Bugtraq mailing list archives

Re: Arkeia Possible remote root & information leakage


From: Joe Glass <joe () glass cl msu edu>
Date: Fri, 17 Aug 2001 13:13:28 -0400

More importantly, you could run a command as root on any box that is
backed up by Arkeia.  (I'm sure you already know this, but it wasn't
completely clear in this e-mail).  I forwarded your e-mail to the Arkeia
userlist.  It seems as though the moderators at Knox don't let these
e-mails show up on their userlist though.  I forwarded the last security
issue that was talked about on Bugtraq to the userlist several times,
but it never appeared.  Which doesn't make sense to me.

##Implications
the password (effectively a root password) once you have access through
the gui, you have the possibility of running a command from the gui
before and after the backup job. This command is run as root and can be
anything. Therefore you have full access to the box to do with as you
please.

-- 
Joe Glass
Technical Support Services, Michigan State University
phone:  517-355-4500 x240
e-mail: joe () glass cl msu edu

