topic Re: tsconvert options in Operating System - HP-UX

tsconvert options

Jeff_Traigle — Tue, 25 May 2004 10:05:12 GMT

I've looked around ITRC and newsgroups, but haven't seen the info. I know -r converts back to an untrusted system since that seems to get mentioned all the time as people try to convert back. What do the -c and -p options do?

Re: tsconvert options

John Poff — Tue, 25 May 2004 10:16:34 GMT

Hi,

Patch PHCO_17218 mentions doing a 'tsconvert -p':

PHCO_17218 cumulative fix for SAM convert/unconvert
If you are already in trusted mode when you install the
patch then execute "/usr/lbin/tsconvert -p"
to pick up any missing entries.

JP

Re: tsconvert options

Mel Burslan — Tue, 25 May 2004 10:18:10 GMT

-c option is actually is used to convert TO a trusted system as far as I can remember but it has been a while since we are only doing the converts via SAM as suggested by hp for support considerations.

Re: tsconvert options

Jeff_Traigle — Tue, 25 May 2004 10:31:26 GMT

Ok. -c does seem to be "convert", which is the default action if no option is provided.

Interesting though... I tried running tsconvert on a system and it didn't seem to work:

omega# /usr/lbin/tsconvert -c
Creating secure password database...
Directories created.
Making default files.
System default file created...
Terminal default file created...
Device assignment file created...
Moving passwords...
Can't write protected database;
password file unchanged.

Re: tsconvert options

Jeff Schussele — Tue, 25 May 2004 10:43:17 GMT

Hi Jeff,

I suspect SAM's doing more than just running tsconvert -c.

Why don't you let SAM do a conversion & then check the /var/sam/log/samlog to see just exactly what it did?

My 2 cents,
Jeff

Re: tsconvert options

Jeff_Traigle — Tue, 25 May 2004 10:44:36 GMT

I did. That's all it appears to do and it generates the same output without doing the conversion.

Re: tsconvert options

Mel Burslan — Tue, 25 May 2004 10:45:13 GMT

Jeff beat me to the same suggestion. I second his opinion. :)

Re: tsconvert options

John Poff — Tue, 25 May 2004 10:48:01 GMT

The protected database gets written to /tcb/files/auth/*/*, so you might poke around that directory tree and see if everything looks ok. Do you have another trusted system to compare it to?

JP

Re: tsconvert options

Jeff_Traigle — Tue, 25 May 2004 11:00:28 GMT

No, I don't. Was just investigating it for the first time because of new audit requirements that systems in the building use shadow password.

Here's the ownship of /. I can't trust this is the way it should be offhand because so many file permissions have been unwisely modified on these systems over the years before I showed up in January.

omega# ls -ld /
drwxr-xr-x 21 root root 8192 May 25 07:37 /

Definitely no space problems at 20% used and 160MB free.

Re: tsconvert options

Bill Hassell — Tue, 25 May 2004 11:15:23 GMT

Check if there is already a /tcb directory or file. In an untrusted system, this will not exist. tsconvert will create the /tcb directory structure. However, as you mentioned, some sysadmins with Unix For Newbies books have been loose on the system and may have compromised a lot of security features. Check /etc/passwd (should be 644 or 444 owned by root) and /etc/group. Check the syntax in both files with pwck and grpck respectively. Check that /etc is 755 and I would run the following command just to look fo overall problems:

find /etc /sbin /stand -perm -002 -exec ll {} \;

which should produce no entries. If something shows up, the contents of the file or directory cannot be trusted.

Re: tsconvert options

Jeff_Traigle — Tue, 25 May 2004 11:26:40 GMT

Bingo! pwck revealed a bogus line with username usr/bin... looks like someone was hacking around with this passwd file at some point and messed up. Good list of things to check.