sparc
       VERSION:  4.2
       ...

If you do not have version 4.2 of the SUNWlicsw package, it is
available from the Sun WorkShop CD labelled "Sun WorkShop for Solaris
2.x Volume 5,Number 1" or from the Sun WorkShop TryandBuy Web page at
http://www.sun.com/workshop/ .

When installpatch is run, it will look for the file,
/etc/opt/licenses/flexlm_owner. If this file is not found, installpatch
will fail. Error messages will be generated both on the display and in
the log indicating the pkgadd for SUNWlicsw failed because the file
could not be found. For installpatch to succeed, this file must be
present and contain a valid username.

To create the file, /etc/opt/licenses/flexlm_owner, use any editor and
create the file to contain a single valid non-privileged username that
will be used by root when starting the license daemon. There should
only be a single line in this file containing the username. Do not
include any leading or trailing blank spaces.

A valid non-privileged username is requested for use in starting the
license server daemon, lmgrd.ste. As in the past, root may still be
used but it is highly discouraged.
If root is used, there is a potential security risk that can be abused
on UNIX systems.

Once a valid username is entered, the group that the license manager
software belongs to will be updated with that of the group that
username belongs to. The permissions on these files will also be
updated to allow group read and execute privileges so that "username"
can use them. The license manager startup script, /etc/rc2.d/S85lmgrd,
will be modified to start the license daemon as "username" even though
S85lmgrd is still executed as root.

If you wish to limit access to the license manager daemon, you can set
up a non-privileged account specifically for this purpose. For example
the account "flexlm" can be created. If you want to use a username such
as "flexlm" that currently does not exist you must first create the
user before running installpatch because the username entered in the
file will be checked to ensure that it is a valid username on your
system.

After this patch has been correctly installed, there will be a new
script in /etc/opt/licenses called adjust_flexlm_owner. This script can
be run anytime by root to change the username used to start the
licensing daemon. The script provides online help.

NOTE: The script will run non-interactively if the file
      /etc/opt/licenses/flexlm_owner exists. To run the script
      interactively, first delete the flexlm_owner file.
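
A pre-flight check for the flexlm_owner requirements described above, given as an added example that is not part of this patch or of Sun's scripts. The function name and return codes are hypothetical, accounts are assumed to be in a passwd-format file (optional second argument, default /etc/passwd), and uid 0 is reported as a failure although the README only discourages it.

```sh
#!/bin/sh
# Added example (not part of patch 104174-02): check the flexlm_owner
# file before running installpatch.
# Usage: check_flexlm_owner OWNER_FILE [PASSWD_FILE]
# Assumption: accounts are looked up in a passwd-format file (default
# /etc/passwd); NIS and other name services are not consulted.
# Returns: 0 ok, 1 file missing, 2 not exactly one line,
#          3 empty or contains blanks, 4 unknown user, 5 uid 0
check_flexlm_owner() {
    owner_file=$1
    passwd_file=${2:-/etc/passwd}

    if [ ! -f "$owner_file" ]; then
        echo "$owner_file: not found" >&2
        return 1
    fi

    # awk counts a final line even when its trailing newline is missing.
    lines=$(awk 'END { print NR }' "$owner_file")
    if [ "$lines" -ne 1 ]; then
        echo "$owner_file: expected 1 line, found $lines" >&2
        return 2
    fi

    name=$(cat "$owner_file")
    # Any blank, tab or carriage return makes the entry invalid.
    if [ -z "$name" ] || grep '[[:space:]]' "$owner_file" >/dev/null; then
        echo "$owner_file: empty or contains whitespace" >&2
        return 3
    fi

    # Field 1 of a passwd entry is the login name, field 3 the numeric uid.
    uid=$(FLEXLM_NAME=$name awk -F: \
        '$1 == ENVIRON["FLEXLM_NAME"] { print $3; exit }' "$passwd_file")
    if [ -z "$uid" ]; then
        echo "$name: no such user in $passwd_file" >&2
        return 4
    fi
    if [ "$uid" -eq 0 ]; then
        echo "$name: uid 0, lmgrd.ste would still run privileged" >&2
        return 5
    fi
    echo "$name"
}

# Run against the files named on the command line, if any.
if [ $# -gt 0 ]; then
    check_flexlm_owner "$@"
fi
```

Saved under a name of your choice, it is run as root or any user with read access, with /etc/opt/licenses/flexlm_owner as the first argument.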