For more information on recent computer security
issues, see the Computer Emergency Response
Team (CERT) web page.
Description
Silicon Graphics usually provides a security patch
to fix one or more vulnerabilities found in its operating system,
IRIX. Sometimes the patch is available immediately; other times
there is a delay before a patch is developed and released, and an
alternative measure may be available that can be applied right away.
In some cases, no patch is provided, but an alternative solution is suggested.
The patches are almost always in inst format, the format SGI ships its software in, and are named by number. For example, you can obtain patch1234.tar from the SGI security web site; it bundles the files that make up patch 1234. Sometimes a patch applies to a single IRIX release, e.g. 6.3. Other times it may cover more than one release. Silicon Graphics' new IRIX 6.5 operating system does not presently take patches. Instead, frequent updates to 6.5 provide fixes for vulnerabilities. (As of 3/18/99, the current version of IRIX 6.5 available is 6.5.3. See OS updates for more info.) Installing patches requires the inst or Software Manager program and is usually easy for experienced sysadmins to do.
Obtaining
Silicon Graphics security patches are available
free from SGI via the web at the SGI Security Headquarters or via ftp at
sgigate.sgi.com, /~ftp/patches. For Chemistry Department members,
there is a software server that contains all the patches for each OS release,
ready for installation. See the Chemistry Computer Facility web page
for instructions on how to use the SGI software server.
Which patches should be obtained? Check the SGI Security Headquarters site for an up-to-date list of security patches issued for each OS release. In the case of IRIX 6.5.x, if there is a security vulnerability, you should see whether the latest version of 6.5 has corrected the vulnerability. If so, obtain the latest version of IRIX 6.5. A less reliable method for the pre-IRIX 6.5 OS releases is to obtain the latest recommended patch set and install it. See the section on recommended patches.
After you've determined which patches are needed and downloaded them, you're ready to un-tar them and prepare for installation. Use "tar xvf patch1234.tar" to de-tar a patch file. You may have downloaded it in gzip format (as indicated by a .gz suffix). In that case, first use "gunzip patch1234.tar" to g-unzip the file, then the preceding command to de-tar it. You should then have several files that make up the inst format files for the patches. You should probably delete the old tar files, since these sometimes take up a significant amount of space. I recommend putting the patches for the same OS into a subdirectory, /usr/tmp/patches/6.x.
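The unpacking step described above as a shell function, added here as an example and not part of the original page: it un-tars each download into the per-release directory and deletes a tar file only after it has extracted cleanly, so a damaged download is kept for inspection. The function name, its two directory arguments and the member-path check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): unpack downloaded patch
# archives into a per-release directory before running inst.
# Usage: stage_patches SRC_DIR DEST_DIR   (both directory names are assumptions)
# Sets STAGED and FAILED; returns non-zero if any archive was rejected.
stage_patches() {
    src=$(cd "$1" && pwd) || return 2
    mkdir -p "$2" || return 2
    dest=$(cd "$2" && pwd) || return 2
    STAGED=0 FAILED=0
    for f in "$src"/patch*.tar.gz "$src"/patch*.tar; do
        [ -f "$f" ] || continue              # pattern matched nothing
        case $f in
        *.gz)                                # gzip'd download: gunzip first
            if gunzip "$f"; then f=${f%.gz}
            else FAILED=$((FAILED + 1)); continue; fi ;;
        esac
        # A truncated or corrupt download fails the listing; keep it for inspection.
        if ! names=$(tar tf "$f" 2>/dev/null); then
            echo "unreadable archive, kept: $f" >&2
            FAILED=$((FAILED + 1)); continue
        fi
        # Refuse members that would land outside DEST_DIR (extraction runs as root).
        if printf '%s\n' "$names" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
            echo "unsafe member path, kept: $f" >&2
            FAILED=$((FAILED + 1)); continue
        fi
        if (cd "$dest" && tar xf "$f"); then
            rm -f "$f"                       # tar file no longer needed
            STAGED=$((STAGED + 1))
        else
            FAILED=$((FAILED + 1))
        fi
    done
    [ "$FAILED" -eq 0 ]
}
```

Call it as, for example, stage_patches /usr/tmp/download /usr/tmp/patches/6.3, where the download directory is a placeholder for wherever the tar files were saved.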
Installing
There are several steps you need to take
before you can install the patches for your system.
Make a full system backup.
Shut down the system to miniroot
Inst installation:
When the inst prompt appears, I recommend the following (there are other ways to do this):
Checking for updated configuration files:
from /usr/tmp/patches/6.3 (tells inst where the patch files are)
install A (selects all installable patches)
keep S (prevents already existing patches from being re-installed)
keep D (prevents patches that are old from being installed)
conflicts (should be clear of conflicts; otherwise you need to resolve them)
go (starts software installation)
exit (returns to re-start system)
Testing
This doesn't usually require much time, if any.
After any software installation, you should check your system to make sure
it's functioning as you need it to. If a patch was damaged or has
damaged something, or something has gone wrong in the course of installing
patches, you'll need to either remove the patch or restore from the system
backup you made prior to installation.
last updated 990318 by Martin McCormick, martinm@sas.upenn.edu