
ptomulik at meil
Aug 10, 2012, 11:00 AM
Re: [SECURITY] Default settings for Xapi on Debian/Ubuntu allow non-root remote access
On 31.07.2012 17:20, Mike McClurg wrote:
> Hi all,
>
> I want to make a security disclosure for all current versions of the
> xcp-xapi package in both Debian and Ubuntu. The default PAM
> authentication settings for xapi allow any valid user account (root or
> non-root) on dom0 to authenticate to xapi remotely, over either port
> 80 or 443. In the rest of this email, I'll quickly describe the two
> methods that xapi uses for authentication, then describe the nature of
> the misconfiguration, and provide a way to manually change the default
> setting.
>
> tl;dr - the attached patch restricts xapi's configuration to only
> allow the root user to issue API commands.
>
> Xapi has an XML-RPC based API over which clients, such as the 'xe'
> tool or XenCenter, communicate with XCP hosts. When a client is
> running on the dom0 itself, for instance the 'xe' command, one of the
> storage managers, or a xapi plugin, that client uses the unix domain
> socket at /var/lib/xcp/xapi (on Debian/Ubuntu). That socket file is
> only writeable by root, so non-root users cannot bind to it.
>
> Clients can also make API calls to xapi remotely, over either port 80
> or 443. For remote authentication, xapi uses PAM to verify user
> accounts. Because xapi was ported from XCP, where we assume that any
> local user is effectively a root user, xapi has always allowed any
> valid user in dom0 to authenticate and run xapi API commands. This
> means that, assuming you have a user account called guest, with the
> password guest, you can do the following from an unprivileged account:
>
> $ xe vm-list -s localhost -u guest -pw guest
>
> We kept this default behavior when we ported xapi to Debian. While
> this configuration made sense in XCP and XenServer, it doesn't make
> sense for the use cases we were targeting for xapi on Debian and
> Ubuntu. In the next update of the xcp-xapi package on both Debian
> Wheezy and Ubuntu Precise, the default setting will be to only allow
> the root user to make remote API calls.
>
> I have attached a patch (pam-xapi.diff) which causes xapi to only
> allow the root account to issue remote commands. To apply this patch,
> save it to /tmp and do:
>
> # cd /etc/pam.d/
> # patch < /tmp/pam-xapi.diff
>
> You will not have to restart xapi for this to take effect. The patch
> leaves a commented line at the bottom of /etc/pam.d/xapi, which, when
> uncommented, will allow users of the group 'xapi' to issue remote
> commands. You must create this group manually before uncommenting this
> line.
>
> This issue will be resolved in the next update of the xcp-xapi package
> in both Debian Wheezy and Ubuntu Precise. The Debian package should be
> ready very soon. I am working with the Ubuntu Security team to make
> sure the package in Precise gets updated as soon as possible as well.
>
> Mike
>

Hi,

is it normal that I'm able to access xapi remotely from a remote machine as root, without a password (or with a wrong password)? For example:

  xe -s host vm-list

or

  xe -s host -u root vm-list

give me a pretty list of my virtual machines, and

  xe -s 192.168.128.8 -u guest vm-list
  Authentication failed
  For usage run: 'xe help'

The same is when using openxenmanager. It happens in xcp-xapi 1.3.2-10 (debian sid), which seems to contain this patch. When I revert the file to its previous version, it doesn't let me in as root without the correct password.

Regards!

--
Paweł Tomulik

_______________________________________________
Xen-api mailing list
Xen-api [at] lists
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
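The symptom reported above (root accepted with a wrong password once the PAM restriction is in place) is what a misordered PAM 'auth' stack produces when a 'sufficient' pam_succeed_if.so line sits before the module that verifies the password. The script below is an added example, not part of this thread and not the contents of pam-xapi.diff (which are not shown here); it audits a PAM service file for that ordering, and the two stanzas, the module list and the 'requisite' variant are constructed assumptions for illustration.

```python
"""Audit the 'auth' stack of a PAM service file such as /etc/pam.d/xapi for a
'sufficient' pam_succeed_if.so line that precedes the password-verifying module."""

# Constructed stanza (not the real pam-xapi.diff): root never reaches pam_unix.
WEAK_PAM = """\
auth    sufficient  pam_succeed_if.so user = root
auth    required    pam_unix.so
#auth   sufficient  pam_succeed_if.so user ingroup xapi
account required    pam_unix.so
"""

# Constructed stanza: 'requisite' rejects non-root at once; root still needs
# a correct password to satisfy pam_unix.so.
FIXED_PAM = """\
auth    requisite   pam_succeed_if.so user = root
auth    required    pam_unix.so
#auth   requisite   pam_succeed_if.so user ingroup xapi
account required    pam_unix.so
"""

# Modules that actually verify a credential (assumed list, extend as needed).
PASSWORD_MODULES = {"pam_unix.so", "pam_unix2.so", "pam_ldap.so", "pam_sss.so", "pam_krb5.so"}

def parse_auth_stack(text):
    """Return (control, module, args) for each active 'auth' line, in order.
    Only simple keyword controls are handled, not bracketed '[...]' ones."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != "auth":
            continue
        stack.append((parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
    return stack

def audit_auth_stack(text):
    """Return findings for the 'auth' stack; an empty list means nothing found."""
    findings, password_checked = [], False
    for control, module, args in parse_auth_stack(text):
        if module in PASSWORD_MODULES:
            password_checked = True
        elif module == "pam_succeed_if.so" and control == "sufficient" and not password_checked:
            # A matching user short-circuits the stack before any password is checked.
            findings.append(f"'sufficient' pam_succeed_if.so ({args}) before the password check")
    if not password_checked:
        findings.append("no password-verifying module in the auth stack")
    return findings
```

Running audit_auth_stack over the real /etc/pam.d/xapi (read the file into a string) flags the weak ordering and stays silent on the 'requisite' form, where root still has to pass pam_unix.so.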