
Mailing List Archive: Xen: API

[SECURITY] Default settings for Xapi on Debian with xcp-xapi 1.3.2-10



ptomulik at meil

Aug 12, 2012, 11:15 PM

Post #1 of 2 (257 views)
[SECURITY] Default settings for Xapi on Debian with xcp-xapi 1.3.2-10

Hi,

in xcp-xapi 1.3.2-10, the pam config file /etc/pam.d/xapi reads as:


---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<

#%PAM-1.0

auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi

---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<


With this configuration, PAM allows access to XAPI from local and
remote machines as root without providing a password; for example

xe -s host vm-list
xe -s host -u root vm-list

both print the list of VMs on host.

I don't think this is intended behaviour? Shouldn't it be fixed?

I haven't had the opportunity to play much with PAM and learn it in depth,
but maybe something like the attachment would do the job? Could someone look
at it and tell me whether it's OK or not?

With best regards,

--
Paweł Tomulik
Attachments: xapi (0.16 KB)


george.shuklin at gmail

Aug 12, 2012, 11:42 PM

Post #2 of 2 (229 views)
Re: [SECURITY] Default settings for Xapi on Debian with xcp-xapi 1.3.2-10 [In reply to]

ACK, it really happens.

Some tests:


auth sufficient pam_succeed_if.so user ingroup root
auth sufficient pam_succeed_if.so user ingroup xapi

xe vm-list -u root -s 127.1 - successful


auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi

xe vm-list -u root -s 127.1 - successful

#auth sufficient pam_succeed_if.so user ingroup root
auth sufficient pam_succeed_if.so user ingroup xapi

- fail for root (passwordless and with correct password),
but allow no-password access for user within group 'xapi' (guest/guest).

#auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi

- not successful

Funny, but the last case (everything commented out) works with the correct
password (xe vm-list -u root -p rootpw -s 127.1)
and did not work for guest/other users (kinda the expected normal behavior).

I don't really know much about PAM, but those lines seem to be wrong and
allow any user within the mentioned group to log in without a password.

13.08.2012 10:15, Pawel Tomulik wrote:
> Hi,
>
> in xcp-xapi 1.3.2-10, the pam config file /etc/pam.d/xapi reads as:
>
>
> ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<
>
> #%PAM-1.0
>
> auth sufficient pam_succeed_if.so user ingroup root
> #auth sufficient pam_succeed_if.so user ingroup xapi
>
> ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<
>
>
> With this configuration, PAM allows access to XAPI from local and
> remote machines as root without providing a password; for example
>
> xe -s host vm-list
> xe -s host -u root vm-list
>
> both print the list of VMs on host.
>
> I don't think this is intended behaviour? Shouldn't it be fixed?
>
> I haven't had the opportunity to play much with PAM and learn it in depth,
> but maybe something like the attachment would do the job? Could someone look
> at it and tell me whether it's OK or not?
>
> With best regards,
>
>
>
> _______________________________________________
> Xen-api mailing list
> Xen-api [at] lists
> http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
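The root cause both posts describe is that `pam_succeed_if.so` only tests an attribute of the claimed user (group membership); marking it `sufficient` ends the `auth` stack with success before any module has verified a password. The script below is an added example written for this archive page, not Paweł's attachment and not xcp-xapi's own code: it parses a PAM service file, flags `auth sufficient` rules that use an attribute-only module before any password-verifying module has been required, and checks the shipped `/etc/pam.d/xapi` content against a hardened stack. The hardened stack (`requisite` on the group check, then `required pam_unix.so`) and the two module lists are my assumptions about a sane default, not something the thread states.

```python
"""Lint a PAM service file for 'sufficient' auth rules that grant access
without verifying any credential, as in the /etc/pam.d/xapi from
xcp-xapi 1.3.2-10 discussed in this thread."""

# Assumption: modules that only test attributes of the claimed user and
# never verify a password or other credential.
ATTRIBUTE_ONLY_MODULES = {"pam_succeed_if.so", "pam_permit.so", "pam_listfile.so"}

# Assumption: modules that actually verify a password/credential.
CREDENTIAL_MODULES = {"pam_unix.so", "pam_unix2.so", "pam_ldap.so",
                      "pam_sss.so", "pam_krb5.so", "pam_winbind.so"}

# Constructed copy of the file content quoted in the first post.
WEAK_XAPI = """#%PAM-1.0

auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
"""

# Assumed hardened replacement (not the attachment from the thread):
# group membership gates the stack but is never sufficient by itself,
# and a real password check is required afterwards.
HARDENED_XAPI = """#%PAM-1.0
# Only members of 'xapi' may even attempt to authenticate.
auth requisite pam_succeed_if.so user ingroup xapi
# Their password must then verify against /etc/shadow.
auth required pam_unix.so
account required pam_unix.so
"""


def parse_pam(text):
    """Return (lineno, type, control, module, args) for each active rule.
    Comments and blank lines are dropped; bracketed [value=action] control
    syntax is not interpreted and is returned as written."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        ptype, control, module = parts[0].lower(), parts[1].lower(), parts[2]
        rules.append((lineno, ptype, control, module, parts[3:]))
    return rules


def find_passwordless_auth(text):
    """Return (lineno, reason) for every auth rule that can end the stack
    successfully before any credential-verifying module was required."""
    findings = []
    credential_required = False
    for lineno, ptype, control, module, args in parse_pam(text):
        if ptype != "auth":
            continue
        # A required/requisite credential module earlier in the stack means a
        # later 'sufficient' cannot turn a failed password check into success.
        if module in CREDENTIAL_MODULES and control in {"required", "requisite"}:
            credential_required = True
            continue
        if (control == "sufficient" and module in ATTRIBUTE_ONLY_MODULES
                and not credential_required):
            findings.append((lineno, f"'{module} {' '.join(args)}' is sufficient "
                                     "before any credential check"))
    return findings


if __name__ == "__main__":
    for name, text in (("shipped", WEAK_XAPI), ("hardened", HARDENED_XAPI)):
        hits = find_passwordless_auth(text)
        print(f"{name}: {'OK' if not hits else 'PASSWORDLESS AUTH'}")
        for lineno, reason in hits:
            print(f"  line {lineno}: {reason}")
```

On the shipped file the linter reports line 3; on the hardened stack it reports nothing, which matches George's observation that leaving only `pam_unix`-style password verification in play makes `xe -u root -p rootpw` succeed and `guest` fail. The check only understands the simple `required`/`requisite`/`sufficient`/`optional` keywords; a stack using bracketed `[success=done ...]` controls needs manual review.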
