A fix is available
APAR status
Closed as program error.
Error description
The ACL associated with a file or directory object may be lost after an archive/retrieve if all the following conditions are true: . The archive is performed from a source filesystem, and in this filesystem tree there is a symbolic link pointing to another filesystem . The source and target filesystems are of different types (example GPFS and EXT3 ) . The archive is performed with default client option "archsymlinkasfile yes" . At least one object at the target of the link has some special ACL set. During retrieve, the target of the link is retrieved in the source filesystem as directory and files because of the "archsymlinkasfile yes" option, but the ACLs are lost. This does not affect filesystems types which use same system call to access ACL. For example JFS and JFS2. As a result of this issue, when performing an archive and retrieve operation using a symbolic link, the IBM Tivoli Storage Manager client could allow a local user to access files they are otherwise not allowed to access. Tivoli Storage Manager Client Versions Affected: 6.3 , 6.4 , 7.1 on All Unix platforms, Initial Impact: Medium Additional Keywords: TSM archsymlinkasfile ANS2042W
Local fix
- Archive the source filesystem using archsymlinkasfile=no and also archive the target of the link in the same or another archive operation. - During retrieve the two filesystems will need to be retrieved.
Problem summary
**************************************************************** * USERS AFFECTED: * * Tivoli Storage Manager for Client version 6.3, 6.4 and 7.1 * * running on Linux, AIX, HPUX and Solaris * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION. * * * * For additional details, refer to the security bulletin * * published here: * * http://www.ibm.com/support/docview.wss?uid=swg21985579 * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is currently * * projected to be fixed in level 7.1.6. * * Note that this information is subject to change at the * * discretion of IBM. * **************************************************************** *
Problem conclusion
The archive operation will save ACL in case the file system border is crossed and the option archsymlinkasfile is set.
Temporary fix
A fix for this problem is currently targeted for interim fix packages 6.4.3.3 and 6.3.2.6. Note that until these interim fixes are actually available, this information is subject to change at the discretion of IBM.
Comments
APAR Information
APAR number
IT13686
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
71A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-02-09
Closed date
2016-07-08
Last modified date
2016-07-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
dsmc
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
R63A PSY
UP
R63H PSY
UP
R63L PSY
UP
R63S PSY
UP
R64A PSY
UP
R64H PSY
UP
R64L PSY
UP
R64S PSY
UP
R71A PSY
UP
R71H PSY
UP
R71L PSY
UP
R71S PSY
UP
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"71A","Line of Business":{"code":"LOB26","label":"Storage"}}]
Document Information
Modified date:
07 December 2021