[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
2 files changed, 7 insertions(+), 1 deletion(-) ocaml/idl/datamodel.ml | 2 +- ocaml/xapi/xapi_session.ml | 6 ++++++ # HG changeset patch # User Marcus Granado <marcus.granado@xxxxxxxxxx> # Date 1257526015 0 # Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f # Parent 719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5 CA-34203: only root can call slave-local-login-with-password Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx> diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml --- a/ocaml/idl/datamodel.ml Fri Nov 06 16:12:03 2009 +0000 +++ b/ocaml/idl/datamodel.ml Fri Nov 06 16:46:55 2009 +0000 @@ -960,7 +960,7 @@ ] ~in_oss_since:None ~secret:true - ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave login*) + ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency slave login*) () let local_logout = call ~flags:[`Session] diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml --- a/ocaml/xapi/xapi_session.ml Fri Nov 06 16:12:03 2009 +0000 +++ b/ocaml/xapi/xapi_session.ml Fri Nov 06 16:46:55 2009 +0000 @@ -323,6 +323,12 @@ let slave_local_login_with_password ~__context ~uname ~pwd = wipe_params_after_fn [pwd] (fun () -> if not (Context.preauth ~__context) then + if uname <> local_superuser + then (* CA-34203: never authenticate external users as local_login *) + raise (Api_errors.Server_error + (Api_errors.rbac_permission_denied, + [local_superuser; "No permission in local login"])) + else (try (* CP696 - only tries to authenticate against LOCAL superuser account *) do_local_auth uname pwd; Attachment:
xen-api.hg.patch _______________________________________________ xen-api mailing list xen-api@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/mailman/listinfo/xen-api
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |