6786120 2001-07-23 13:16 -0500  /23 lines/ Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-07-23  21:41  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18268>
Subject: permission probs with Arkeia
------------------------------------------------------------
From: Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
To: <bugtraq@securityfocus.com>
Message-ID: <B781D41F.42C%daniel-wittenberg@uiowa.edu>

While working with the commercial version of Arkeia backup software I
noticed it creates most of its "database" files with the permissions
of 666.  This was version 4.2.8-2 of the server, and I had noticed
this several updates ago, so it's been going on for some time.  The
database files are located in /usr/knox/arkeia/dbase.  I have tried
resetting the permissions on the files, but they get reset again when
backup runs again.  I tried contacting Knox Software but was told
more than once that basically I don't have a support contract so they
wouldn't talk to me - they were warned.  I wasn't able to find
anything about this in their documentation.

Dan

=========================
Daniel Wittenberg
System Administrator
University of Iowa
http://dan.its.uiowa.edu
(6786120) /Daniel Wittenberg <daniel-wittenberg@uiowa.edu>/(Rewrapped)
Comment in text 6787072 by Cheng-Jih Chen <cjc@cjc.org>
Comment in text 6790870 by Thomas Broniecki <tb@joslyn.org>
Comment in text 6790927 by Phil Stracchino <alaric@babcom.com>
6787072 2001-07-23 15:58 -0400  /26 lines/ Cheng-Jih Chen <cjc@cjc.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-24  02:02  by Brevbäraren
External recipient: Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18281>
Comment to text 6786120 by Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Subject: Re: permission probs with Arkeia
------------------------------------------------------------
From: Cheng-Jih Chen <cjc@cjc.org>
To: Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33L2.0107231552190.2752-100000@welles.cjc.org>


On Mon, 23 Jul 2001, Daniel Wittenberg wrote:

> While working with the commercial version of Arkeia backup software I
> noticed it creates most of its "database" files with the permissions of
> 666.  This was version 4.2.8-2 of the server, and I had noticed this several
> updates ago, so it's been going on for some time.  The database files are
> located in /usr/knox/arkeia/dbase.  I have tried resetting the permissions
> on the files, but they get reset again when backup runs again.  I tried
> contacting Knox Software but was told more than once that basically I don't
> have a support contract so they wouldn't talk to me - they were warned.  I
> wasn't able to find anything about this in their documentation.

We're running 4.2.7-1 server and we're not seeing this.  The files
that are 666 are the zero-length lock files (o3_cpnt.lck), but the
more substantive "database" data files (o3_cpnt) are 644.  The Arkeia
change log indicates that the only difference between 4.2.7 and 4.2.8
is tape library support.
(6787072) /Cheng-Jih Chen <cjc@cjc.org>/--(Rewrapped)
6790870 2001-07-23 15:01 -0500  /56 lines/ Thomas Broniecki <tb@joslyn.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-24  21:04  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: tb@joslyn.org
Recipient: Bugtraq (import) <18302>
Comment to text 6786120 by Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Subject: RE: permission probs with Arkeia
------------------------------------------------------------
From: "Thomas Broniecki" <tb@joslyn.org>
To: <bugtraq@securityfocus.com>
Message-ID: <002201c113b2$4a36db20$0700a8c0@joslyn.org>

I'm running commercial version arkeia-server v4.2.8-2, arkeia-client
v4.2.15-1 on RedHat 6.2 w/ kernel 2.2.19. NLSERVD is run by root and
all my permissions are 755 in the /usr/knox/arkeia/dbase directory. I
have not noticed a permissions issue with my backup server dbase file
sets.

Check to see if NLSERVD is run by root. Who is the owner and group of
the directory dbase/?

tb.



-------------------------------------------------
Thomas Broniecki
IT Manager/Network Administrator
Joslyn Art Museum
http://www.joslyn.org


> -----Original Message-----
> From: Daniel Wittenberg [mailto:daniel-wittenberg@uiowa.edu]
> Sent: Monday, July 23, 2001 1:16 PM
> To: bugtraq@securityfocus.com
> Subject: permission probs with Arkeia
>
>
> While working with the commercial version of Arkeia backup software I
> noticed it creates most of its "database" files with the
> permissions of
> 666.  This was version 4.2.8-2 of the server, and I had
> noticed this several
> updates ago, so it's been going on for some time.  The
> database files are
> located in /usr/knox/arkeia/dbase.  I have tried resetting
> the permissions
> on the files, but they get reset again when backup runs
> again.  I tried
> contacting Knox Software but was told more than once that
> basically I don't
> have a support contract so they wouldn't talk to me - they
> were warned.  I
> wasn't able to find anything about this in their documentation.
>
> Dan
>
> =========================
> Daniel Wittenberg
> System Administrator
> University of Iowa
> http://dan.its.uiowa.edu
(6790870) /Thomas Broniecki <tb@joslyn.org>/(Rewrapped)
Comment in text 6796246 by Bryan K. Watson <bwatson@cyberdude.com>
6796246 2001-07-25 10:56 -0700  /28 lines/ Bryan K. Watson <bwatson@cyberdude.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-25  23:07  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: bwatson@cyberdude.com
Recipient: Bugtraq (import) <18354>
Comment to text 6790870 by Thomas Broniecki <tb@joslyn.org>
Subject: Re: permission probs with Arkeia
------------------------------------------------------------
From: "Bryan K. Watson" <bwatson@cyberdude.com>
To: bugtraq@securityfocus.com
Message-ID: <3B5F0855.DBCCAAED@cyberdude.com>

I have tested this and I can read the contents of all database files
as an unprivileged user in our ARKEIA servers.  So if I can get all
directory information from the ARKEIA backup trees, and I can get the
filenames from the database files, then I can launch specific
exploits to grab the files that I am interested in...dangerous,
considering that most cracking takes place from within the company
according to published stats.

-Bryan

Thomas Broniecki wrote:
> 
> I'm running commercial version arkeia-server v4.2.8-2, arkeia-client
> v4.2.15-1 on RedHat 6.2 w/ kernel 2.2.19. NLSERVD is run by root and all my
> permissions are 755 in the /usr/knox/arkeia/dbase directory. I have not
> noticed a permissions issue with my backup server dbase file sets.
> 
> Check to see if NLSERVD is run by root. Who is the owner and group of the
> directory dbase/?
> 
> tb.
>
(6796246) /Bryan K. Watson <bwatson@cyberdude.com>/(Rewrapped)
Comment in text 6802608 by Thomas Broniecki <tb@joslyn.org>
6802608 2001-07-25 16:51 -0500  /44 lines/ Thomas Broniecki <tb@joslyn.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-27  02:15  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: tb@joslyn.org
Recipient: Bugtraq (import) <18388>
Comment to text 6796246 by Bryan K. Watson <bwatson@cyberdude.com>
Subject: RE: permission probs with Arkeia
------------------------------------------------------------
From: "Thomas Broniecki" <tb@joslyn.org>
To: <bugtraq@securityfocus.com>
Message-ID: <000201c11553$f7af1540$0700a8c0@joslyn.org>

Yup, the /usr/knox/arkeia/dbase is a directory tree structure for all
the backup routines and I too can access files as a non-privileged
user. I have looked for actual file names in the dbase/ directory,
but haven't found any in plain text yet. Although I could view my
directory structures, library information files, DAT pack information
files, and master id number. Scary for sure.

Nonetheless, if you have active non-privileged users on the backup
server, those permissions stink. There shouldn't be anyone viewing
directory information or anything else for that matter regarding
backups. I don't allow any other user on my backup server, no need
to. Until Knox fixes this, deny non-privileged users on the box if
you can.

In any case, Knox needs to fix this issue. If anything, drastically
limit the access to only root or a privileged backup account.

tb.

> -----Original Message-----
> From: bwatson@www.nettracers.com [mailto:bwatson@www.nettracers.com]On
> Behalf Of Bryan K. Watson
> Sent: Wednesday, July 25, 2001 12:57 PM
> To: bugtraq@securityfocus.com
> Subject: Re: permission probs with Arkeia
>
>
> I have tested this and I can read the contents of all
> database files as
> an unprivileged user in our ARKEIA servers.  So if I can get all
> directory information from the ARKEIA backup trees, and I can get the
> filenames from the database files, then I can launch specific exploits
> to grab the files that I am interested in...dangerous,
> considering that
> most cracking takes place from within the company according
> to published
> stats.
>
> -Bryan
(6802608) /Thomas Broniecki <tb@joslyn.org>/(Rewrapped)
6790927 2001-07-23 15:00 -0700  /37 lines/ Phil Stracchino <alaric@babcom.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-24  21:19  by Brevbäraren
External recipient: Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
External CC recipient: BugTraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <18305>
Comment to text 6786120 by Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Subject: Re: permission probs with Arkeia
------------------------------------------------------------
From: Phil Stracchino <alaric@babcom.com>
To: Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Cc: BugTraq <bugtraq@securityfocus.com>
Message-ID: <20010723150059.A19413@babylon5.babcom.com>

On Mon, Jul 23, 2001 at 01:16:15PM -0500, Daniel Wittenberg wrote:
> While working with the commercial version of Arkeia backup software I
> noticed it creates most of its "database" files with the permissions of
> 666.  This was version 4.2.8-2 of the server, and I had noticed this several
> updates ago, so it's been going on for some time.  The database files are
> located in /usr/knox/arkeia/dbase.  I have tried resetting the permissions
> on the files, but they get reset again when backup runs again.  I tried
> contacting Knox Software but was told more than once that basically I don't
> have a support contract so they wouldn't talk to me - they were warned.  I
> wasn't able to find anything about this in their documentation.


IMHO, this is almost the least of Arkeia's problems, having
repeatedly tried very hard to work with Arkeia in the past and
eventually given up on it in complete disgust.

This particular problem can be, perhaps not eliminated, but at least
ameliorated by setting the ownership and rights of /usr/knox and/or
/usr/knox/arkeia such that only your arkeia administrators have
directory read/execute privileges.  If an unprivileged user cannot
browse the directory tree to gain access to the arkeia/dbase tree,
even knowing that the files are there and world-writeable does him
little good.



-- 
 Linux Now!   ..........Because friends don't let friends use Microsoft.
 phil stracchino   --   the renaissance man   --   mystic zen biker geek
        alaric@babcom.com                halmayne@sourceforge.net
   2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)
(6790927) /Phil Stracchino <alaric@babcom.com>/(Rewrapped)
6791003 2001-07-23 16:34 -0500  /80 lines/ Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-07-24  21:48  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18311>
Subject: Re: permission probs with Arkeia
------------------------------------------------------------
From: Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
To: <bugtraq@securityfocus.com>
Message-ID: <B782029D.6FB%daniel-wittenberg@uiowa.edu>

I have seen this on at least 3 default-installs for arkeia.  One person has
over 1/4 million files, some 0 length, some not.  This is on RH 6.2, 2.2.17,
2.2.19, and 2.2.16.  So you have _no_ files with 666?  Have you done a find
for files in the /usr/knox with permissions of at least 666?  nlserved is
running as root, and root:root is who owns all the files in /usr/knox/*.
Knox finally responded to me and told me they saw it as a known "oversight"
and it would be fixed in 5.0, some day, but they don't know when that will
be released.  I wouldn't consider that acceptable for a security patch.

Dan

=========================
Daniel Wittenberg
System Administrator
University of Iowa
http://dan.its.uiowa.edu

> From: "Thomas Broniecki" <tb@joslyn.org>
> Reply-To: <tb@joslyn.org>
> Date: Mon, 23 Jul 2001 14:59:55 -0500
> To: "'Daniel Wittenberg'" <daniel-wittenberg@uiowa.edu>
> Subject: RE: permission probs with Arkeia
> 
> I'm running commercial version arkeia-server v4.2.8-2, arkeia-client
> v4.2.15-1 on RedHat 6.2 w/ kernel 2.2.19. NLSERVD is run by root and all my
> permissions are 755 in the /usr/knox/arkeia/dbase directory. I have not
> noticed a permissions issue with my backup server dbase file sets.
> 
> Check to see if NLSERVD is run by root. Who is the owner and group of the
> directory dbase/?
> 
> tb.
> 
> 
> 
> -------------------------------------------------
> Thomas Broniecki
> IT Manager/Network Administrator
> Joslyn Art Museum
> http://www.joslyn.org
> 
> 
>> -----Original Message-----
>> From: Daniel Wittenberg [mailto:daniel-wittenberg@uiowa.edu]
>> Sent: Monday, July 23, 2001 1:16 PM
>> To: bugtraq@securityfocus.com
>> Subject: permission probs with Arkeia
>> 
>> 
>> While working with the commercial version of Arkeia backup software I
>> noticed it creates most of its "database" files with the
>> permissions of
>> 666.  This was version 4.2.8-2 of the server, and I had
>> noticed this several
>> updates ago, so it's been going on for some time.  The
>> database files are
>> located in /usr/knox/arkeia/dbase.  I have tried resetting
>> the permissions
>> on the files, but they get reset again when backup runs
>> again.  I tried
>> contacting Knox Software but was told more than once that
>> basically I don't
>> have a support contract so they wouldn't talk to me - they
>> were warned.  I
>> wasn't able to find anything about this in their documentation.
>> 
>> Dan
>> 
>> =========================
>> Daniel Wittenberg
>> System Administrator
>> University of Iowa
>> http://dan.its.uiowa.edu
>
(6791003) /Daniel Wittenberg <daniel-wittenberg@uiowa.edu>/
Comment in text 6796019 by Thomas Broniecki <tb@joslyn.org>
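
Added example, not part of any post in this thread: a shell audit that runs the "at least 666" search asked about in the message above and models the directory-permission workaround suggested earlier in the thread, by counting only the world-writable files whose parent directories still grant search permission to other users. The function names, the `ARKEIA_ROOT` variable and the demo file `o3_index` are assumptions made for illustration; `o3_cpnt` and `o3_cpnt.lck` are the names quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a backup catalogue tree.
# ARKEIA_ROOT defaults to the path the posters name; override to audit another tree.
ARKEIA_ROOT=${ARKEIA_ROOT:-/usr/knox}

# Regular files whose mode has every bit of 666 set ("at least 666").
files_at_least_666() {
    find "$1" -type f -perm -0666 -print
}

# Same set, minus zero-length files such as the .lck lock files.
nonempty_at_least_666() {
    find "$1" -type f -perm -0666 ! -size 0 -print
}

# World-writable files a user in the "other" class can reach by mode bits:
# any directory without o+x is pruned, so a locked parent hides its subtree.
# Ancestors above $1 and ACLs are not examined.
reachable_world_writable() {
    find "$1" -type d ! -perm -0001 -prune -o -type f -perm -0002 -print
}

# Line count with any padding from wc removed.
count() { wc -l | tr -d ' '; }

audit() {
    echo "mode >= 666:               $(files_at_least_666 "$1" | count)"
    echo "  of which non-empty:      $(nonempty_at_least_666 "$1" | count)"
    echo "reachable, world-writable: $(reachable_world_writable "$1" | count)"
}

# Constructed demo tree; o3_index is a hypothetical file name.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/arkeia/dbase"
    : > "$d/arkeia/dbase/o3_cpnt.lck"
    echo "catalogue data" > "$d/arkeia/dbase/o3_cpnt"
    echo "index data" > "$d/arkeia/dbase/o3_index"
    chmod 666 "$d/arkeia/dbase/o3_cpnt.lck" "$d/arkeia/dbase/o3_cpnt"
    chmod 644 "$d/arkeia/dbase/o3_index"
    chmod 755 "$d" "$d/arkeia" "$d/arkeia/dbase"
    echo "$d"
}

if [ -d "$ARKEIA_ROOT" ]; then audit "$ARKEIA_ROOT"; fi
```

Running `audit` before and after removing the "other" permissions from a parent directory (mode 750 is one assumed choice) shows the workaround's effect: the 666 files are still there, but the reachable count drops to zero.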
6796019 2001-07-24 15:41 -0500  /64 lines/ Thomas Broniecki <tb@joslyn.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-25  22:00  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: tb@joslyn.org
Recipient: Bugtraq (import) <18346>
Comment to text 6791003 by Daniel Wittenberg <daniel-wittenberg@uiowa.edu>
Subject: RE: permission probs with Arkeia
------------------------------------------------------------
From: "Thomas Broniecki" <tb@joslyn.org>
To: <bugtraq@securityfocus.com>
Message-ID: <001301c1147f$144bd240$0700a8c0@joslyn.org>

Well, I have 644, 755 permissions mainly. Although in the
/usr/knox/arkeia dir there are 13 or so files arkeia_0x.j12 or .lck
that have 666 permissions, many haven't been written to in a long
while. In /usr/knox/arkeia/dbase one file o3master.lck.

Check your user management in the gui interface, make sure it is set
to admin. I've also found that if you hand edit your periodic
backups, they are much more prone to strange issues. I recommend
using the wizard to configure your periodic backups. It sounds
strange, but helped me many times in fits of frustration.

I have been running Arkeia for some time and completed many upgrades
(both tar and rpm, I use rpm now), so I can't tell you from a clean
install perspective.

I can tell that from my experience Knox is very slow to release
patches and fixes. In the past I've fought backing up NT 4.0 servers
while losing network connections from clients during backups and
only with periodic backups, not interactive. That was going on for
over 1/2 year and repeated phone calls and e-mails. The NT 4.0 patch
just came out!

Good luck.
tb.



> -----Original Message-----
> From: Daniel Wittenberg [mailto:daniel-wittenberg@uiowa.edu]
> Sent: Monday, July 23, 2001 4:35 PM
> To: bugtraq@securityfocus.com
> Subject: Re: permission probs with Arkeia
> Importance: Low
>
>
> I have seen this on at least 3 default-installs for arkeia.
> One person has
> over 1/4 million files, some 0 length, some not.  This is on
> RH 6.2, 2.2.17,
> 2.2.19, and 2.2.16.  So you have _no_ files with 666?  Have
> you done a find
> for files in the /usr/knox with permissions of at least 666?
> nlserved is
> running as root, and root:root is who owns all the files in
> /usr/knox/*
> Knox finally responded to me and told me they saw it as a
> known "oversight"
> and it would be fixed in 5.0, some day, but they don't know
> when that will
> be released.  I wouldn't consider that acceptable for a
> security patch.
>
> Dan
>
> =========================
> Daniel Wittenberg
> System Administrator
> University of Iowa
> http://dan.its.uiowa.edu
(6796019) /Thomas Broniecki <tb@joslyn.org>/(Rewrapped)