tsm Command

Purpose

Provides terminal state management.

Syntax

tsm Port

Description

The tsm command invokes the terminal state manager, which controls the ports used in the trusted path. The functions are:

  • Establishing line communication modes and discipline - functions performed by the getty command.
  • Verifying the user's account and identity, and setting the initial process credentials and environment - functions performed by the login command.
  • Performing trusted path management if the secure attention key (SAK) is enabled for the port and the system login program is used.

Note: The tsm command is not entered on the command line.

Trusted path management occurs in two phases:

Item   Description
login  This phase is in effect if a user has not successfully logged in. If the secure attention key (SAK) signal is detected, the system restarts getty-login type processing. The next login puts the user into the trusted state, if the port and the user support the trusted state.
shell  This phase occurs after successful user authentication. The command functions according to the user's tpath attribute. The following values are valid:

       on      Provides standard trusted path management. When the secure attention key (SAK) signal is detected, all processes that access the port, except the tsm process and its siblings (including the trusted shell), are terminated the next time an attempt is made to access the port. The port is reset to its initial state and is marked as trusted, and the trusted shell command (the tsh command) is executed.
       notsh   The user session terminates when the secure attention key (SAK) signal is detected.
       always  The user is not allowed off the trusted path. The user's shell will always be the trusted shell, tsh.
       nosak   The secure attention key (SAK) is disabled for the terminal, and the user's initial program runs.
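
The following is an added example, not part of the original command reference: a POSIX shell and awk check that resolves each user's effective tpath value from a stanza file and flags users for whom the SAK is disabled or the value is not one of the four listed above. It assumes the attribute is stored in /etc/security/user-style stanzas with a default: stanza as fallback; the function names and the sample data are constructed for illustration.

```shell
# Added example. Assumed stanza layout: "name:" at column 0, indented
# "attr = value" lines, "*" comment lines, as in /etc/security/user.
# Print "user value" for every user stanza, falling back to default:.
effective_tpath() {
    awk '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }          # comments, blank lines
        /^[^ \t][^:]*:[ \t]*$/ {                    # stanza header
            name = $0; sub(/:[ \t]*$/, "", name)
            if (name != "default" && !(name in seen)) { seen[name] = 1; order[++n] = name }
            next
        }
        name != "" && /^[ \t]+tpath[ \t]*=/ {       # tpath line in current stanza
            v = $0; sub(/^[ \t]+tpath[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            tpath[name] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                v = (u in tpath) ? tpath[u] : (("default" in tpath) ? tpath["default"] : "unset")
                print u, v
            }
        }
    ' "$1"
}

# Report users whose SAK is disabled or whose value is not one the page lists.
flag_tpath() {
    effective_tpath "$1" | while read -r user value; do
        case "$value" in
            on|notsh|always) ;;
            nosak) echo "$user: SAK disabled (tpath=nosak)" ;;
            *)     echo "$user: unrecognized tpath value '$value'" ;;
        esac
    done
}

# Constructed sample input; on a real system pass /etc/security/user instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
* constructed sample, not a real system file
default:
        tpath = nosak
root:
        tpath = on
alice:
        login = true
carol:
        tpath = yes
EOF
flag_tpath "$SAMPLE"
```

In the sample, alice has no tpath line of her own and inherits nosak from the default stanza, which is the case a per-stanza grep would miss.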

You can configure the tsm command to create your home directory at login if you do not already have one. The tsm command calls the mkuser.sys command to create the home directory and customize the account. To enable this capability, set the mkhomeatlogin attribute of the usw stanza in the /etc/security/login.cfg file to true.

Security

Access Control: This command should grant execute (x) permission to any user. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode  File
r     /etc/objrepos/CuAt
r     /usr/lib/objrepos/PdAt
r     /etc/security/login.cfg
r     /etc/security/user

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

To provide terminal state management on tty0, add the following line to the /etc/inittab file:

tty0:2:respawn:/usr/sbin/tsm /dev/tty0

This initializes the port /dev/tty0 and sets up the characteristics of the port.

Files

Item                     Description
/usr/sbin/tsm            Contains the tsm command.
/etc/security/login.cfg  Contains configuration information.
/etc/security/user       Contains extended user attributes.