RE: permission probs with Arkeia

From: Thomas Broniecki (tb@joslyn.org)
Date: 07/25/01


From: "Thomas Broniecki" <tb@joslyn.org>
To: <bugtraq@securityfocus.com>
Subject: RE: permission probs with Arkeia
Date: Wed, 25 Jul 2001 16:51:31 -0500
Message-ID: <000201c11553$f7af1540$0700a8c0@joslyn.org>

Yup, the /usr/knox/arkeia/dbase is a directory tree structure for all the
backup routines and I too can access files as a non-privileged user. I have
looked for actual file names in the dbase/ directory, but haven't found any
in plain text yet, although I could view my directory structures, library
information files, DAT pack information files, and master id number. Scary
for sure.

Nonetheless, if you have active non-privileged users on the backup server,
those permissions stink. There shouldn't be anyone viewing directory
information or anything else for that matter regarding backups. I don't
allow any other user on my backup server, no need to. Until Knox fixes this,
deny non-privileged users on the box if you can.

In any case, Knox needs to fix this issue. If anything, drastically limit
the access to only root or a privileged backup account.

tb.

> -----Original Message-----
> From: bwatson@www.nettracers.com [mailto:bwatson@www.nettracers.com]On
> Behalf Of Bryan K. Watson
> Sent: Wednesday, July 25, 2001 12:57 PM
> To: bugtraq@securityfocus.com
> Subject: Re: permission probs with Arkeia
>
>
> I have tested this and I can read the contents of all database files as
> an unprivileged user in our ARKEIA servers. So if I can get all
> directory information from the ARKEIA backup trees, and I can get the
> filenames from the database files, then I can launch specific exploits
> to grab the files that I am interested in...dangerous, considering that
> most cracking takes place from within the company according to published
> stats.
>
> -Bryan
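
A defender's check for the exposure discussed in this thread, as an added example that is not part of the original messages or of Knox's software: it lists entries under a backup catalogue tree that grant any permission to "other" and can strip those bits. The function names are hypothetical, and whether Arkeia keeps working with the tightened modes is an assumption to verify on your own server.

```shell
#!/bin/sh
# Usage (as root on the backup server): sh audit.sh /usr/knox/arkeia/dbase
# Audits only; restrict_tree is a separate, explicit step.

# Print every non-symlink entry under DIR that grants read, write or
# execute/search to "other". Symlinks are skipped: their own mode is
# always lrwxrwxrwx and says nothing about the target.
list_exposed() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries (0 means the tree is closed to "other").
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Report with mode, owner and group for each finding.
report_exposed() {
    list_exposed "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Remove all "other" permissions, leaving owner and group bits untouched.
# Assumption: the backup daemons run as the owner or group of the tree;
# the thread does not say, so run a test backup and restore afterwards.
restrict_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" ! -type l -exec chmod o-rwx {} +
}

# Audit entry point: returns 0 when nothing is exposed, 1 otherwise.
main() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    n=$(count_exposed "$1")
    report_exposed "$1"
    echo "$n entries accessible to other users under $1"
    [ "$n" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
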


