Bugtraq mailing list archives
RE: permission probs with Arkeia
From: "Thomas Broniecki" <tb () joslyn org>
Date: Wed, 25 Jul 2001 16:51:31 -0500
Yup, the /usr/knox/arkeia/dbase is a directory tree structure for all the backup routines and I too can access files as a non-privileged user. I have looked for actual file names in the dbase/ directory, but haven't found any in plain text yet. Although I could view my directory structures, library information files, DAT pack information files, and master id number. Scary for sure. Nonetheless, if you have active non-privileged users on the backup server, those permissions stink. There shouldn't be anyone viewing directory information or anything else for that matter regarding backups. I don't allow any other user on my backup server, no need to. Until Knox fixes this, deny non-privileged users on the box if you can. In any case, Knox needs to fix this issue. If anything, drastically limit the access to only root or a privileged backup account.

tb.
-----Original Message-----
From: bwatson () www nettracers com [mailto:bwatson () www nettracers com] On Behalf Of Bryan K. Watson
Sent: Wednesday, July 25, 2001 12:57 PM
To: bugtraq () securityfocus com
Subject: Re: permission probs with Arkeia

I have tested this and I can read the contents of all database files as an unprivileged user in our ARKEIA servers. So if I can get all directory information from the ARKEIA backup trees, and I can get the filenames from the database files, then I can launch specific exploits to grab the files that I am interested in...dangerous, considering that most cracking takes place from within the company according to published stats.

-Bryan
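An added example, not part of either message and not Arkeia's own tooling: a shell audit for the condition discussed in this thread, listing every file and directory under the catalog tree that grants any access to "other" and then removing that access. The path is the one named in the posts; the function names and the `ARKEIA_DBASE` variable are hypothetical, and the script assumes the backup software runs as the tree's owner and does not itself rely on "other" permissions.

```shell
#!/bin/sh
# Added example: audit and tighten a backup catalog tree.
# ARKEIA_DBASE is a hypothetical override; the default is the path from the thread.
ARKEIA_DBASE="${ARKEIA_DBASE:-/usr/knox/arkeia/dbase}"

# Print every regular file or directory under $1 that grants read, write
# or execute/search to "other". Symlinks are skipped (their mode is not used).
list_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Number of entries still exposed to "other"; 0 means the tree is closed.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Strip all "other" bits recursively; owner and group bits are left alone,
# so root or a dedicated backup account/group keeps its access.
restrict_tree() {
    chmod -R o-rwx "$1"
}

# Stand-alone use:  script audit   |   script restrict
case "${1:-}" in
    audit)
        list_world_accessible "$ARKEIA_DBASE"
        ;;
    restrict)
        restrict_tree "$ARKEIA_DBASE"
        echo "entries still accessible to other: $(count_world_accessible "$ARKEIA_DBASE")"
        ;;
esac
```

Run the audit again after any product upgrade or reinstall, since an installer may recreate the tree with its default modes.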