Yup, the /usr/knox/arkeia/dbase is a directory tree structure for all the backup routines, and I too can access files as a non-privileged user. I have looked for actual file names in the dbase/ directory, but haven't found any in plain text yet. Although I could view my directory structures, library information files, DAT pack information files, and master id number. Scary for sure.

Nonetheless, if you have active non-privileged users on the backup server, those permissions stink. There shouldn't be anyone viewing directory information or anything else for that matter regarding backups. I don't allow any other user on my backup server, no need to. Until Knox fixes this, deny non-privileged users on the box if you can. In any case, Knox needs to fix this issue. If anything, drastically limit the access to only root or a privileged backup account.

tb.

> -----Original Message-----
> From: bwatsonat_private [mailto:bwatsonat_private]On Behalf Of Bryan K. Watson
> Sent: Wednesday, July 25, 2001 12:57 PM
> To: bugtraqat_private
> Subject: Re: permission probs with Arkeia
>
> I have tested this and I can read the contents of all database files as an unprivileged user in our ARKEIA servers. So if I can get all directory information from the ARKEIA backup trees, and I can get the filenames from the database files, then I can launch specific exploits to grab the files that I am interested in...dangerous, considering that most cracking takes place from within the company according to published stats.
>
> -Bryan
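
An added example, not part of either message and not Knox's code: a permission audit for the dbase tree discussed above, which lists every entry that grants access to users outside the owner and group and can clear those bits. Only the path /usr/knox/arkeia/dbase comes from the thread; the function names are this example's own, and it assumes the tree is already owned by root or the backup account.

```python
import os
import stat
import sys

# Directory named in the thread; the helpers below are this example's own.
ARKEIA_DBASE = "/usr/knox/arkeia/dbase"
OTHER_BITS = stat.S_IRWXO  # read, write and execute/search for "other"


def walk_entries(root):
    """Yield root itself and every file and directory beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_tree(root):
    """Return sorted (path, mode string) pairs for entries that grant
    any permission to users outside the owner and group."""
    findings = []
    for path in walk_entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        if st.st_mode & OTHER_BITS:
            findings.append((path, stat.filemode(st.st_mode)))
    return sorted(findings)


def restrict_tree(root):
    """Clear the "other" bits on every finding; return how many changed."""
    findings = audit_tree(root)
    for path, _ in findings:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~OTHER_BITS)
    return len(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else ARKEIA_DBASE
    if not os.path.isdir(root):
        sys.exit(f"{root}: not a directory")
    for path, mode in audit_tree(root):
        print(mode, path)  # report only; call restrict_tree() to fix
```

Run as a script it only reports; restrict_tree() has to be called explicitly and leaves owner, group and setuid/sticky bits untouched.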
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 14:36:12 PDT