| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Workarounds for Solaris Installation and Upgrade Issue

The Problem/Symptoms

It is usual practice to apply the latest Recommended Patch Cluster for Solaris when you are building any system, especially a firewall. As of September/October 2004 Sun has fixed a bug in the pkgadd command that prevents Checkpoint software from installing. The request script in Checkpoint's packages assumes it has root privileges when it runs, and creates files and runs utilities.

According to Sun's Solaris Application Packaging Developer's Guide:

"The request script cannot modify any files. It only interacts with administrators installing the package and creates a list of environment variable assignments based upon that interaction. To enforce this restriction, the request script is executed as the non-privileged user install if that user exists; otherwise it is executed as the non-privileged user nobody. The request script does not have superuser authority."

So now that Sun has fixed the bug in pkgadd, the request script no longer runs with root privileges and instead runs as the user nobody if the install user doesn't exist. As a result you may see errors such as:

```
Error: "/cp_tmp/CPshrd-R55/install/request: /opt/CPInstLog/install_cpshared_R55.elg: cannot create"
```

during installation or upgrade, OR

```
/var/tmp/mdsTake_release_R55_pr22/packages/CPfw1-R55/install/request: /opt/CPshrd-R55/bin/cpprod_util: cannot execute
/var/tmp/mdsTake_release_R55_pr22/packages/CPfw1-R55/install/request: /opt/CPshrd-R55/bin/cpprod_util: cannot execute
```

This problem affects many products and versions including Provider-1, VPN-1, FP3, R54, R55. Checkpoint have stated that they will not fix this bug in any of the current releases but that it will be fixed in the next major release (R56?).

The Solutions

1. Backout the Patches

The Solaris 9 patch 113713 revision 16 and earlier, i.e. 113713-16, and the Solaris 8 patch 110934-19 and earlier are OK and will not cause any problems when installing any Checkpoint package on Solaris. Checkpoint's workaround for this is to back out the patch if it is later than these revisions.

2. Add install User

If you are reluctant to back out the patch, or are unable to, then you can add the install user on your system.

1. Add the install user.

```
# useradd -c "pkgadd install user" -s /bin/false -d / install
```

2. Remember this number as it is the install user's normal UID.

```
# egrep "^install:" /etc/passwd | cut -d: -f3
12345
```

3. Before installing/upgrading your Checkpoint software, change the "install" user's UID to 0.

```
# usermod -o -u 0 install
```

4. Install/upgrade Checkpoint software as you would normally.

5. Change the install user's UID back to its usual one, as we don't want more than one UID 0 user, do we!

```
# usermod -o -u 12345 install
```

This workaround lets you install any Checkpoint package on a fully patched Solaris 8/9 system, and if you need to apply a HotFix or Upgrade later you can re-enable the install user with UID 0.

-- MatthewFlanagan - 30 Dec 2004

FAQs.Class: InstallAndUpgradeFAQs, TroubleshootingFAQs
FAQs.OS: OsSolaris
FAQs.Version:
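The two checks that bracket this workaround, as an added example that is not part of the original FAQ or of any Sun or Checkpoint tooling: whether the installed pkgadd patch is later than the last known-good revision, and whether any account other than root still holds UID 0 after step 5. The function names are hypothetical, and the patch list is assumed to be saved `showrev -p` output whose lines begin `Patch: <id>-<rev>`.

```shell
#!/bin/sh
# Added example: pre- and post-install checks for the "install" user workaround.
# Both input files are passed as arguments so the functions can be run against
# saved copies; the function names are hypothetical.

# patch_rev BASE FILE: print the highest installed revision of patch BASE,
# reading lines of the assumed form "Patch: 113713-16 Obsoletes: ...".
# Prints nothing when the patch is not installed.
patch_rev() {
    awk '$1 == "Patch:" { print $2 }' "$2" |
        sed -n "s/^$1-\([0-9][0-9]*\)\$/\1/p" | sort -n | tail -1
}

# needs_workaround BASE LAST_GOOD FILE: exit 0 when the installed revision is
# later than LAST_GOOD (request scripts then run unprivileged), 1 otherwise.
needs_workaround() {
    rev=`patch_rev "$1" "$3"`
    [ -n "$rev" ] && [ "$rev" -gt "$2" ]
}

# extra_uid0 PASSWD: print every account other than root whose UID is 0.
extra_uid0() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# verify_restored PASSWD: the check for step 5. Exit 0 when root is the only
# UID 0 account, 1 (with a message on stderr) when cleanup is still needed.
verify_restored() {
    left=`extra_uid0 "$1"`
    if [ -n "$left" ]; then
        echo "UID 0 still assigned to: $left" >&2
        return 1
    fi
    return 0
}

# Typical use on a Solaris 9 host (113713-16 is the last good revision per the FAQ):
#   showrev -p > /tmp/patches.txt
#   needs_workaround 113713 16 /tmp/patches.txt && echo "install user needed"
#   ... steps 1-5 ...
#   verify_restored /etc/passwd || echo "restore the install user's UID"
```

Running `verify_restored /etc/passwd` from a scheduled job also catches the case where an upgrade was interrupted between steps 3 and 5.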