IBM Support

PJ33670: FNLCACHE.EXE CORRUPTS DEFAULTACCESSPERMISSION REGISTRY KEY


APAR status

  • Closed as change to accommodate OEM Vendor's code.

Error description

  • ***PLEASE PROVIDE THE FOLLOWING INFORMATION
    THIS FIELD IS REQUIRED.***
    Description of Problem (full details)
    1. Registry value: DefaultAccessPermission, located under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, is the problem key.
    2. SIDs associated with the bad key:
      S-1-5-21-946805077-304051526-802096320-167401 - this is a
    dlg for default DCOM access permissions on the web servers
      S-1-5-21-969169982-4228242029-417033615-1015 - this SID
    does not resolve; querying its name with psgetsid.exe returns an
    error.
    3. THE ROOT CAUSE AND TECHNICAL DESCRIPTION OF THE PROBLEM:
      The application making the change formats the security
    descriptor it sets incorrectly. The AccessMask values are mixed:
    some ACEs carry an AccessMask of 0x1 while others carry 0x7 or
    0x3. This means the ACL is invalid and the machine is in a
    potentially bad state. It shows no symptoms on Windows Server
    2003 RTM (a SF Webserver), which was more lax in how it handled
    this, but after upgrading to Windows Server 2003 SP1 the machine
    ends up in the state you are seeing, because SP1 (and Windows XP
    SP2) do not allow the access masks to be mixed.
    
      Here is the MSDN documentation that specifically talks about
    why this problem exists:
    
      http://msdn2.microsoft.com/en-us/library/ms679714.aspx
    
      To provide backward compatibility, an ACL can exist in the
    format used before Windows XP SP2 and Windows Server 2003 SP1,
    which uses only the access right COM_RIGHTS_EXECUTE, or it can
    exist in the new format used in Windows XP SP2 and Windows
    Server 2003 SP1, which uses COM_RIGHTS_EXECUTE together with a
    combination of COM_RIGHTS_EXECUTE_LOCAL,
    COM_RIGHTS_EXECUTE_REMOTE, COM_RIGHTS_ACTIVATE_LOCAL, and
    COM_RIGHTS_ACTIVATE_REMOTE. Note that COM_RIGHTS_EXECUTE must
    always be present. The absence of this right generates an
    invalid security descriptor. Also note that you must not mix
    the old format and the new format within a single ACL. Either
    all access control entries (ACEs) must grant only the
    COM_RIGHTS_EXECUTE access right, or they all must grant
    COM_RIGHTS_EXECUTE together with a combination of
    COM_RIGHTS_EXECUTE_LOCAL, COM_RIGHTS_EXECUTE_REMOTE,
    COM_RIGHTS_ACTIVATE_LOCAL, and COM_RIGHTS_ACTIVATE_REMOTE. For
    more information, see DCOM Security Enhancements in
      Windows XP Service Pack 2 and Windows Server 2003 Service
    Pack 1.
    How long has the problem been occurring (recent changes)? :
    Always, as near as can be determined.
    Does this occur on more than one station / server? :
    Yes
    Is there a workaround? :
    No
    What is the impact to the customer/system? :
    Some MS Apps may generate errors when using the enhanced
    security in WS2003 SP1
    Can the problem be replicated on an internal system?  Y or N -
    N
    By Who (L3, Support, etc..)
    Steps to Reproduce:
    1. Install Web Services 4.0.1 on a WS2003 server with SP1.
    2. Run \FileNET\IDM\FnLCache.exe /RegServerDCOM
    3. Observe the DefaultAccessPermission registry value under
    HKLM\Software\Microsoft\OLE.
    Actual Results:
    Registry key is corrupted.
    Expected Results:
    Should not see corruption.
    Are there any similar or related Defects? If Y provide ECMDB#s
    N
    What logs were collected and where are they located?
    NA
    Configuration/Environment :
    Server OS : WS2003 SP1
    Client OS : NA
    Database : NA
    Network: TCP/IP
    App Server : NA
    Browser : NA
    Note if non US Language: N
    Other Product Component Versions: IIS 6.0, FnLCache.exe
    400.2005.124.1342
    Non Web Environment  Y or N
    N
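
    To make the MSDN rule above concrete, here is an added example (not
    FileNET, IBM or Microsoft code) in Python that parses a self-relative
    security descriptor of the kind stored in the DefaultAccessPermission
    REG_BINARY value and reports whether its DACL is in the old format
    (COM_RIGHTS_EXECUTE only), the new format, or the rejected mix. It
    also implements step 3 of the reproduction above as a check rather
    than a visual inspection. The sample descriptors are constructed in
    the block with a small builder; the SIDs for SYSTEM (S-1-5-18) and
    INTERACTIVE (S-1-5-4) are well-known, the domain SID is copied from
    the report, and the byte layouts follow the Windows
    SECURITY_DESCRIPTOR_RELATIVE, ACL and ACCESS_ALLOWED_ACE structures.

```python
# Added example (not IBM/FileNET code): parse a self-relative security
# descriptor such as the REG_BINARY value
# HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission and flag the
# old/new COM access-mask mix that Windows Server 2003 SP1 / XP SP2 reject.
import struct

# COM access rights as documented on the MSDN page cited above (ms679714)
COM_RIGHTS_EXECUTE = 0x01
COM_RIGHTS_EXECUTE_LOCAL = 0x02
COM_RIGHTS_EXECUTE_REMOTE = 0x04
COM_RIGHTS_ACTIVATE_LOCAL = 0x08
COM_RIGHTS_ACTIVATE_REMOTE = 0x10
NEW_FORMAT_BITS = (COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE
                   | COM_RIGHTS_ACTIVATE_LOCAL | COM_RIGHTS_ACTIVATE_REMOTE)

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, Mask (SID follows)


def sid_to_bytes(sid):
    """'S-1-5-32-544' -> binary SID (revision, count, 48-bit authority, subs)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_str(data, off):
    """Decode the binary SID at data[off:]; returns (sid_string, byte_length)."""
    rev, count = data[off], data[off + 1]
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    text = "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))
    return text, 8 + 4 * count


def build_dacl_sd(aces):
    """Build a self-relative SD whose DACL holds one ACCESS_ALLOWED ACE per
    (sid_string, access_mask) pair.  Used here only to construct samples."""
    blobs = []
    for sid, mask in aces:
        sid_b = sid_to_bytes(sid)
        ace = struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask)
        blobs.append(ace + sid_b)
    body = b"".join(blobs)
    acl = struct.pack(ACL_HEADER, 2, 0, 8 + len(body), len(aces), 0) + body
    hdr = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return hdr + acl


def dacl_aces(sd):
    """Walk the DACL of a self-relative SD; returns [(ace_type, sid, mask)]."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []          # no DACL present: nothing to inspect
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, sd, dacl_off)
    off, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, sd, off)
        sid, _ = sid_to_str(sd, off + 8)
        out.append((ace_type, sid, mask))
        off += ace_size    # AceSize covers header + SID, so padding is skipped too
    return out


def check_com_dacl(sd):
    """Classify the DACL as 'old', 'new', 'mixed' or 'empty' and list every
    violation of the two MSDN rules: EXECUTE always present, formats not mixed."""
    problems, old, new = [], 0, 0
    for _, sid, mask in dacl_aces(sd):
        if not mask & COM_RIGHTS_EXECUTE:
            problems.append("%s: COM_RIGHTS_EXECUTE missing (mask 0x%x)" % (sid, mask))
        if mask & NEW_FORMAT_BITS:
            new += 1
        else:
            old += 1
    fmt = "mixed" if old and new else "new" if new else "old" if old else "empty"
    if fmt == "mixed":
        problems.append("ACL mixes COM_RIGHTS_EXECUTE-only ACEs (0x1) with new-format ACEs")
    return fmt, problems


# Constructed samples (not captured from a real server).  SYSTEM is S-1-5-18,
# INTERACTIVE is S-1-5-4; the domain SID is the one quoted in the report.
SAMPLE_OLD = build_dacl_sd([("S-1-5-18", 0x1), ("S-1-5-4", 0x1)])
SAMPLE_MIXED = build_dacl_sd([("S-1-5-18", 0x1),
                              ("S-1-5-21-946805077-304051526-802096320-167401", 0x7),
                              ("S-1-5-4", 0x3)])
# all five rights for SYSTEM and INTERACTIVE, as the Patch 3 conclusion describes
SAMPLE_FIXED = build_dacl_sd([("S-1-5-18", 0x1f), ("S-1-5-4", 0x1f)])

if __name__ == "__main__":
    for name, sd in ("old", SAMPLE_OLD), ("mixed", SAMPLE_MIXED), ("fixed", SAMPLE_FIXED):
        print(name, check_com_dacl(sd))
```

    On a live server, read the bytes in PowerShell with
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultAccessPermission
    (or export the key with reg export) and pass them to check_com_dacl().
    The same descriptor format and the same rules apply to
    DefaultLaunchPermission and to the per-AppID AccessPermission and
    LaunchPermission values, so the check can be run over all of them.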
    

Local fix

Problem summary

  • When using MS Win W2k3 SP1/Win XP SP2 as reported. MS has introdu
    

Problem conclusion

  • IDM DT/WS 4.0.2 Patch 3 contains a fix for this defect. The reg
    keys in question will now have all 5 permissions granted for the
    'System' and 'Interactive' IDs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ33670

  • Reported component name

    WEB SERVICES

  • Reported component ID

    5724S0300

  • Reported release

    400

  • Status

    CLOSED OEM

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-05-22

  • Closed date

    2008-06-13

  • Last modified date

    2008-06-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R402 PSY

       UP


Document Information

Modified date:
13 June 2008