IT Services



Bypassing the TSM Security Vulnerability





1. Introduction

Updated November 2008: The instructions below detail how to reconfigure your TSM Client Scheduler so that it is no longer vulnerable to a known security exploit. These instructions are intended only for users running the TSM Client Backup software on an older operating system for which NO TSM version 5.5.1.0 or later client is available (the only exceptions being TSM 5.4.2.4+ for Mac OS X 10.4.7+).

Platform-specific instructions are given in the sections below.



1.1. Windows 95/98/ME/NT

Please contact us for instructions and assistance.



1.2. Reconfiguring TSM Schedules on Windows 2000

Reconfiguring the TSM Scheduler on Windows 2000 is a two-step process:
  1. Remove the old scheduler
  2. Install a new modified scheduler


1.2.1. Remove the old Scheduler

  1. To remove the scheduled backup service, first start cmd.exe using the [Run] option in the [Start] Menu.
  2. At the prompt type:
    c:
    cd \progra*
    cd tivoli
    cd tsm
    cd baclient
    
  3. Run the dsmcutil program to find the old services to be removed:
    dsmcutil list
    
  4. This will usually list two services, one Client Acceptor Service and one Scheduler Service. For each of the services run dsmcutil remove /name:"service_name". Note that the number at the start of each line of the listing produced in the step above is not part of the name. For example:
    dsmcutil list
    
    <... program output ...>
    
    Installed TSM Client Services:
    
       1. TSM Client Acceptor
       2. TSM Scheduler
    
    
    <... program output ...>
    
    dsmcutil remove /name:"TSM Scheduler"
    
    <... program output ...>
    
    Removing TSM Client Service 'TSM Scheduler' ...
    
    <... program output ...>
    
    dsmcutil remove /name:"TSM Client Acceptor"
    
    <... program output ...>
    
    Removing TSM Client Service 'TSM Client Acceptor' ...
    
    <... program output ...>
    
    dsmcutil list
    
    <... program output ...>
    
    No TSM Client Services were located.
    
    <... program output ...>
    


1.2.2. Install a new Scheduler

  1. Next you need to install a new scheduler which does not use the CAD. Again, select [Setup Wizard] from the [Utilities] menu. It should display the following:

    Figure /hfs/schedbkup/win-nt/515/images/mswin-setup-wizard.png []

    Choose the TSM Client Scheduler option only and click Next. A screen similar to below will appear:

  2. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-1.png []

    Ensure that the Install a new or additional scheduler option is highlighted, then click the Next button.

  3. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-2.nocad.png []

    Enter TSM Scheduler as the name given to the scheduler. Ensure that the Local Machine radio button is checked, and DO NOT select the Use the Client Acceptor Daemon (CAD) option. Click Next.

  4. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-4.png []

    This screen prompts for a path to the dsm.opt options file. This should point to the file in the installation directory of the software - by default c:\Program Files\Tivoli\TSM\baclient\dsm.opt. Ensure that this is so and click Next.

  5. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-6.png []

    Check the entry for TSM node name carefully and ensure that it matches the full Nodename under which the machine was registered for OUCS TSM Backup. Typically this will be of the format ABCD.OUCS or ABCD1234-FREETEXT-DEPT. If you are unsure of this, but can connect and run backups manually using the TSM Backup Client, then just use the NODENAME entry from the dsm.opt options file here. Do not forget to enter the TSM password in the second field before proceeding.

  6. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-7.png []

    Ideally, the services should run under the System account. If the Scheduler services are to run under any other account, please read this page before proceeding: backing up in Windows as a non-administrative user. Without the necessary rights, the Scheduler will be unable to back up all the files and objects on the local system. The System account has all the necessary rights for the entire local filestore to be backed up, and TSM advises that the service be installed under this account. You may want to select the Automatically when Windows boots option so that the services start automatically. Clicking the Next button displays the following screen.

  7. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-8.png []

    This screen prompts for the location of the schedule and error logs - by default dsmsched.log and dsmerror.log in the installation directory. OUCS recommends accepting these defaults.

  8. Figure /hfs/schedbkup/win-nt/515/images/mswin-new-sched-9.png []

    This screen offers the possibility of starting the service directly after completion of the setup wizard. This is recommended.

  9. Click Next to display the Completion screen and click the Finish button. You have now finished setting up the TSM Scheduler service and it should now start if the immediate start option was chosen. This can be checked as described in the following section.

If you have any problems please contact us for instructions and assistance.



1.3. Mac OS 8 and 9

No changes are required. The TSM client for Mac OS 8 and 9 is not vulnerable to this problem.



1.4. Mac OS X 10.2

Stop the TSM Scheduler by starting the TSM Backup for Administrators program and from the [Utilities] menu choose the 'Setup Assistant' option and then 'Help me configure the TSM Client Acceptor Daemon and the TSM Client Schedule'. On the next screen, choose the 'Remove' option. This will remove the TSM Client Acceptor Daemon from your machine and thus will bypass the security vulnerability that lies within that program.

Unfortunately, there is no patched client for this version of Mac OS X. We therefore advise that you back up manually on a regular basis.



1.5. Linux kernel versions below 2.6

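  1. Examine the process table for any running instances of 'dsmcad' and shut them down. The pattern is quoted so that the shell does not expand it against a file named dsmcad in the current directory.
    	% ps -ef | grep '[d]smcad'
    	# if any output
    	% pid=`ps -ef | grep '[d]smcad' | awk '{print $2}'`
    	% kill -TERM $pid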
    
  2. Edit the TSM config file /opt/tivoli/tsm/client/ba/bin/dsm.sys to remove the following line:
    	ManagedServices	Schedule
    
  3. If using the inittab method of launching processes then examine the /etc/inittab file and amend the following line if found, from:
    	dc:2:once:/usr/bin/dsmcad > /dev/null 2>&1
    
    to
    	dc:2:once:/usr/bin/dsmc schedule > /dev/null 2>&1
    
  4. If using init level command files, replace the file dsmcad-init (or dsmcad) in /etc/init.d with the one found at ftp://ftp.hfs.ox.ac.uk/adsm/clients/updates/linux/dsmcad-init. Ensure that this script is executable by running 'chmod 755' on it.
  5. To restart the TSM scheduler process run:
    	(/usr/bin/dsmc schedule > /dev/null 2>&1 & ) > /dev/null 2>&1 &
    
  6. Finally, check the file /var/log/dsmsched.log to ensure that a schedule has been picked up.
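
The Linux steps above can be checked afterwards with a short audit script. This is an added example, not part of the original instructions: the function names are hypothetical, the default paths are the ones given on this page, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a host for leftover CAD
# (dsmcad) configuration. Function names are hypothetical.

# True if dsm.sys has an active "ManagedServices ... Schedule" line.
# Option names are case-insensitive; lines starting with '*' are comments.
has_managedservices() {
    grep -Eiq '^[[:space:]]*managedservices[[:space:]]+.*schedule' "$1"
}

# True if an uncommented inittab entry (id:runlevels:action:process) runs dsmcad.
inittab_starts_cad() {
    grep -Eq '^[^#:]+:[^:]*:[^:]*:.*dsmcad' "$1"
}

# True if a process named dsmcad exists. Matching on the command name only
# avoids hits on unrelated command lines that merely mention dsmcad.
cad_running() {
    ps -e -o comm= 2>/dev/null | grep -Eq '(^|/)dsmcad$'
}

# Print one line per finding; return 0 if clean, 1 otherwise.
audit_cad() {
    sys=${1:-/opt/tivoli/tsm/client/ba/bin/dsm.sys}
    tab=${2:-/etc/inittab}
    rc=0
    if [ -r "$sys" ] && has_managedservices "$sys"; then
        echo "FAIL: $sys still contains ManagedServices Schedule"; rc=1
    fi
    if [ -r "$tab" ] && inittab_starts_cad "$tab"; then
        echo "FAIL: $tab still launches dsmcad"; rc=1
    fi
    if cad_running; then
        echo "FAIL: a dsmcad process is still running"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no CAD configuration found"
    return "$rc"
}

# Constructed sample files showing the "before" state the steps above remove.
demo=$(mktemp -d)
printf 'ManagedServices\tSchedule\n' > "$demo/dsm.sys"
printf 'dc:2:once:/usr/bin/dsmcad > /dev/null 2>&1\n' > "$demo/inittab"
audit_cad "$demo/dsm.sys" "$demo/inittab" || true
rm -rf "$demo"
```

Run `audit_cad` with no arguments on a real host to check the default file locations.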


1.6. Solaris 7 and 8

Please follow the Linux instructions above. If required, the new init level command file for Solaris can be found at ftp://ftp.hfs.ox.ac.uk/adsm/clients/updates/solaris/dsmcad-init.



1.7. Netware 4.x, 5.x and 6.0

  1. Unload any currently running dsmcad module.
    	MYSERVER: unload dsmcad
    
  2. Edit the TSM options file dsm.opt and remove one of the following lines if present.
    	MANAGEDSERVICES		Schedule   ## if using TSM version 4.2 or later
    	CADMODE			Schedule   ## if using TSM version 4.1 or later
    
  3. If you start the TSM scheduler automatically at boot time via the autoexec.ncf file, then amend the entry from:
    	load dsmcad
    	to
    	load dsmc schedule
    
  4. To restart the TSM Scheduler immediately run:
    	load dsmc schedule
    
  5. Note that you should periodically restart this process to free up system resources.
  6. Finally, check the latest entries in the dsmsched.log to ensure that a scheduled backup slot has been found.