Notification
Risk classification
HIPER (High Impact and/or Pervasive)
Risk categories
Data Access Loss
Abstract
IBM has identified a data access problem in IBM Storage Scale 5.2.3.0 and 5.2.3.1 regarding the SMB protocol and access control lists (ACLs).
The problem occurs with the use of inherited ACLs on directories or files that are created or modified through the SMB protocol.
Description
With folders (directories) that include inherited ACL entries, files created in the folder are defined with the default ACL entries rather than the entries that are defined in the inherited ACL from the folder. The problem was introduced by a regression in the SMB protocol code shipped with IBM Storage Scale 5.2.3.0 and 5.2.3.1. Files that are impacted by this problem cannot be determined in an automated fashion; they must be found and their ACLs corrected manually. Here is an example of the scenario that exposes the problem. Consider a directory with the following ACL:
Example where a directory is prepared with inheritance:
| # mmgetacl .
| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| special:owner@:rwxc:allow:FileInherit:DirInherit:Inherited
| (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
| (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
| (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
| (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:----:allow:FileInherit:DirInherit:Inherited
| (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED
| (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
In that directory, a Windows (SMB) client creates a file with a very simple command, like dir > dir.txt.
Example of the ACL for the file created in that directory:
| # mmgetacl dir.txt
| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| #ACL flags:
| # NULL_DACL
| # NULL_SACL
| special:owner@:rwxc:allow:Inherited
| (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
| (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:r--c:allow:Inherited
| (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
| (X)DELETE (X)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:r---:allow:Inherited
| (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED
| (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
Example of the ACL that the file should have:
| #NFSv4 ACL
| #owner:<user>
| #group:<group>
| special:owner@:rwxc:allow:Inherited
| (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
| (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:group@:rwxc:allow:Inherited
| (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
| (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
|
| special:everyone@:----:allow:Inherited
| (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED
| (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
Problem Determination
The problem can be determined by checking the version of the installed SMB protocol package.
The rpm name contains one of the following versions:
- samba-4.20.7-gpfs-6-IBM
- samba-4.20.8-gpfs-7-IBM
To detect the files affected, use the policy rule mentioned below.
Users Affected
- This issue affects customers that use the SMB protocol. Users may not know if ACL inheritance is in use, but it commonly is.
- A non-default permission mode of the fileset in use can prevent the issue: SetAclOnly.
- IBM Storage Scale Container Native (CNSA) clusters are not affected and can remain on CNSA 5.2.3.0 or CNSA 5.2.3.1 levels. However, a remotely mounted storage cluster is affected if CES SMB is in use and running the affected SMB versions. If this is the case, you must follow the recommended action that is described in this notification.
Recommended Action
IBM Storage Scale customers that are affected are strongly encouraged to upgrade to Storage Scale 5.2.3.2:
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.2.3&platform=All&function=all
IBM Storage Scale customers that are affected and cannot upgrade to Storage Scale 5.2.3.2 need to contact support to ask for an interim fix (e-fix) for 5.2.3.0 or 5.2.3.1.
- 5.2.3.0: APAR IJ55167
- 5.2.3.1: APAR IJ55167
This interim fix will contain a lower version of the gpfs-smb package ("downgrade").
Until the fix is applied:
Users may prevent most of the problem by activating a fileset permission mode that prevents chmod, as in this example for the root fileset of file system gpfs0:
mmchfileset gpfs0 root --allow-permission-change setAclOnly
Any ACLs generated with the problematic version will still need to be verified.
Here's a policy rule to list all potentially affected files.
# cat policy_acl
/* note that all timestamps are UTC
 * 'CREATED' and 'MODIFIED' are variables to be specified when mmapplypolicy is invoked
 * format is: YYYY-mm-dd [HH:MM]
 */
RULE EXTERNAL LIST 'Files'
RULE LIST 'Files' DIRECTORIES_PLUS
SHOW (PATH_NAME || ' ' || varchar(CREATION_TIME) || ' ' || varchar(MODIFICATION_TIME) || ' ' || MISC_ATTRIBUTES)
WHERE ((CREATION_TIME >= TIMESTAMP('CREATED')) OR (MODIFICATION_TIME >= TIMESTAMP('MODIFIED'))) AND (MISC_ATTRIBUTES like '%+%')
# mmapplypolicy /gpfs/fs2/ACLTEST -M CREATED="2025-07-01" -M MODIFIED="2025-07-01" -P policy_acl -I defer -f /tmp/my
This will generate a file /tmp/my.list.Files.
# cat /tmp/my.list.Files
265139 600944238 0 /gpfs/fs2/ACLTEST/ACLDIR/acl2 2025-07-01 14:43:01.611415 2025-07-01 14:43:01.612228 FdA+u -- /gpfs/fs2/ACLTEST/ACLDIR/acl2
265323 1504043104 0 /gpfs/fs2/ACLTEST/ACLDIR 2025-07-01 14:39:42.064006 2025-07-01 14:43:01.611415 Dd+u -- /gpfs/fs2/ACLTEST/ACLDIR
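The policy rule above only lists candidate files; each one still has to be compared against its parent directory, as in the Description section. The following script is an added example (not IBM's code) that parses mmgetacl NFSv4 output and reports entries whose permissions differ from the directory's FileInherit entries. It assumes, as the advisory's "should have" listing shows, that an inherited entry carries the same rwxc permissions as the directory entry it came from; the sample ACL text is constructed from the listings on this page and trimmed.

```python
"""Added check (not IBM's code): flag file ACL entries that do not match
the parent directory's FileInherit entries in mmgetacl NFSv4 output."""
import re

# One ACE header line of mmgetacl output: kind:who:rwxc:allow|deny[:flag...]
ACE_RE = re.compile(r"^(\w+):([^:]+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")


def parse_acl(text):
    """Return {(kind, who, allow|deny): (rwxc, set_of_flags)}.
    '#' header lines and the indented (X)/(-) detail lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            flags = set(filter(None, m.group(5).split(":")))
            entries[(m.group(1), m.group(2), m.group(4))] = (m.group(3), flags)
    return entries


def find_mismatches(dir_text, file_text):
    """Assumption: each FileInherit ACE of the directory should appear on the
    file with identical rwxc permissions. Returns (key, expected, found)."""
    actual = parse_acl(file_text)
    problems = []
    for key, (perms, flags) in parse_acl(dir_text).items():
        if "FileInherit" not in flags:
            continue
        got = actual.get(key)
        if got is None or got[0] != perms:
            problems.append((key, perms, None if got is None else got[0]))
    return problems


# Constructed samples, trimmed from the advisory's mmgetacl listings.
DIR_ACL = """#NFSv4 ACL
#owner:<user>
#group:<group>
special:owner@:rwxc:allow:FileInherit:DirInherit:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL
special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
special:everyone@:----:allow:FileInherit:DirInherit:Inherited
"""
BAD_FILE_ACL = """#NFSv4 ACL
#ACL flags:
# NULL_DACL
special:owner@:rwxc:allow:Inherited
special:group@:r--c:allow:Inherited
special:everyone@:r---:allow:Inherited
"""

if __name__ == "__main__":
    for key, want, got in find_mismatches(DIR_ACL, BAD_FILE_ACL):
        print(f"{key[1]}: expected {want}, found {got}")
```

On a live system, feed it the output of `mmgetacl <dir>` and `mmgetacl <file>` for each path taken from /tmp/my.list.Files.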
Reference ID
351782 351592
Date first published
02 July 2025
Document Information
Modified date:
11 July 2025
UID
ibm17238672