63947: Acronis Cyber Protect Cloud, Acronis Cyber Backup: update permissions for Acronis Agent for Linux files to prevent unprivileged users accessing the files

Last update: Wed, 2020-06-24 10:41

Scenario

We have recently identified a security issue within Agent for Linux installations that may potentially allow unprivileged users to access Agent logs and backup data.

We have identified that these files and directories have excessive read permissions (allowing users who are not functioning as backup operators read the files) and recommend to deny read permissions to all users other than 'acronis' group members to these files:

/var/lib/Acronis/BackupAndRecovery/OnlineBackup/Default/username.crt
/var/lib/Acronis/BackupAndRecovery/MMS/user.config
/var/lib/Acronis/BackupAndRecovery/MMS/AccessVault/raw/*

Solution

To fix the issue, please change permissions to 750 for directories and 640 for files.

Under root user, issue:

chmod 640 /var/lib/Acronis/BackupAndRecovery/OnlineBackup/Default/username.crt
chmod 640 /var/lib/Acronis/BackupAndRecovery/MMS/user.config
chmod 640 /var/lib/Acronis/BackupAndRecovery/MMS/AccessVault/raw/*

chmod 750 /var/lib/Acronis/BackupAndRecovery/OnlineBackup/Default
chmod 750 /var/lib/Acronis/BackupAndRecovery/MMS
chmod 750 /var/lib/Acronis/BackupAndRecovery/MMS/AccessVault/raw

More information

Acronis Cyber Protect Cloud: product design has been updated in version 9.0: 750/640 permissions will be set by default for these directories/files.