[21858] in bugtraq
Re: permission probs with Arkeia
daemon@ATHENA.MIT.EDU (Bryan K. Watson)
Wed Jul 25 15:39:40 2001
Message-ID: <3B5F0855.DBCCAAED@cyberdude.com>
Date: Wed, 25 Jul 2001 10:56:37 -0700
From: "Bryan K. Watson" <bwatson@cyberdude.com>
Reply-To: bwatson@cyberdude.com
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
I have tested this and I can read the contents of all database files as
an unprivileged user in our ARKEIA servers. So if I can get all
directory information from the ARKEIA backup trees, and I can get the
filenames from the database files, then I can launch specific exploits
to grab the files that I am interested in...dangerous, considering that
most cracking takes place from within the company according to published
stats.
-Bryan
Thomas Broniecki wrote:
>
> I'm running commercial version arkeia-server v4.2.8-2, arkeia-client
> v4.2.15-1 on RedHat 6.2 w/ kernel 2.2.19. NLSERVD is run by root and all my
> permissions are 755 in the /usr/knox/arkeia/dbase directory. I have not
> noticed a permissions issue with my backup server dbase file sets.
>
> Check to see if NLSERVD is run by root. who is the owner and group of the
> directory dbase/?
>
> tb.
>
