default permission in /var/sadm/patch - SUN


  1. default permission in /var/sadm/patch

    Hi all,

    does anybody know what the reason is that all directories
    in /var/sadm/patch have the permission 0754? Like this
    it is impossible to grep for the Synopsis of the patches
    in the README files as a normal user. Like this you can
    only look at the patchids, which give a user who wants
    to hack a system enough information about missing
    patches that might offer opportunities to attack.

    So what is the point of not setting the default permission
    to either 0750 (including the directory /var/sadm/patch)
    or to 0755 and give users the opportunity to read the
    README files of the installed patches?

    TIA,
    Tom
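
Added example, not part of the original posts: the mode arithmetic behind the question above. On a directory the read bit lets a user list entry names and the execute (search) bit lets them reach the files inside, so 0754 gives everyone else the patch IDs but not the READMEs. The sample tree and its README.<patchid> file names are constructed stand-ins for /var/sadm/patch.

```shell
#!/bin/sh
# Added example (not from the thread). The sample tree below is constructed.

# other_access MODE: what a user who is neither owner nor group member
# can do with a directory of that octal mode.
other_access() {
    o=${1#"${1%?}"}                 # last octal digit = bits for "other"
    r=$(( o & 4 )); x=$(( o & 1 ))
    if   [ "$r" -ne 0 ] && [ "$x" -ne 0 ]; then echo "list names, read files"
    elif [ "$r" -ne 0 ]; then echo "list names only"
    elif [ "$x" -ne 0 ]; then echo "open known names only"
    else echo "nothing"
    fi
}

# list_only_dirs DIR: directories under DIR with other=r but not x,
# i.e. entry names are visible while the contents stay unreachable.
list_only_dirs() {
    find "$1" -type d -perm -004 ! -perm -001 -print | sort
}

# make_sample_tree: constructed stand-in for /var/sadm/patch with one
# directory per mode discussed in the thread; prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for spec in 111711-14:0754 112233-12:0755 112617-02:0750; do
        d=$t/${spec%%:*}
        mkdir "$d" && : > "$d/README.${spec%%:*}" && chmod "${spec##*:}" "$d"
    done
    echo "$t"
}

for m in 0754 0750 0755; do
    echo "$m: others can $(other_access "$m")"
done
tree=$(make_sample_tree)
echo "list-only directories:"
list_only_dirs "$tree"
rm -rf "$tree"
```

Pointing list_only_dirs at a real patch directory reports every entry that exposes its name without its contents; "read files" still depends on the mode of each file.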

  2. Re: default permission in /var/sadm/patch

    In comp.sys.sun.admin Thomas Maier-Komor wrote:
    > So what is the point of not setting the default permission
    > to either 0750 (including the directory /var/sadm/patch)
    > or to 0755 and give users the opportunity to read the
    > README files of the installed patches?


    I guess it's one of the things that were implemented long ago, and
    never have been re-thought. I see no technical reason either why the
    READMEs shouldn't be accessible to anybody.

    On the other hand, I don't really care. pca runs as a regular user,
    and (using patchdiag.xref), shows much more information about installed
    patches than showrev -p or grepping through the READMEs ever would
    reveal:

    % pca -i
    Patch  IR   CR RS Age Synopsis
    ------ -- - -- -- --- --------------------------------------------------------
    111711 14 = 14 R   56 SunOS 5.9: 32-bit Shared library patch for C++
    111712 14 = 14 R   56 SunOS 5.9: 64-Bit Shared library patch for C++
    111722 04 = 04    956 SunOS 5.9: Math Library (libm) patch
    112233 12 = 12 RS 607 SunOS 5.9: Kernel Patch
    112617 02 = 02 RS 999 CDE 1.5: rpc.cmsd patch
    112622 18 < 19    112 SunOS 5.9: M64 Graphics Patch
    ...

    It should be noted that /var/sadm/patch won't contain all patch READMEs
    anyway if patches have been pre-integrated by Sun, as is the case for
    all update (non-FCS) releases of Solaris.

    mp.
    --
    Systems Administrator | Institute of Scientific Computing | Univ. of Vienna

  3. Re: default permission in /var/sadm/patch

    Martin Paul wrote:
    > In comp.sys.sun.admin Thomas Maier-Komor wrote:
    >
    >>So what is the point of not setting the default permission
    >>to either 0750 (including the directory /var/sadm/patch)
    >>or to 0755 and give users the opportunity to read the
    >>README files of the installed patches?

    >
    >
    > I guess it's one of the things that were implemented long ago, and
    > never have been re-thought. I see no technical reason either why the
    > READMEs shouldn't be accessible to anybody.
    >
    > On the other hand, I don't really care. pca runs as a regular user,
    > and (using patchdiag.xref), shows much more information about installed
    > patches than showrev -p or grepping through the READMEs ever would
    > reveal:
    >
    > % pca -i
    > Patch  IR   CR RS Age Synopsis
    > ------ -- - -- -- --- --------------------------------------------------------
    > 111711 14 = 14 R   56 SunOS 5.9: 32-bit Shared library patch for C++
    > 111712 14 = 14 R   56 SunOS 5.9: 64-Bit Shared library patch for C++
    > 111722 04 = 04    956 SunOS 5.9: Math Library (libm) patch
    > 112233 12 = 12 RS 607 SunOS 5.9: Kernel Patch
    > 112617 02 = 02 RS 999 CDE 1.5: rpc.cmsd patch
    > 112622 18 < 19    112 SunOS 5.9: M64 Graphics Patch
    > ...
    >
    > It should be noted that /var/sadm/patch won't contain all patch READMEs
    > anyway if patches have been pre-integrated by Sun, as is the case for
    > all update (non-FCS) releases of Solaris.
    >
    > mp.


    Thanks Martin for the hint. I gave it a try and it really shows
    everything one needs to know.

    But I am wondering why do I get lines like this:
    116302 02 > -- 999 NOT FOUND IN CROSS REFERENCE FILE!

    It occurs on a standard Solaris 10 system. What is the
    reason that it shows many more patches that need to be updated
    than updatemanager? Are updatemanager and smpatch broken
    or is it telling me about updates which really should not
    be installed?

    Tom

  4. Re: default permission in /var/sadm/patch

    In comp.sys.sun.admin Thomas Maier-Komor wrote:
    > Thanks Martin for the hint. I gave it a try and it really shows
    > everything one needs to know.
    >
    > But I am wondering why do I get lines like this:
    > 116302 02 > -- 999 NOT FOUND IN CROSS REFERENCE FILE!
    >
    > It occurs on a standard Solaris 10 system.


    This happens when a patch is installed which is not listed in Sun's
    patch database (patchdiag.xref). This patch can't be found via the
    patchfinder on sunsolve.com either. It's an error on Sun's side.
    At the end it's more of a cosmetic issue.

    116302-02 is for SUNWxrpcrt (JAX-RPC Runtime, part of the Sun One
    Application Server), BTW. You will notice that this patch isn't
    listed in /var/sadm/patch either.

    Other pre-integrated patches in Solaris 10 3/05 are 113886/113887
    for OpenGL, and 116298-08 for Java API for XML Parsing.

    > What is the
    > reason that it shows many more patches that need to be updated
    > than updatemanager? Are updatemanager and smpatch broken
    > or is it telling me about updates which really should not
    > be installed?


    Judging from the problems people had with updatemanager, "broken"
    might be a word that could well be used.

    Fact is that there is no clearly documented definition for which patches
    updatemanager will show as uninstalled. As far as pca is concerned,
    by default it will show all patches which are marked either "Recommended"
    or "Security" by Sun, and all patches they depend on. The installation
    of all R/S patches is what Sun usually recommended, and what was promoted
    with the "Recommended Patch Cluster".

    When run as "pca -u" it will show *all* patches that can be applied to an
    OS installation.

    mp.
    --
    Systems Administrator | Institute of Scientific Computing | Univ. of Vienna
