A fix is available
APAR status
Closed as program error.
Error description
When DSMC starts up, the new SSL information in 8.1.2 and 7.1.8 creates several files as world writable in the config directory. World writable files and directories on machines with local untrusted users may cause a denial of service to other users. IBM Spectrum Protect Backup-Archive Client version 7.1.8, 8.1.2, 8.1.4 running on Unix platforms. Note: In 71 release the Backup-Archive Client is a prerequisite to using the Data Protection for VMware. In Data Protection for VMware environments, the Backup-Archive Client is also known as the data mover. This problem also affects IBM Spectrum Protect for Virtual Environments: Data Protection for VMware 8.1.2, 8.1.4 running on Linux x86 platform. If you are using Data Protection for VMware 8.1.2, 8.1.4 running on Linux x86 platform, refer to APAR IT25380
Local fix
Manually change the permissions on the files and directories
Problem summary
**************************************************************** * USERS AFFECTED: * * Backup-archive client versions 7.1.8, 8.1.2, 8.1.4 running * * on Unix platforms * * Data Protection for VMware versions 7.1.8, 8.1.2, 8.1.4 * * running on Linux x86 platform * **************************************************************** * PROBLEM DESCRIPTION: * * see ERROR DESCRIPTION * * For additional information, refer to the security bulletin * * published here: * * https://www.ibm.com/support/docview.wss?uid=ibm10719401 * **************************************************************** * RECOMMENDATION: * * This issue is projected to be fixed in the Backup-Archive * * Client version 7.1.8.3 and 8.1.6 on all Unix platforms. * * Note 1: In 71 release the Backup-Archive Client is a * * prerequisite to using the Data Protection for VMware. * * In Data Protection for VMware environments, the * * Backup-Archive Client is also known as the data mover. * * Note 2: This is subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
Password database files (.kdb and .idx) are now created with read permissions for everyone but write permissions only for root and the file owner.
Temporary fix
Comments
APAR Information
APAR number
IT23846
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
81L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-01-25
Closed date
2018-06-04
Last modified date
2018-09-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
R71A PSY
UP
R71H PSY
UP
R71M PSY
UP
R71S PSY
UP
R81A PSY
UP
R81H PSY
UP
R81M PSY
UP
R81S PSY
UP
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81L"}]
Document Information
Modified date:
28 September 2021