
tsconvert options

 
Jeff_Traigle
Honored Contributor

tsconvert options

I've looked around ITRC and newsgroups, but haven't seen the info. I know -r converts back to an untrusted system since that seems to get mentioned all the time as people try to convert back. What do the -c and -p options do?
--
Jeff Traigle
10 REPLIES
John Poff
Honored Contributor

Re: tsconvert options

Hi,

Patch PHCO_17218 mentions doing a 'tsconvert -p':



PHCO_17218 cumulative fix for SAM convert/unconvert
If you are already in trusted mode when you install the
patch then execute "/usr/lbin/tsconvert -p"
to pick up any missing entries.



JP
Mel Burslan
Honored Contributor

Re: tsconvert options

The -c option is actually used to convert TO a trusted system as far as I can remember, but it has been a while since we are only doing the converts via SAM as suggested by HP for support considerations.
________________________________
UNIX because I majored in cryptology...
Jeff_Traigle
Honored Contributor

Re: tsconvert options

Ok. -c does seem to be "convert", which is the default action if no option is provided.

Interesting though... I tried running tsconvert on a system and it didn't seem to work:

omega# /usr/lbin/tsconvert -c
Creating secure password database...
Directories created.
Making default files.
System default file created...
Terminal default file created...
Device assignment file created...
Moving passwords...
Can't write protected database;
password file unchanged.
--
Jeff Traigle
Jeff Schussele
Honored Contributor

Re: tsconvert options

Hi Jeff,

I suspect SAM's doing more than just running tsconvert -c.

Why don't you let SAM do a conversion & then check the /var/sam/log/samlog to see just exactly what it did?

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jeff_Traigle
Honored Contributor

Re: tsconvert options

I did. That's all it appears to do and it generates the same output without doing the conversion.
--
Jeff Traigle
Mel Burslan
Honored Contributor

Re: tsconvert options

Jeff beat me to the same suggestion. I second his opinion. :)
________________________________
UNIX because I majored in cryptology...
John Poff
Honored Contributor

Re: tsconvert options

The protected database gets written to /tcb/files/auth/*/*, so you might poke around that directory tree and see if everything looks ok. Do you have another trusted system to compare it to?

JP
Jeff_Traigle
Honored Contributor

Re: tsconvert options

No, I don't. Was just investigating it for the first time because of new audit requirements that systems in the building use shadow passwords.

Here's the ownership of /. I can't trust this is the way it should be offhand because so many file permissions have been unwisely modified on these systems over the years before I showed up in January.

omega# ls -ld /
drwxr-xr-x 21 root root 8192 May 25 07:37 /

Definitely no space problems at 20% used and 160MB free.
--
Jeff Traigle
Bill Hassell
Honored Contributor
Solution

Re: tsconvert options

Check if there is already a /tcb directory or file. In an untrusted system, this will not exist. tsconvert will create the /tcb directory structure. However, as you mentioned, some sysadmins with Unix For Newbies books have been loose on the system and may have compromised a lot of security features. Check /etc/passwd (should be 644 or 444 owned by root) and /etc/group. Check the syntax in both files with pwck and grpck respectively. Check that /etc is 755 and I would run the following command just to look for overall problems:

find /etc /sbin /stand -perm -002 -exec ll {} \;

which should produce no entries. If something shows up, the contents of the file or directory cannot be trusted.


Bill Hassell, sysadmin
Jeff_Traigle
Honored Contributor

Re: tsconvert options

Bingo! pwck revealed a bogus line with username usr/bin... looks like someone was hacking around with this passwd file at some point and messed up. Good list of things to check.
--
Jeff Traigle
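
The checklist from the accepted answer, gathered into one read-only pre-conversion script. This is an added example, not part of the original thread and not HP's own tooling; the function names, the root-prefix argument (for running against a copy of the files) and the expected-UID argument are assumptions, and the awk check covers only a small subset of what pwck reports.

```shell
#!/bin/sh
# Added example: read-only checks to run before tsconvert.
# Function names and the ROOT_PREFIX / EXPECTED_UID arguments are assumptions.

# ls -ldn fields: $1 = mode string, $3 = numeric owner (no stat(1) needed).
perm_of()  { ls -ldn "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'; }
owner_of() { ls -ldn "$1" 2>/dev/null | awk '{print $3}'; }

# Report passwd lines with a wrong field count, an unusual login name,
# or a non-numeric UID/GID.
bad_passwd_lines() {
    awk -F: '
        NF != 7 { print NR ": field count " NF; next }
        $1 !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ { print NR ": bad login name \"" $1 "\""; next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print NR ": non-numeric UID/GID" }
    ' "$1"
}

# preflight [ROOT_PREFIX] [EXPECTED_UID]; returns 0 only if every check passes.
preflight() {
    root=${1:-}; uid=${2:-0}; rc=0
    pw="$root/etc/passwd"
    # An untrusted system has no /tcb; tsconvert creates it.
    if [ -e "$root/tcb" ]; then echo "FAIL: $root/tcb already exists"; rc=1; fi
    case $(perm_of "$pw") in
        -rw-r--r--|-r--r--r--) ;;
        *) echo "FAIL: $pw is not mode 644 or 444"; rc=1 ;;
    esac
    if [ "$(owner_of "$pw")" != "$uid" ]; then
        echo "FAIL: $pw is not owned by uid $uid"; rc=1
    fi
    case $(perm_of "$root/etc") in
        drwxr-xr-x) ;;
        *) echo "FAIL: $root/etc is not mode 755"; rc=1 ;;
    esac
    bad=$(bad_passwd_lines "$pw")
    if [ -n "$bad" ]; then echo "FAIL: passwd syntax:"; echo "$bad"; rc=1; fi
    # World-writable files or directories under /etc; none are expected.
    ww=$(find "$root/etc" ! -type l -perm -002 2>/dev/null)
    if [ -n "$ww" ]; then echo "FAIL: world-writable:"; echo "$ww"; rc=1; fi
    return $rc
}
```

Run `preflight` with no arguments as root on the live system, and still run pwck and grpck themselves for the full syntax check.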