IBM Support

IJ45647: TRUSTCHK ERRORS MIGHT OCCUR AFTER CHOWN OR CHMOD APPLIES TO AIX 7300-02

 

APAR status

  • Closed as program error.

Error description

  • If the owner, mode or group attributes of a file are changed
    to values other than those recorded in tsd.dat, Trusted
    Execution (TE) might need to be turned off, then on again,
    with trustchk to reset its flags.
    
    For example:
    
    # trustchk -q /usr/bin/ls
    
      /usr/bin/ls:
            owner = bin
            group = bin
            mode = 555
    
    Disable TE:
    
    # trustchk -p TE=OFF
    
    Change the mode to a different value:
    
    # chmod 755 /usr/bin/ls
    
    Re-enable TE:
    
    # trustchk -p TE=ON
    
    # ls /tmp/file
      ksh: ls: cannot execute
    
    This is expected behavior.
    However, correcting the value does not cause the flags
    to be reset:
    
    Change the mode to match tsd.dat:
    
    # chmod 555 /usr/bin/ls
    
    # ls /tmp/file
      ksh: ls: cannot execute
    
    Disable TE:
    
    # trustchk -p TE=OFF
    
    # ls /tmp/file
      /tmp/file
    
    Re-enable TE:
    
    # trustchk -p TE=ON
    
    # ls /tmp/file
      /tmp/file
    
    Note: the setkst command does not resolve this issue,
    because the tsd.dat file was not updated.
    

Local fix

  • Disable, then re-enable TE
    # trustchk -p TE=OFF
    # trustchk -p TE=ON
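
The shell functions below are an added example, not part of the APAR or of any IBM tooling. They compare a file's on-disk owner, group and mode with the values in a `trustchk -q` stanza, so drift like the chmod 755 in the error description is caught before TE is turned back on. The function names are hypothetical, the stanza layout is assumed to be the one shown above, and only plain octal modes are handled.

```shell
#!/bin/sh
# Added example: compare on-disk owner/group/mode with a `trustchk -q` stanza.
# Function names are hypothetical; stanza layout is the one shown in the APAR.

# Read one stanza on stdin; print "owner group mode", or fail if one is missing.
tsd_attrs() {
    awk -F= '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "owner" { o = $2 }
        $1 == "group" { g = $2 }
        $1 == "mode"  { m = $2 }
        END { if (o == "" || g == "" || m == "") exit 1; print o, g, m }
    '
}

# attrs_match PATH OWNER GROUP MODE
# 0 = on-disk attributes match, 1 = drift, 2 = mode is not plain octal.
attrs_match() {
    case $4 in ''|*[!0-7]*) return 2 ;; esac
    # POSIX find prints PATH only if every primary is true; -perm with an
    # octal argument is an exact match on the permission bits.
    [ -n "$(find "$1" -prune -user "$2" -group "$3" -perm "$4" 2>/dev/null)" ]
}

# check_drift PATH   (stanza for PATH on stdin); prints a one-line verdict.
check_drift() {
    attrs=$(tsd_attrs) || { echo "UNPARSED $1"; return 2; }
    set -- "$1" $attrs            # $2=owner $3=group $4=mode
    rc=0; attrs_match "$@" || rc=$?
    case $rc in
        0) echo "OK $1" ;;
        1) echo "DRIFT $1: TSD expects owner=$2 group=$3 mode=$4"; return 1 ;;
        *) echo "SKIP $1: mode '$4' is not plain octal"; return 2 ;;
    esac
}

# On AIX:  trustchk -q /usr/bin/ls | check_drift /usr/bin/ls
# Offline demo on a constructed stanza (values copied from the APAR text):
printf '/usr/bin/ls:\n\towner = bin\n\tgroup = bin\n\tmode = 555\n' | tsd_attrs
```

On a level affected by this APAR, correcting a reported drift while TE is on is not enough by itself; the TE=OFF then TE=ON cycle from the local fix is still needed.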
    

Problem conclusion

  • File ownership is no longer inappropriately cached by AIX's
    Trusted Execution.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ45647

  • Reported component name

    AIX V7.3

  • Reported component ID

    5765CD300

  • Reported release

    730

  • Status

    CLOSED PER

  • HIPER

    NoHIPER

  • Submitted date

    2023-03-01

  • Closed date

    2023-03-01

  • Last modified date

    2023-11-13

  • APAR is sysrouted FROM one or more of the following:

    IJ44152

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    AIX V7.3

  • Fixed component ID

    5765CD300

Document Information

Modified date:
14 November 2023