Bugtraq mailing list archives

Re: Lotus Notes Local Replicated Database Problem


From: bram () E-WARENESS BE (bram () E-WARENESS BE)
Date: Wed, 26 Jan 2000 09:40:58 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> In Lotus Notes it brings up a password dialog box as usual, but by accident I
> pressed esc, on it....  Now this came up saying it was wrong and try again.
> Well, I pressed esc again and it brought up an error stating that Lotus Notes
> had had an internal error.  And to my surprise it allowed me to view my email
> without the use of a password.  But, every now and then it brings up the
> password dialog box, but each and every time you can just press Esc until an
> error occurs again and you can view it again, this can take up to 5 - 6 Esc
> pressing sequences.

You are accessing your mail database locally (you just replicated it).
Notes does not need a password to open a database locally, and the
philosophy behind it is very simple: if you can view the contents of
that specific database -which is just a file- with a text/hex editor,
why bother to require a password?  If a password were required,
the user would feel safe without actually being safe.

How can this be changed?

In the Access Control List for the database, click on Advanced and
select 'Enforce Consistent ACL'... This means that a password is
required for opening it... But remember: it's still a local file, and
this kind of 'security' can easily be circumvented.
Better yet: go to the Database Properties of the local copy of your
mail database, and click on 'Encryption'. There you can choose to
encrypt the database locally for your User ID. This way, the database
will only be accessible by you, if you have your user ID and your
password... Lose your user.id file, and the contents of your
mail database are lost.  Most of the time your Notes admins have safely
stored backups of ID files, but you wouldn't be the first to delete
your ID file, to find out that there is no backup left.

> Like I say it might be a known problem, but I have copied Lotus on it, and am
> awaiting their reply.

This is how the software works. This is not a problem.

Ask your Notes support people how to encrypt local databases -
which should be done if you have a laptop. Notes/Domino has one of the
best security systems/philosophies I have seen yet. It takes, however,
some knowledge to set it up properly on the server side, and just a
little bit of training for the end user.

Bram
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQA/AwUBOI6kuzMB44xYPakpEQKtEwCgjbNcT0dbkud5bEDJG4HQll6mGdgAn0rf
tcrBg4Udkd40GCrtd70eDv41
=2+Mi
-----END PGP SIGNATURE-----

