Re: [Xen-API] [SECURITY] Default settings for Xapi on Debian/Ubuntu allow non-root remote access
On 31.07.2012 17:20, Mike McClurg wrote:
> Hi all,
>
> I want to make a security disclosure for all current versions of the xcp-xapi package in both Debian and Ubuntu. The default PAM authentication settings for xapi allow any valid user account (root or non-root) on dom0 to authenticate to xapi remotely, over either port 80 or 443. In the rest of this email, I'll quickly describe the two methods that xapi uses for authentication, then describe the nature of the misconfiguration, and provide a way to manually change the default setting.
>
> tl;dr - the attached patch restricts xapi's configuration to only allow the root user to issue API commands.
>
> Xapi has an XML-RPC based API over which clients, such as the 'xe' tool or XenCenter, communicate with XCP hosts. When a client is running on the dom0 itself, for instance the 'xe' command, one of the storage managers, or a xapi plugin, that client uses the unix domain socket at /var/lib/xcp/xapi (on Debian/Ubuntu). That socket file is only writable by root, so non-root users cannot bind to it.
>
> Clients can also make API calls to xapi remotely, over either port 80 or 443. For remote authentication, xapi uses PAM to verify user accounts. Because xapi was ported from XCP, where we assume that any local user is effectively a root user, xapi has always allowed any valid user in dom0 to authenticate and run xapi API commands. This means that, assuming you have a user account called guest, with the password guest, you can do the following from an unprivileged account:
>
>   $ xe vm-list -s localhost -u guest -pw guest
>
> We kept this default behavior when we ported xapi to Debian. While this configuration made sense in XCP and XenServer, it doesn't make sense for the use cases we were targeting for xapi on Debian and Ubuntu. In the next update of the xcp-xapi package on both Debian Wheezy and Ubuntu Precise, the default setting will be to only allow the root user to make remote API calls.
>
> I have attached a patch (pam-xapi.diff) which causes xapi to only allow the root account to issue remote commands. To apply this patch, save it to /tmp and do:
>
>   # cd /etc/pam.d/
>   # patch < /tmp/pam-xapi.diff
>
> You will not have to restart xapi for this to take effect. The patch leaves a commented line at the bottom of /etc/pam.d/xapi, which, when uncommented, will allow users of the group 'xapi' to issue remote commands. You must create this group manually before uncommenting this line.
>
> This issue will be resolved in the next update of the xcp-xapi package in both Debian Wheezy and Ubuntu Precise. The Debian package should be ready very soon. I am working with the Ubuntu Security team to make sure the package in Precise gets updated as soon as possible as well.
>
> Mike

Hi,

is it normal that I'm able to access xapi remotely from a remote machine as root, without a password (or with a wrong password)? For example:

  xe -s host vm-list

or

  xe -s host -u root vm-list

give me a pretty list of my virtual machines, and

  xe -s 192.168.128.8 -u guest vm-list
  Authentication failed
  For usage run: 'xe help'

The same happens when using openxenmanager. It happens in xcp-xapi 1.3.2-10 (debian sid), which seems to contain this patch. When I revert the file to its previous version, it doesn't let me in as root without the correct password.

Regards!
-- 
Paweł Tomulik

_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
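The /etc/pam.d/xapi gate Mike describes and the symptom Paweł reports (root accepted with a wrong or empty password) are illustrated below as an added example. This is not the attached pam-xapi.diff, whose contents are not on this page, and not xcp-xapi project code; the two config variants are constructed, Debian-style stacking with @include common-auth is assumed, and audit_pam_conf is a hypothetical helper. The point it shows is a PAM control-flag caveat a reviewer of such a patch would check: `sufficient` on pam_succeed_if.so ends the auth stack with success as soon as the user matches, so the password modules never run for root and any password is accepted, which is exactly the behaviour in Paweł's reply. Whether that is what shipped in 1.3.2-10 cannot be determined from this thread.

```shell
#!/bin/sh
# Added example, not the attached pam-xapi.diff and not xcp-xapi code.
# Two constructed /etc/pam.d/xapi variants (Debian-style stacking with
# @include common-auth assumed) plus a small audit of such a file.
#
# PAM control flags matter here: `sufficient` ends the auth stack with
# success as soon as pam_succeed_if.so matches, so the password modules in
# common-auth never run for root and any (or no) password is accepted.
# `requisite` only rejects non-matching users and then falls through to the
# real password check.

WEAK_CONF='#%PAM-1.0
# BAD: root passes without ever reaching the password modules
auth    sufficient  pam_succeed_if.so uid = 0 quiet
@include common-auth
@include common-account
@include common-session'

FIXED_CONF='#%PAM-1.0
# GOOD: non-root is rejected here, root still has to pass common-auth
auth    requisite   pam_succeed_if.so uid = 0 quiet
# To admit members of a manually created group "xapi" as well, replace the
# line above with these two (root skips the group test, others must pass it):
#auth   [success=1 default=ignore]  pam_succeed_if.so uid = 0 quiet
#auth   requisite                   pam_succeed_if.so user ingroup xapi quiet
@include common-auth
@include common-account
@include common-session'

# audit_pam_conf FILE: returns 0 when FILE gates remote xapi logins without a
# password bypass, 1 (with a reason on stderr) otherwise.  Hypothetical helper.
audit_pam_conf() {
    conf="$1"
    # Drop comments and blank lines, collapse runs of whitespace to one space.
    lines=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$conf")

    # 1. `sufficient` on a user-matching module short-circuits the password check.
    if printf '%s\n' "$lines" | grep -q '^auth sufficient pam_succeed_if\.so'; then
        echo "$conf: FAIL: 'auth sufficient pam_succeed_if.so' lets matching users in without a password" >&2
        return 1
    fi
    # 2. Some gate on the user must exist before the password modules.
    if ! printf '%s\n' "$lines" | grep -Eq '^auth (requisite|required|\[[^]]*\]) pam_succeed_if\.so'; then
        echo "$conf: FAIL: no pam_succeed_if.so line restricting which users may authenticate" >&2
        return 1
    fi
    # 3. If the group gate is active, the group has to exist on this host.
    if printf '%s\n' "$lines" | grep -q 'user ingroup xapi'; then
        if ! getent group xapi >/dev/null 2>&1; then
            echo "$conf: FAIL: group 'xapi' is referenced but does not exist (create it first)" >&2
            return 1
        fi
    fi
    echo "$conf: OK"
    return 0
}

# Demo on the two constructed files (the `|| :` keeps the script going when
# the weak variant is, correctly, flagged).
tmpdir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF"  > "$tmpdir/xapi.weak"
printf '%s\n' "$FIXED_CONF" > "$tmpdir/xapi.fixed"
audit_pam_conf "$tmpdir/xapi.weak"  || :    # FAIL, exit status 1
audit_pam_conf "$tmpdir/xapi.fixed" || :    # OK,   exit status 0
rm -rf "$tmpdir"
```

On a real host the check that matters is the one both mails already spell out: after editing /etc/pam.d/xapi (no xapi restart needed), `xe vm-list -s HOST -u guest -pw guest` must fail with "Authentication failed", and so must `xe vm-list -s HOST -u root -pw wrongpassword`; only root with the correct password should get the VM list. If the group line is enabled, create the group first, otherwise pam_succeed_if.so rejects everyone who is not root.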