[Xen-API] [SECURITY] Default settings for Xapi on Debian/Ubuntu allow non-root remote access
Hi all,

I want to make a security disclosure for all current versions of the xcp-xapi package in both Debian and Ubuntu. The default PAM authentication settings for xapi allow any valid user account (root or non-root) on dom0 to authenticate to xapi remotely, over either port 80 or 443. In the rest of this email, I'll quickly describe the two methods that xapi uses for authentication, then describe the nature of the misconfiguration, and provide a way to manually change the default setting.

tl;dr - the attached patch restricts xapi's configuration to only allow the root user to issue API commands.

Xapi has an XML-RPC based API over which clients, such as the 'xe' tool or XenCenter, communicate with XCP hosts. When a client is running on the dom0 itself, for instance the 'xe' command, one of the storage managers, or a xapi plugin, that client uses the unix domain socket at /var/lib/xcp/xapi (on Debian/Ubuntu). That socket file is only writeable by root, so non-root users cannot bind to it.

Clients can also make API calls to xapi remotely, over either port 80 or 443. For remote authentication, xapi uses PAM to verify user accounts. Because xapi was ported from XCP, where we assume that any local user is effectively a root user, xapi has always allowed any valid user in dom0 to authenticate and run xapi API commands. This means that, assuming you have a user account called guest, with the password guest, you can do the following from an unprivileged account:

$ xe vm-list -s localhost -u guest -pw guest

We kept this default behavior when we ported xapi to Debian. While this configuration made sense in XCP and XenServer, it doesn't make sense for the use cases we were targeting for xapi on Debian and Ubuntu. In the next update of the xcp-xapi package on both Debian Wheezy and Ubuntu Precise, the default setting will be to only allow the root user to make remote API calls.
I have attached a patch (pam-xapi.diff) which causes xapi to only allow the root account to issue remote commands. To apply this patch, save it to /tmp and do:

# cd /etc/pam.d/
# patch < /tmp/pam-xapi.diff

You will not have to restart xapi for this to take effect. The patch leaves a commented line at the bottom of /etc/pam.d/xapi, which, when uncommented, will allow users of the group 'xapi' to issue remote commands. You must create this group manually before uncommenting this line.

This issue will be resolved in the next update of the xcp-xapi package in both Debian Wheezy and Ubuntu Precise. The Debian package should be ready very soon. I am working with the Ubuntu Security team to make sure the package in Precise gets updated as soon as possible as well.

Mike

Attachment:
pam-xapi.diff

_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
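An added audit script for the hardening described in the message above (it is not part of Mike's post, nor the contents of the attached pam-xapi.diff, which this page does not show): it reads an /etc/pam.d/xapi file and reports whether the first active auth rule gates access to root (or the 'xapi' group) before any password module runs. The pam_succeed_if rule it looks for is my assumption of what such a root-only gate looks like; the two sample files are constructed for the demo.

```shell
#!/bin/sh
# Audit /etc/pam.d/xapi: is remote xapi authentication gated to root
# (or the 'xapi' group) before the ordinary password stack runs?

# Constructed sample of the vulnerable default described in the post
# (assumed shape: password stack only, no user restriction).
XAPI_PAM_DEFAULT='auth    required   pam_unix.so
account required   pam_unix.so'

# Constructed hardened sample. The pam_succeed_if gate is an assumption
# for this example, not the real pam-xapi.diff. "requisite" rejects a
# non-root user immediately, before pam_unix ever sees the password.
XAPI_PAM_HARDENED='auth    requisite  pam_succeed_if.so user = root
auth    required   pam_unix.so
account required   pam_unix.so'

# xapi_pam_gated FILE: exit 0 when the first active "auth" rule is a
# requisite/required pam_succeed_if gate on root or the xapi group,
# exit 1 when a password module (or no auth rule at all) comes first.
xapi_pam_gated() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $1 != "auth"   { next }          # only the auth stack matters here
        {
            if (($2 == "requisite" || $2 == "required") &&
                $3 == "pam_succeed_if.so" && $4 == "user" &&
                (($5 == "=" && $6 == "root") || ($5 == "ingroup" && $6 == "xapi")))
                gated = 1
            exit                         # verdict rests on the first auth rule
        }
        END { exit gated ? 0 : 1 }
    ' "$1"
}

# xapi_pam_report FILE: human-readable verdict; on a live host run
#   xapi_pam_report /etc/pam.d/xapi
xapi_pam_report() {
    if xapi_pam_gated "$1"; then
        echo "$1: remote xapi auth is gated to root / the xapi group"
    else
        echo "$1: WARNING - any valid dom0 account can authenticate to xapi remotely"
        return 1
    fi
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
printf '%s\n' "$XAPI_PAM_DEFAULT"  > "$tmp/xapi.default"
printf '%s\n' "$XAPI_PAM_HARDENED" > "$tmp/xapi.hardened"
xapi_pam_report "$tmp/xapi.default" || true
xapi_pam_report "$tmp/xapi.hardened"
rm -rf "$tmp"
```

A file that only carries "@include common-auth" has no gate of its own and is reported as open, which matches the default the post describes.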