I have tested this and I can read the contents of all database files as
an unprivileged user in our ARKEIA servers. So if I can get all
directory information from the ARKEIA backup trees, and I can get the
filenames from the database files, then I can launch specific exploits
to grab the files that I am interested in...dangerous, considering that
most cracking takes place from within the company according to published
stats.
-Bryan
Thomas Broniecki wrote:
>
> I'm running commercial version arkeia-server v4.2.8-2, arkeia-client
> v4.2.15-1 on RedHat 6.2 w/ kernel 2.2.19. NLSERVD is run by root and all my
> permissions are 755 in the /usr/knox/arkeia/dbase directory. I have not
> noticed a permissions issue with my backup server dbase file sets.
>
> Check to see if NLSERVD is run by root. who is the owner and group of the
> directory dbase/?
>
> tb.
>
