
AIX Security: World writable .com_ibm_tools_attach files

Troubleshooting


Problem

A security scan tool has reported the following:
 World writable file: /tmp/.com_ibm_tools_attach/12452332/attachNotificationSync.
 World writable file: /tmp/.com_ibm_tools_attach/9699604/attachNotificationSync.
 World writable file: /tmp/.com_ibm_tools_attach/_controller.
 World writable file: /tmp/.com_ibm_tools_attach/_notifier.

Cause

The /tmp/.com_ibm_tools_attach directory and its files are created by the Java virtual machine (JVM).
The Attach API is an extension that provides a mechanism to attach to a running Java virtual machine. The API creates files and directories in a common directory. By default, the common directory is /tmp/.com_ibm_tools_attach.
The directory has the sticky bit set. On a world-writable directory, the sticky bit allows only the owner of an entry (or root) to delete or rename it, which keeps one user's entries isolated from another's, while the write permissions on the files let JVM processes of different users coordinate without strict ownership restrictions.
This directory contains files such as _attachlock, _master, and _notifier, which are used only for synchronization. These files can be owned by any user and must have read and write permission for all users. However, you can remove the execute permission on these files, if it is present. The files are empty and are re-created automatically if they are deleted.

In summary:
  • The common directory /tmp/.com_ibm_tools_attach must have owner, group, and world read, write, and execute permissions, and the sticky bit must be set.
  • The common files _attachlock, _master, and _notifier must have owner, group, and world read and write permissions.
  • Execute permissions are not required.
Caution:
Avoid the following actions with the common directory, as they might cause problems.
  • Deleting the directory.
  • Deleting its contents.
  • Changing the permissions of the directory or its contents.
Potential consequences of modifications include:
  • Semaphore leaks: Excessive numbers of unused shared semaphores may remain open.
  • Application failures: Processes relying on these files for synchronization may fail to start or operate correctly.
  • Data corruption: If the coordination between processes is interrupted, this might cause inconsistent or corrupted shared states.

An example of an existing directory with files:
/tmp/.com_ibm_tools_attach # ls -lrt
total 0
-rw-rw-r-- 1 root system 0 Oct 09 2020 _notifier
-rwxrwxr-x 1 root system 0 Oct 09 2020 _master
-rw-rw-rw- 1 root system 0 Oct 09 2020 _attachlock
-rw-rw-rw- 1 root system 0 Sep 09 2022 _controller
drwx--x--t 2 root system 256 Sep 15 2022 9240878
Explanation:
9240878 is the PID of a process that used the API. If process 9240878 is no longer running, it probably crashed or was killed and left the subdirectory behind.
If a Java application ends abnormally, for example after a crash or a SIGKILL signal, its process subdirectory is not deleted. The Java VM detects and removes obsolete subdirectories where possible. The subdirectory can also be deleted by the owning user ID. If that PID is not active, you can probably remove the subdirectory.
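The following script is an added example, not part of this IBM document or of the JVM. It is a read-only audit that checks a common directory against the requirements listed above (directory drwxrwxrwt; synchronization files readable and writable by all users, execute bits optional) and reports PID-named subdirectories whose process is no longer running, so a scanner finding can be explained before anything is deleted or chmod'ed. It assumes a POSIX sh and that ls, cut and ps behave as on AIX and Linux (no GNU stat); the make_demo_dir function builds a constructed fixture that mirrors the listing above and is not a real system directory.

```shell
#!/bin/sh
# Read-only audit of the Attach API common directory. Added example, not part
# of the IBM document. It reports deviations from the stated requirements and
# leftover PID subdirectories; it never deletes or chmods anything.
# Assumptions: POSIX sh; ls -ld, cut and ps behave as on AIX and Linux.

# 10-character mode string of a path, e.g. drwxrwxrwt or -rw-rw-rw-.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# True if a process with this PID is running. /proc/<pid> exists on AIX and
# Linux; ps -p is the fallback and works for any user's processes.
pid_alive() {
    [ -d "/proc/$1" ] || ps -p "$1" >/dev/null 2>&1
}

# Audit one common directory. Prints one line per observation and returns the
# number of findings (0 means the directory matches the stated requirements).
audit_attach_dir() {
    dir=${1:-/tmp/.com_ibm_tools_attach}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "NOTE: $dir does not exist (Attach API unused or disabled)"
        return 0
    fi

    # Directory must be rwx for owner, group and world, plus sticky bit: drwxrwxrwt.
    mode=$(mode_of "$dir")
    if [ "$mode" != "drwxrwxrwt" ]; then
        echo "FINDING: $dir mode is $mode, expected drwxrwxrwt"
        findings=$((findings + 1))
    fi

    # Synchronization files must be rw for owner, group and world; execute bits are optional.
    for name in _attachlock _master _notifier; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        mode=$(mode_of "$f")
        rw=$(echo "$mode" | cut -c2,3,5,6,8,9)   # the six read/write positions
        x=$(echo "$mode" | cut -c4,7,10)         # the three execute positions
        if [ "$rw" != "rwrwrw" ]; then
            echo "FINDING: $f mode is $mode, expected read and write for all users"
            findings=$((findings + 1))
        elif [ "$x" != "---" ]; then
            echo "INFO: $f has execute bits ($mode); they are not required and may be removed"
        fi
    done

    # Numeric subdirectories belong to JVM processes; one whose PID is gone is a leftover.
    for sub in "$dir"/*; do
        [ -d "$sub" ] || continue
        pid=$(basename "$sub")
        case "$pid" in
            *[!0-9]*) continue ;;   # not a PID-named subdirectory
        esac
        if pid_alive "$pid"; then
            echo "OK: $sub belongs to running process $pid"
        else
            echo "STALE: $sub left by process $pid, which is not running; its owner may remove it"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed fixture (not a real system): a directory laid out like the one
# in this document, with one live and one stale PID subdirectory. Prints its path.
make_demo_dir() {
    stale_pid=$1
    live_pid=$2
    d=$(mktemp -d) || return 1
    chmod 1777 "$d"
    for name in _attachlock _notifier; do
        : > "$d/$name"
        chmod 666 "$d/$name"
    done
    : > "$d/_master"
    chmod 777 "$d/_master"                       # execute bits present, as in the listing above
    mkdir "$d/$stale_pid" "$d/$live_pid"
    chmod 1711 "$d/$stale_pid" "$d/$live_pid"    # drwx--x--t, like the PID subdirectory above
    echo "$d"
}

# Usage: audit the real directory, or one given as the first argument.
audit_attach_dir "${1:-/tmp/.com_ibm_tools_attach}" || echo "$? finding(s) reported"
```

Run it as the user who owns the JVM processes or as root; a STALE line names a subdirectory the owning user can consider removing per the explanation above, while FINDING lines point at permissions that differ from what the JVM expects, which is something to discuss with the application's support before changing.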

Resolving The Problem

You can disable the Attach API if you do not intend to use it. Consult your Java application support team to determine the correct actions to disable the API, or to remove or change files.
SUPPORT

AIX Support can provide usage support to extend hardening when customers have specific questions. Some restrictions might prevent applications from running. In some cases, Role Based Access Control can be used to grant access for particular files or applications. If customers have specific files they want to restrict, they can engage AIX Support to learn about the source and general use of the file. They can then make decisions based on their environment and the requirements for that function.

There are fee-based services available for security analysis or consultation:

Read more about IBM Technology Services (Formerly Systems Lab Services)
 - See more details about AIX, Linux, and Red Hat OpenShift Security Services
           https://www.ibm.com/support/pages/node/6584155
If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data

Document Location

Worldwide


Document Information

Modified date:
22 November 2024

UID

ibm17177003