Re: [SECURITY] Default settings for Xapi on Debian/Ubuntu allow non-root remote access
ptomulik at meil
Aug 10, 2012, 11:00 AM
Post #2 of 2
On 31.07.2012 17:20, Mike McClurg wrote:
> Hi all,
> I want to make a security disclosure for all current versions of the
> xcp-xapi package in both Debian and Ubuntu. The default PAM
> authentication settings for xapi allow any valid user account (root or
> non-root) on dom0 to authenticate to xapi remotely, over either port
> 80 or 443. In the rest of this email, I'll quickly describe the two
> methods that xapi uses for authentication, then describe the nature of
> the misconfiguration, and provide a way to manually change the default
> tl;dr - the attached patch restricts xapi's configuration to only
> allow the root user to issue API commands.
> Xapi has an XML-RPC based API over which clients, such as the 'xe'
> tool or XenCenter, communicate with XCP hosts. When a client is
> running on the dom0 itself, for instance the 'xe' command, one of the
> storage managers, or a xapi plugin, that client uses the unix domain
> socket at /var/lib/xcp/xapi (on Debian/Ubuntu). That socket file is
> only writeable by root, so non-root users cannot bind to it.
> Clients can also make API calls to xapi remotely, over either port 80
> or 443. For remote authentication, xapi uses PAM to verify user
> accounts. Because xapi was ported from XCP, where we assume that any
> local user is effectively a root user, xapi has always allowed any
> valid user in dom0 to authenticate and run xapi API commands. This
> means that, assuming you have a user account called guest, with the
> password guest, you can do the following from an unprivileged account:
> $ xe vm-list -s localhost -u guest -pw guest
> We kept this default behavior when we ported xapi to Debian. While
> this configuration made sense in XCP and XenServer, it doesn't make
> sense for the use cases we were targeting for xapi on Debian and
> Ubuntu. In the next update of the xcp-xapi package on both Debian
> Wheezy and Ubuntu Precise, the default setting will be to only allow
> the root user to make remote API calls.
> I have attached a patch (pam-xapi.diff) which causes xapi to only
> allow the root account to issue remote commands. To apply this patch,
> save it to /tmp and do:
> # cd /etc/pam.d/
> # patch < /tmp/pam-xapi.diff
> You will not have to restart xapi for this to take effect. The patch
> leaves a commented line at the bottom of /etc/pam.d/xapi, which, when
> uncommented, will allow users of the group 'xapi' to issue remote
> commands. You must create this group manually before uncommenting this
> This issue will be resolved in the next update of the xcp-xapi package
> in both Debian Wheezy and Ubuntu Precise. The Debian package should be
> ready very soon. I am working with the Ubuntu Security team to make
> sure the package in Precise gets updated as soon as possible as well.
Is it normal that I'm able to access xapi remotely
from a remote machine as root, without a password (or with
a wrong password)? For example:
xe -s host vm-list
xe -s host -u root vm-list
give me a pretty list of my virtual machines, and
xe -s 192.168.128.8 -u guest vm-list
For usage run: 'xe help'
The same is when using openxenmanager.
It happens in xcp-xapi 1.3.2-10 (Debian sid), which seems
to contain this patch. When I revert the file to its previous
version, it doesn't let me in as root without the correct password.
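For readers following the thread, here is a constructed illustration of what the disclosure describes: an /etc/pam.d/xapi stack that admits any valid dom0 account beside one that additionally requires the caller to be root (or, optionally, a member of a group 'xapi'). This is an added example written for this page; it is not the pam-xapi.diff attached to the original post, whose exact contents are not reproduced here, and the module names and control flags are the standard Linux-PAM ones (pam_unix, pam_succeed_if), not anything specific to xapi.

```pam
# /etc/pam.d/xapi  --  constructed illustration, not the pam-xapi.diff from the thread

# (1) Weak default as described in the disclosure: the password is checked,
#     but any valid local account passes, so "guest"/"guest" can run API calls.
#auth     required   pam_unix.so
#account  required   pam_unix.so

# (2) Hardened form: verify the password first, THEN require the user to be root.
#     Both lines are "required", so a wrong password still fails even for root,
#     and a correct password for a non-root user still fails at the second line.
auth     required   pam_unix.so
auth     required   pam_succeed_if.so user = root quiet
account  required   pam_unix.so

# (3) Optional variant admitting members of a group 'xapi' as well (the group
#     must exist before this is enabled). "success=1" skips the next line when
#     the user is root; otherwise group membership is required.
#auth     required                   pam_unix.so
#auth     [success=1 default=ignore] pam_succeed_if.so user = root quiet
#auth     required                   pam_succeed_if.so user ingroup xapi quiet
#account  required                   pam_unix.so
```

One ordering to avoid when writing such a stack: `auth sufficient pam_succeed_if.so user = root` placed before pam_unix.so. Under Linux-PAM semantics, "sufficient" returns success to the application as soon as the module succeeds, so the password module after it is never consulted and root is admitted with no password or a wrong one. That is the symptom reported in the reply above; whether it is the actual cause in xcp-xapi 1.3.2-10 cannot be determined from this thread, but checking the control flag and module order in the installed /etc/pam.d/xapi is the first thing to verify. A quick functional check after any change is the one from the disclosure itself, run from an unprivileged account: `xe vm-list -s localhost -u guest -pw guest` should now be refused, and `xe vm-list -s localhost -u root -pw wrongpassword` should be refused too.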
Xen-api mailing list