Silicon Graphics Security Patches


Keeping your system secure
    It's very important to make sure you have all the latest relevant security patches on your Silicon Graphics (SGI) computer.  Security patches usually fix vulnerabilities in a system that are discovered after the operating system (in this case IRIX) has been released.  In the case of Silicon Graphics, there have been numerous serious security vulnerabilities found that an unauthorized person could use to gain access to your system, gain root user access, or deny services on your system.  Security patches are easy to install and free from Silicon Graphics.  To find out more about Silicon Graphics security, visit Silicon Graphics Security Headquarters.

    For more information on recent computer security issues, see the Computer Emergency Response Team (CERT) web page.
 

Description
    Silicon Graphics usually provides a security patch to fix one or more vulnerabilities found within their operating system, IRIX.  Sometimes this patch is immediately available; other times there is some delay before a patch is developed and released, and there may be an alternative measure that can be taken immediately.  In some cases, no patch is provided, but an alternative solution is suggested.

    The patches are almost always in inst format, the format SGI ships their software in, and named according to a number.  For example, you can obtain patch1234.tar from the SGI security web site that bundles the files that make up patch 1234.  Sometimes a patch applies to a single IRIX release, e.g. 6.3.  Other times it may cover more than one release.  Silicon Graphics' new IRIX 6.5 operating system does not presently take patches.  Instead, frequent updates to 6.5 provide fixes to vulnerabilities.  (As of 3/18/99, the current version of IRIX 6.5 available is 6.5.3.  See OS updates for more info.)  Installing patches requires using the inst or Software Manager program and is usually easy for experienced sysadmins to do.

Obtaining
    Silicon Graphics security patches are available free from SGI via the web at the SGI Security Headquarters or via ftp at sgigate.sgi.com, /~ftp/patches.  For Chemistry Department members, there is a software server that contains all the patches for each OS release, ready for installation.  See the Chemistry Computer Facility web page for instructions on how to use the SGI software server.

    Which patches should be obtained?  You can check on the SGI Security Headquarters site to get an up-to-date list of security patches issued by OS release.  In the case of IRIX 6.5.x, if there is a security vulnerability, you should see whether the latest version of 6.5 has corrected the vulnerability.  If so, obtain the latest version of IRIX 6.5.  A less reliable method for the pre-IRIX 6.5 OS releases is to obtain the latest recommended patch set and install this.  See the section on recommended patches.

    After you've determined what patches are needed and downloaded them, you're ready to un-tar them and prepare for installation.  Use "tar xvf patch1234.tar" to de-tar a patch file.  You may have downloaded it in gzip format (as indicated by a .gz suffix).  Use "gunzip patch1234.tar" to g-unzip the file and the preceding command to de-tar it.  You should have several files comprising the inst format files for the patches.  You should probably delete the old tar files, since sometimes these take up a significant amount of space.  I recommend putting the patches for the same OS into a subdirectory, /usr/tmp/patches/6.x.

Installing
 
    There are several steps you need to take before you can install the patches for your system.
Make a full system backup.
Shut down the system to miniroot.
Inst installation:

When the inst prompt appears, I recommend the following (there are other ways to do this):
    from /usr/tmp/patches/6.3    (tells inst where the patch files are)
    install A                    (selects all installable patches)
    keep S                       (prevents already existing patches from being re-installed)
    keep D                       (prevents patches that are old from being installed)
    conflicts                    (should be clear of conflicts, else you need to resolve them)
    go                           (starts software installation)
    exit                         (returns to re-start system)
Checking for updated configuration files:
    When the system has returned to multi-user mode, check for any configuration files that may have been altered or any files that have suggested upgrades.  Enter "versions changes".  This is important, because sometimes there are further steps that can be taken to minimize the vulnerability that can't be done with the inst software installation program.  Suggested upgrades are usually named with the configuration file name with .N appended.  Other times, the inst installation will install a new configuration file and rename the old one with a .O suffix.  In order to continue with the proper configuration for your system, you'll need to use "diff" or some other type of program to determine what has changed and whether you need to reinstate your settings.
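
    The .N and .O check in the last step can be cross-checked over a directory tree with a short script.  This is an added example, not part of the original page; it assumes a POSIX shell with find and cmp, and the file names and contents in its sample tree are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): cross-check for the .N and .O
# copies that inst leaves next to configuration files.

# review_config_changes DIR
# Prints "<status> <live file> <suffix>" for every *.N / *.O file under DIR:
#   DIFFERS  live file and the copy differ, so compare them with diff
#   SAME     the copy is identical to the live file
#   ORPHAN   the copy exists but the live file does not
review_config_changes() {
    root=$1
    find "$root" -type f \( -name '*.N' -o -name '*.O' \) -print | sort |
    while IFS= read -r copy; do
        live=${copy%.[NO]}      # strip the .N or .O suffix
        suffix=${copy##*.}      # N = suggested new file, O = renamed old file
        if [ ! -f "$live" ]; then
            echo "ORPHAN $live $suffix"
        elif cmp -s "$live" "$copy"; then
            echo "SAME $live $suffix"
        else
            echo "DIFFERS $live $suffix"
        fi
    done
}

# Constructed sample tree standing in for /etc after a patch installation.
# File names and contents are made up for the demonstration.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/etc" || return 1
    echo "site-option = custom"  > "$t/etc/inetd.conf"
    echo "site-option = default" > "$t/etc/inetd.conf.N"    # suggested upgrade
    echo "vendor-option = new"   > "$t/etc/sendmail.cf"
    echo "vendor-option = old"   > "$t/etc/sendmail.cf.O"   # your old file
    echo "unchanged"             > "$t/etc/syslog.conf"
    echo "unchanged"             > "$t/etc/syslog.conf.N"
    echo "leftover"              > "$t/etc/hosts.equiv.O"   # no live file
    echo "$t"
}

sample=$(make_sample_tree)
review_config_changes "$sample"
rm -rf "$sample"
```

    Every line reported as DIFFERS names a file to compare by hand with "diff" before deciding which version to keep.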

Testing
    Testing doesn't usually require much time, if any.  After any software installation, you should check your system to make sure it's functioning as you need it to.  If a patch was damaged or has damaged something, or something has gone wrong in the course of installing patches, you'll need to either remove the patch or restore from the system backup you had made prior to installation.
 




last updated 990318 by Martin McCormick, martinm@sas.upenn.edu