This is a multipart message in MIME format. What you are seeing is now entirely normal and is a result of changes that
were made for the security APAR IY21527.
The platform AIX or Solaris (or Digital or NT) make no difference.
As soon as you apply this APAR e-fix or NetView 6.0.3, you will see the
same results with NetView Version 6.0 that you are seeing in 7.1.
Because it is possible for someone to imbed a command inside a varbind,
and thus cause a command to be issued (with root authority) when you echo
that varbind to a file, some characters are now considered illegal and are
escaped, that is preceded by and escape character, when they appear in a
varbind.
You can either adjust your script accordingly to deal with them or you can
make everything operate as it did before (and leave open the possible
security hole) by setting an environment variable to disable the security
checking. I would advise adjusting the script. For example, wherever you
have $NVATTR_2 , you can replace it with
`echo $NVATTR_2 | sed "s:\\\\\\::g"`
and the sed will remove the escape characters.
The recommended method to disable it all is to create a file called
/usr/OV/bin/netnmrc.pre and in it put the line:
export AdditionalLegalTrapCharacters=disable
Then either reboot or ovstop all the daemons (ovstop nvsecd) and restart
them using /etc/netnmrc (AIX) or /etc/init.d/netnmrc (Solaris).
This is all documented in the e-fix for the APAR. I don't know where that
doc was placed in 7.1 or 6.0.3 off-hand.
James Shanks
Level 3 Support for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
Jorge Jiles <Jorge.Jiles AT ualberta DOT ca>
Sent by: owner-nv-l AT tkg DOT com
11/22/2001 06:28 PM
Please respond to IBM NetView Discussion
To: nv-l AT tkg DOT com
cc:
Subject: [NV-L] actionsrv parse
Netview 7.1 Solaris 8
Any ideas as to why I'm getting these Varbind (\.\) errors from the action
daemon an how I can correct them.
2001/22/11 16:08:00 : 20 :/usr/OV/local/bin/stateInformer $NVG $NVS $NVA
$NVT~2001/22/11 16:05
:50~1.3.6.1.4.1.2.6.3.1~6~58916865~2172652069~0~public~2~condor.ucs.ualberta
.ca~Node Down~~topo_db~3~N~5
2001/22/11 16:08:00 ./nl_Actionsvr.C[790] : Varbind contained an
illegal character.
Issuing sanitized version of the varbind:
2001/22/11 16:08:00 ./nl_Actionsvr.C[791] :
NVATTR_2="condor\.ucs\.ualberta\.ca"
2001/22/11 16:08:00 ./nl_Actionsvr.C[790] : Varbind contained an
illegal character.
Issuing sanitized version of the varbind:
2001/22/11 16:08:00 ./nl_Actionsvr.C[791] : NVATTR_5="topo_db"
/usr/OV/local/bin/StateInformer is an script that get to be executed from
a
correlation wait of 5 minutes (node down/up) If I run the script from the
command line, it works OK; also I have been using this scheme for some
time
on Netview 6 on AIX with no problems. I'm moving from AIX to Solaris
slowly
but surely.
Jorge A Jiles
Network Analyst
Computing & Network Services
University of Alberta
Edmonton, Alberta
Canada
_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l
What you are seeing is now entirely normal and is a result of changes that were made for the security APAR IY21527.
The platform AIX or Solaris (or Digital or NT) make no difference.
As soon as you apply this APAR e-fix or NetView 6.0.3, you will see the same results with NetView Version 6.0 that you are seeing in 7.1.
Because it is possible for someone to imbed a command inside a varbind, and thus cause a command to be issued (with root authority) when you echo that varbind to a file, some characters are now considered illegal and are escaped, that is preceded by and escape character, when they appear in a varbind.
You can either adjust your script accordingly to deal with them or you can make everything operate as it did before (and leave open the possible security hole) by setting an environment variable to disable the security checking. I would advise adjusting the script. For example, wherever you have $NVATTR_2 , you can replace it with
`echo $NVATTR_2 | sed "s:\\\\\\::g"`
and the sed will remove the escape characters.
The recommended method to disable it all is to create a file called /usr/OV/bin/netnmrc.pre and in it put the line:
export AdditionalLegalTrapCharacters=disable
Then either reboot or ovstop all the daemons (ovstop nvsecd) and restart them using /etc/netnmrc (AIX) or /etc/init.d/netnmrc (Solaris).
This is all documented in the e-fix for the APAR. I don't know where that doc was placed in 7.1 or 6.0.3 off-hand.
James Shanks
Level 3 Support for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
| Jorge Jiles <Jorge.Jiles AT ualberta DOT ca>
Sent by: owner-nv-l AT tkg DOT com
11/22/2001 06:28 PM
Please respond to IBM NetView Discussion
|
To: nv-l AT tkg DOT com
cc:
Subject: [NV-L] actionsrv parse
|
Netview 7.1 Solaris 8
Any ideas as to why I'm getting these Varbind (\.\) errors from the action
daemon an how I can correct them.
2001/22/11 16:08:00 : 20 :/usr/OV/local/bin/stateInformer $NVG $NVS $NVA
$NVT~2001/22/11 16:05
:50~1.3.6.1.4.1.2.6.3.1~6~58916865~2172652069~0~public~2~condor.ucs.ualberta
.ca~Node Down~~topo_db~3~N~5
2001/22/11 16:08:00 ./nl_Actionsvr.C[790] : Varbind contained an
illegal character.
Issuing sanitized version of the varbind:
2001/22/11 16:08:00 ./nl_Actionsvr.C[791] :
NVATTR_2="condor\.ucs\.ualberta\.ca"
2001/22/11 16:08:00 ./nl_Actionsvr.C[790] : Varbind contained an
illegal character.
Issuing sanitized version of the varbind:
2001/22/11 16:08:00 ./nl_Actionsvr.C[791] : NVATTR_5="topo_db"
/usr/OV/local/bin/StateInformer is an script that get to be executed from a
correlation wait of 5 minutes (node down/up) If I run the script from the
command line, it works OK; also I have been using this scheme for some time
on Netview 6 on AIX with no problems. I'm moving from AIX to Solaris slowly
but surely.
Jorge A Jiles
Network Analyst
Computing & Network Services
University of Alberta
Edmonton, Alberta
Canada
_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l
|