I have run into this issue several times. The procedure below is
documented on Sun's web site as a way to get around their security patch
cluster which enforces stricter install permissions. I have tested it
both in live environments and in lab several times so I know it works:
The Solaris 9 patch 113713 revision 16 and earlier, i.e. 113713-16, and
the Solaris 8 patch 110934-19 and earlier are OK and will not cause any
problems when installing any Checkpoint package on Solaris.
Checkpoint's workaround for this is to back out the patch if it is later
than these revisions.
If you are reluctant to back out the patch or are unable to, then you can
add the install user on your system.
1. Add the install user.
# useradd -c "pkgadd install user" -s /bin/false -d / install
2. Remember this number as it is the install user's normal UID.
# egrep "^install:" /etc/passwd | cut -d: -f3
12345
3. Before installing/upgrading your Checkpoint software, change the
"install" user's UID to 0.
# usermod -o -u 0 install
4. Install/upgrade checkpoint software as you would normally.
5. Change the install user's UID back to its usual one as we don't want
more than one UID 0 user do we!
# usermod -o -u 12345 install
This workaround lets you install any Checkpoint package on a fully
patched Solaris 8/9 system, and if you need to apply a HotFix or upgrade
later you can re-enable the install user with UID 0.
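A check to run after step 5, as an added example that is not part of the original post or of Sun's or Check Point's documentation: it reports any non-root account still holding UID 0, any non-zero UID shared by two accounts (which usermod -o permits), and whether the install user is back on its recorded UID. The function name audit_passwd and the sample passwd entries are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd entries after step 5.
# Usage: audit_passwd FILE [USER EXPECTED_UID]
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
# Assumes a POSIX awk (on Solaris: nawk or /usr/xpg4/bin/awk).
audit_passwd() {
    awk -F: -v user="$2" -v want="$3" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        # Any account other than root with UID 0 has full root privileges.
        $3 == 0 && $1 != "root" { print "UID0 " $1; bad = 1 }
        # usermod -o permits non-unique UIDs, so report shared non-zero UIDs too.
        {
            if (!($3 in seen)) seen[$3] = $1
            else if ($3 != 0) { print "DUPLICATE-UID " $3 " " seen[$3] "," $1; bad = 1 }
        }
        # The named account should be back on the UID recorded in step 2.
        user != "" && $1 == user && $3 != want {
            print "WRONG-UID " $1 " has " $3 " expected " want; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: passwd contents if step 5 was skipped.
sample=${TMPDIR:-/tmp}/passwd.sample.$$
cat > "$sample" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
install:x:0:1:pkgadd install user:/:/bin/false
EOF
audit_passwd "$sample" install 12345 || echo "findings above: repeat step 5"
rm -f "$sample"
```

On a live system, point it at /etc/passwd with the UID noted in step 2, for example: audit_passwd /etc/passwd install 12345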
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Reinoud
Koornstra
Sent: Tuesday, May 09, 2006 6:28 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NGX/Express FW-1 module doesn't start after HFA-3
Can't you revert the installation of HFA03 and see if your enforcement
comes up afterwards? If you can revert and everything works, make a
snapshot and then install hfa03 again, see what happens.
I occasionally encounter problems after installing an hfa. Having a
backup before always helps to try again.
I know this isn't the answer you're looking for, but I don't have any
other options which I can think of right now.
Although, in your boot sequence it seems that a kernel module won't be
loaded. Can you do a "find / -name fwmod.2.4.21.cp.UNSUPPORTED.o"?
See what it brings you?
Bye,
Reinoud.
-----Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM> wrote: -----
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
From: "Bachmann, Olaf" <Olaf.Bachmann AT ARXES-BERLIN DOT DE>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================