SUlog is advising that users are accessing when they are not

Managed Services
Frequent Advisor

I appear to be getting corruptions within the users database in that the /usr/adm/sulog file is reporting that users have successfully attempted to login as root, even though these users do not have any such access. When I had this problem some time ago, I cleared the user database files down and the problem did not occur. It has since returned. Could anyone advise why this incorrect information is occurring? Many thanks
3 REPLIES
Jeff Schussele
Honored Contributor

Re: SUlog is advising that users are accessing when they are not

Hi,

We had the same problem & it was due to telnetd corrupting the utmpx file. You will most likely need PHNE_24829. Here's the description doc on it:

===========================================================================================================================
Patch Name: PHNE_24829

Patch Description: s700_800 11.11 telnet kernel, telnetd(1M), telnet(1) patch

Creation Date: 02/09/26

Post Date: 02/11/28

Hardware Platforms - OS Releases:
s700: 11.11
s800: 11.11

Products: N/A

Filesets:
Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP
Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP
InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical:
Yes
PHNE_24829: MEMORY_LEAK
PHNE_24131: MEMORY_LEAK
Memory leak in telnetd

Category Tags:
defect_repair enhancement general_release critical
memory_leak manual_dependencies

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_24829

Symptoms:
PHNE_24829:
SR 8606212875 / CR JAGad82062
1. Buffer handling in telnetd needs to be enhanced.

SR 8606212874 / CR JAGad82061
2. Telnetd has a service issue.

SR 8606220839 / CR JAGad89975
3. Incorrect records might be written into /etc/utmpx
by telnetd when it exits.

SR 8606230839 / CR JAGae00077
4. Credential forwarding to telnetd fails in DCE
environment.

SR 8606238651 / CR JAGae07675
5. If telnet is invoked with the "-f" or "-F" option or
using the TACACS mechanism, the TERM environment variable
may not be set.

SR 8606232804 / CR JAGae02032
6. Provide a command line option in telnetd to close the
telnet connection when "stty 0" command is executed.

SR 8606231734 / CR JAGae00970
7. IPv6 connection might be closed by telnetd(1M).

SR 8606236626 / CR JAGae05679
8. Memory leak in telnet multiplexor.

SR 8606261511 / CR JAGae25830
9. Use of malloc(3C) in telnetd signal handler.

PHNE_24131:
SR 8606182980 / CR JAGad52196
1. telnetd does not close the connection when stty 0 is
executed.

SR 8606176054 / CR JAGad45294
2. Memory leak as telnetd does not manage telnet queues
properly.

SR 8606157405 / CR JAGad26736
3. telnet daemon sets the pty speed to 0 if the telnet
client speed is > 38400

SR 8606114446 / CR JAGac29210
4. telnet hangs with "Reflection1", a terminal emulation
software used by Windows telnet client when displaying
large files.

SR 8606188928 / CR JAGad58144
5. While transferring huge amount of data at
high speed, telnetd adds extra null characters to the
byte stream thereby breaking the application.

SR 8606174421 / CR JAGad43667
6. Enhancement to telnet to work in IPv6 environment.

Defect Description:
PHNE_24829:
SR 8606212875 / CR JAGad82062
1. Description: Buffer handling in telnetd needs to be
enhanced.
Resolution:
Code changes have been made to fix it.

SR 8606212874 / CR JAGad82061
2. Description: Telnetd has a service issue.
Resolution:
Code changes have been made to fix it.

SR 8606220839 / CR JAGad89975
3. Description: telnetd might write a duplicate record
into /etc/utmpx when the _pututline() API is interrupted
by a signal.
Resolution:
Signals are blocked before calling _pututline() and
enabled after it returns.

SR 8606230839 / CR JAGae00077
4. Description: k5dcelogin expects the environment variable
KRB5CCNAME to be set by telnetd. But telnetd passes the
KRB5CCNAME variable only in the argument list of the
execl(2) and not in the environment list.
Resolution: KRB5CCNAME is now passed in the environment
list, in addition to the argument list, thereby
forwarding the credentials properly.

SR 8606238651 / CR JAGae07675
5. Description: telnetd execs login with improperly ordered
arguments due to which the TERM environment variable, if
present, is ignored by login.
Resolution: The arguments are now passed in the correct
order.

SR 8606232804 / CR JAGae02032:
6. Description: Provide a command line option in telnetd to
close the telnet connection when "stty 0" command is
executed.
Resolution: A command line option, "-y", has been provided
in telnetd to close the telnet connection when "stty 0"
command is executed. Refer to man page telnetd(1M) for
more information.

SR 8606231734 / CR JAGae00970
7. Description: IPv6 enabled telnetd closes the connection
if the IPv6 client negotiates for environment option.
Resolution: Now it would not close the connection, but
flash an appropriate error message.

SR 8606236626 / CR JAGae05679:
8. Description: Only the first message block of the STREAMS
message was freed in telnet multiplexor. The remaining
message blocks in the STREAMS message cause a memory
leak.
Resolution: All the message blocks of the STREAMS message
are now freed.

SR 8606261511 / CR JAGae25830
9. Description: malloc(3C) is called inside a signal
handler in telnetd.
Resolution: Calls to malloc(3C) have been removed from the
signal handler.

PHNE_24131:
SR 8606182980 / CR JAGad52196
1. Setting stty 0 results in zero byte msgblk which was
ignored.
Resolution:
stty 0 results in zero byte msgblk which is now processed
to close the telnet connection.

SR 8606176054 / CR JAGad45294
2. If the connection is closed while telnet is doing option
negotiation, memory is not freed.
Resolution:
Code has been modified to free memory whenever connection
is closed.

SR 8606157405 / CR JAGad26736
3. If any telnet client requests for baud rate > 38400,
the telnet daemon resets the baud rate value to zero.
Resolution:
If any request for Baud rate is received, which is
greater than the maximum, i.e 38400, then the telnet
daemon resets the Baud rate value to the default value
instead of setting it to zero.

SR 8606114446 / CR JAGac29210
4. While displaying large files using "Reflection1",
a terminal emulation software, the telnet connection
hangs.
Resolution:
Flow control has been properly enabled which solved
this problem.

SR 8606188928 / CR JAGad58144
5. While transferring the byte stream at a high speed,
the character 0x0d which is not followed by 0x0a is
appended with multiple 0x0 characters.
Resolution:
Handling of flow control has been modified to
solve this problem.

SR 8606174421 / CR JAGad43667
6. Enhancements to telnet to work in the IPv6
environment.
Resolution:
telnetd and telnet code has been enhanced so that
they will work in the IPv6 environment.

Enhancement:
No (superseded patches contained enhancements)
PHNE_24131:
This patch contains IPv6 enhancements for telnet and
telnetd.

SR:
8606182980 8606176054 8606157405 8606114446 8606188928
8606174421 8606212875 8606212874 8606220839 8606230839
8606238651 8606232804 8606231734 8606236626 8606261511

Patch Files:

Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP:
/usr/conf/lib/libtelnet.a

Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP:
/usr/conf/lib/libtelnet.a

InternetSrvcs.INETSVCS-RUN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
/usr/lbin/telnetd
/usr/bin/telnet

InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
/usr/share/man/man1m.Z/telnetd.1m
/usr/share/man/man1.Z/telnet.1

what(1) Output:

Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP:
/usr/conf/lib/libtelnet.a:
str_telnet.c: PHNE_24829

Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP:
/usr/conf/lib/libtelnet.a:
str_telnet.c: PHNE_24829

InternetSrvcs.INETSVCS-RUN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
/usr/lbin/telnetd:
Copyright (c) 1983, 1986 Regents of the University of California.
Patch ID: PHNE_24829

InternetSrvcs.INETSVCS-RUN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
/usr/bin/telnet:
Revision 1.1.214.1 PHNE_24131 Mon Jul 2 10:48:01 GMT 2001
Copyright (c) 1988 Regents of the University of California.

InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
/usr/share/man/man1m.Z/telnetd.1m:
None

InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
/usr/share/man/man1.Z/telnet.1:
None

cksum(1) Output:

Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP:
3196843899 35224 /usr/conf/lib/libtelnet.a

Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP:
566962880 65018 /usr/conf/lib/libtelnet.a

InternetSrvcs.INETSVCS-RUN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
1362827565 94208 /usr/lbin/telnetd

InternetSrvcs.INETSVCS-RUN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
2088995601 110592 /usr/bin/telnet

InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
3902604971 6175 /usr/share/man/man1m.Z/telnetd.1m

InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,
fa=HP-UX_B.11.11_32/64,v=HP:
3778045746 8700 /usr/share/man/man1.Z/telnet.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies:
The solution to SR 8606174421 / CR JAGad43667 will
work only when IPv6 stack is installed.

Supersedes:
PHNE_24131

Equivalent Patches: None

Patch Package Size: 360 KBytes

Installation Instructions:
Please review all instructions and the Hewlett-Packard
SupportLine User Guide or your Hewlett-Packard support terms
and conditions for precautions, scope of license,
restrictions, and, limitation of liability and warranties,
before installing this patch.
------------------------------------------------------------
1. Back up your system before installing a patch.

2. Login as root.

3. Copy the patch to the /tmp directory.

4. Move to the /tmp directory and unshar the patch:

cd /tmp
sh PHNE_24829

5. Run swinstall to install the patch:

swinstall -x autoreboot=true -x patch_match_target=true \
-s /tmp/PHNE_24829.depot

By default swinstall will archive the original software in
/var/adm/sw/save/PHNE_24829. If you do not wish to retain a
copy of the original software, include the patch_save_files
option in the swinstall command above:

-x patch_save_files=false

WARNING: If patch_save_files is false when a patch is installed,
the patch cannot be deinstalled. Please be careful
when using this feature.

For future reference, the contents of the PHNE_24829.text file is
available in the product readme:

swlist -l product -a readme -d @ /tmp/PHNE_24829.depot

To put this patch on a magnetic tape and install from the
tape drive, use the command:

dd if=/tmp/PHNE_24829.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
PHNE_24829 contains a fix for the telnetd code defect
described in SR: 8606220839 (JAGad89975) - telnetd writes
to the wrong entry in /etc/utmpx on logout.

Although the SR: 8606220839 (JAGad89975) fix will prevent
any further corruption of /etc/utmpx(4), installing
PHNE_24829 will not correct any existing corruption in the
/etc/utmp(4) or /etc/utmpx(4) files.

Therefore if you are installing PHNE_24829 to fix the SR:
8606220839 (JAGad89975) defect, to completely resolve the
problem you must also ensure that the /etc/utmp and
/etc/utmpx files are cleared of any previous corruption
caused by this defect.

The /etc/utmp and /etc/utmpx files may be cleared using the
following procedure:

Before installing PHNE_24829 insert two lines into the
/etc/inittab(4) file as follows, then save /etc/inittab and
continue the PHNE_24829 patch installation.

init:3:initdefault:
utm1::sysinit:> /etc/utmp # clear current logon \
accounting files
utm2::sysinit:> /etc/utmpx # clear current login \
accounting files

After PHNE_24829 is installed and the system rebooted, you
may delete the above two entries from /etc/inittab or retain
them. In the latter case, /etc/utmp and /etc/utmpx will be
cleared every time the system is rebooted.

NOTE: The above steps are only required if the problem
described in SR: 8606220839 (JAGad89975) exists on
the system where PHNE_24829 is being installed.


NOTE the special instructions and make sure you follow them, or the problem is likely to recur.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
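As an added illustration for this thread (not code from the post or from HP's telnetd), the model below reproduces in Python the race that the patch text describes under SR 8606220839: the utmp(x) routines share one file cursor between the lookup (getutxline) and the write (pututxline), so a signal handler that also updates utmpx between those two calls moves the cursor and the logout record lands in the wrong slot, leaving a stale "logged in" entry behind. The patch's resolution, blocking signals around the pair, is shown beside the unpatched behaviour. The record layout, the user names and the use of SIGUSR1 (standing in for the child-exit signal telnetd handled) are assumptions made for the demo.

```python
"""Model of the utmpx write race the patch text attributes to SR 8606220839.

Added example for this thread, not HP's telnetd code.  Record layout, user
names and the SIGUSR1 stand-in for telnetd's child-exit signal are assumed.
"""
import os
import signal

USER_PROCESS, DEAD_PROCESS = 7, 8        # ut_type values, as in <utmpx.h>


class Utmpx:
    """In-memory stand-in for /etc/utmpx: a record list plus the single
    position cursor that makes the real getut*/pututline API non-reentrant."""

    def __init__(self, records):
        self.records = [dict(r) for r in records]
        self.cursor = 0

    def getutline(self, line):
        """Like getutxline(3): leave the cursor on this tty's live entry."""
        for i, rec in enumerate(self.records):
            if rec["type"] == USER_PROCESS and rec["line"] == line:
                self.cursor = i
                return rec
        self.cursor = len(self.records)        # not found: cursor at EOF
        return None

    def pututline(self, rec):
        """Like pututxline(3): write at the cursor, then advance it."""
        if self.cursor < len(self.records):
            self.records[self.cursor] = dict(rec)
        else:
            self.records.append(dict(rec))
        self.cursor += 1


def logout(utx, line, pid, hook=lambda: None):
    """telnetd's logout path: find the tty's entry, then mark it dead."""
    utx.getutline(line)
    hook()          # demo only: the signal is delivered exactly here
    utx.pututline({"type": DEAD_PROCESS, "line": line, "pid": pid, "user": ""})


def still_logged_in(records):
    """Users that `who` would still report from this record list."""
    return sorted(r["user"] for r in records if r["type"] == USER_PROCESS)


def run_logout(blocked):
    """Log out pts/1 while a SIGUSR1 handler logs out pts/2 from inside the
    handler (re-entrant use of the shared cursor).  Returns the final records."""
    utx = Utmpx([
        {"type": USER_PROCESS, "line": "pts/1", "pid": 101, "user": "alice"},
        {"type": USER_PROCESS, "line": "pts/2", "pid": 102, "user": "bob"},
        {"type": USER_PROCESS, "line": "pts/3", "pid": 103, "user": "carol"},
    ])
    fired = []

    def handler(signum, frame):
        logout(utx, "pts/2", 102)       # moves the cursor under the caller
        fired.append(signum)

    def deliver():
        os.kill(os.getpid(), signal.SIGUSR1)   # handler runs now if unblocked

    previous = signal.signal(signal.SIGUSR1, handler)
    try:
        if blocked:
            # The fix: mask signals before the lookup, unmask after the write.
            signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGUSR1})
        logout(utx, "pts/1", 101, hook=deliver)
        if blocked:
            signal.pthread_sigmask(signal.SIG_UNBLOCK, {signal.SIGUSR1})
            # The deferred handler runs at the next bytecode boundary; spin
            # briefly so it has done so before the handler is restored.
            for _ in range(1000):
                if fired:
                    break
    finally:
        signal.signal(signal.SIGUSR1, previous)
    return utx.records


if __name__ == "__main__":
    print("unblocked:", still_logged_in(run_logout(blocked=False)))  # ['alice']
    print("blocked:  ", still_logged_in(run_logout(blocked=True)))   # ['carol']
```

In the unblocked run the handler's write moves the cursor, so pts/1's DEAD_PROCESS record overwrites carol's pts/3 entry while alice's pts/1 entry survives as a stale login: the "wrong entry on logout" symptom from the patch notes. With the mask in place both records land where they belong.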
Managed Services
Frequent Advisor

Re: SUlog is advising that users are accessing when they are not

Many thanks for that!!!
I'll have a test and get back.
Thanks again
T G Manikandan
Honored Contributor

Re: SUlog is advising that users are accessing when they are not

su gets the information from the utmpx file.

The /etc/utmpx file is corrupt, so it returns an invalid entry.
Just empty the file. That should resolve this.
cat /dev/null > /etc/utmpx
cat /dev/null > /etc/utmp

To fix this permanently, install the patch as suggested above. The patch is for OS version 11i.
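The replies above say the originating user name in sulog comes from the login accounting file that telnetd was corrupting, so a sulog entry naming a user who cannot su is not evidence of what that user did. The Python below is an added example (not from this thread or from HP) of the check an auditor would run while the files are suspect: it parses sulog records in the HP-UX `SU MM/DD HH:MM [+-] tty from-to` layout and reconciles each su to root on the tty, against a session list kept independently of /etc/utmpx (for instance from `last`, or a terminal server's own logs), flagging failed attempts, successes from outside an allow-list, and entries whose named user does not own the session on that tty. The sample log lines, the allow-list and the session map are constructed for the example.

```python
"""Audit a sulog against an independent session list.

Added example for this thread, not HP code.  The log lines, allow-list and
tty->user snapshot are constructed; replace them with live data.
"""
import re
from collections import namedtuple

# HP-UX sulog(4) record: "SU MM/DD HH:MM [+-] tty from-to"
SULOG_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)$")

Entry = namedtuple("Entry", "date time ok tty from_user to_user")

# Constructed sample: alice is allowed, bob is not, pts/3 is really dave's.
SAMPLE_SULOG = """\
SU 01/14 09:32 + pts/1 alice-root
SU 01/14 09:40 - pts/2 bob-root
SU 01/14 10:05 + pts/2 bob-root
SU 01/14 10:11 + pts/3 alice-root
SU 01/14 11:20 + ttyp0 carol-oracle
"""

# Assumed policy: who may become root on this host.
ALLOWED_ROOT_SU = {"alice"}

# Independent tty -> user map, e.g. from `last` or the terminal server's own
# logs rather than from /etc/utmpx (constructed for the example).
SESSIONS = {"pts/1": "alice", "pts/2": "bob", "pts/3": "dave"}


def parse_sulog(lines):
    """Parse sulog lines; anything not matching the record layout is skipped."""
    entries = []
    for raw in lines:
        m = SULOG_RE.match(raw.strip())
        if not m:
            continue
        date, time, flag, tty, who = m.groups()
        # The target user follows the last '-', so a hyphenated source survives.
        from_user, _, to_user = who.rpartition("-")
        entries.append(Entry(date, time, flag == "+", tty, from_user, to_user))
    return entries


def audit_sulog(lines, allowed_root, sessions):
    """Return (kind, entry) findings for every su-to-root record."""
    findings = []
    for e in parse_sulog(lines):
        if e.to_user != "root":
            continue
        if not e.ok:
            findings.append(("failed", e))
            continue
        if e.from_user not in allowed_root:
            findings.append(("unauthorized", e))
        # The tty is su's own terminal; if the independently recorded session
        # on that tty belongs to someone else, the sulog name is not who typed su.
        if sessions.get(e.tty) != e.from_user:
            findings.append(("mismatch", e))
    return findings


if __name__ == "__main__":
    for kind, e in audit_sulog(SAMPLE_SULOG.splitlines(), ALLOWED_ROOT_SU, SESSIONS):
        print(f"{kind:12} {e.date} {e.time} {e.tty:6} {e.from_user}->{e.to_user}"
              f" (tty owner: {SESSIONS.get(e.tty, '?')})")
```

On the sample data this reports bob's failed and then successful root su on pts/2 and the pts/3 entry that names alice while the session on that terminal is dave's; the latter is the shape of the misattribution described in this thread, and the tty, not the user name, is the field to chase.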