
Re: [Xen-API] [SECURITY] Default settings for Xapi on Debian/Ubuntu allow non-root remote access

On 31.07.2012 17:20, Mike McClurg wrote:
Hi all,

I want to make a security disclosure for all current versions of the
xcp-xapi package in both Debian and Ubuntu. The default PAM
authentication settings for xapi allow any valid user account (root or
non-root) on dom0 to authenticate to xapi remotely, over either port
80 or 443. In the rest of this email, I'll quickly describe the two
methods that xapi uses for authentication, then describe the nature of
the misconfiguration, and provide a way to manually change the default

tl;dr - the attached patch restricts xapi's configuration to only
allow the root user to issue API commands.

Xapi has an XML-RPC based API over which clients, such as the 'xe'
tool or XenCenter, communicate with XCP hosts. When a client is
running on the dom0 itself, for instance the 'xe' command, one of the
storage managers, or a xapi plugin, that client uses the unix domain
socket at /var/lib/xcp/xapi (on Debian/Ubuntu). That socket file is
only writeable by root, so non-root users cannot bind to it.

Clients can also make API calls to xapi remotely, over either port 80
or 443. For remote authentication, xapi uses PAM to verify user
accounts. Because xapi was ported from XCP, where we assume that any
local user is effectively a root user, xapi has always allowed any
valid user in dom0 to authenticate and run xapi API commands. This
means that, assuming you have a user account called guest, with the
password guest, you can do the following from an unprivileged account:

$ xe vm-list -s localhost -u guest -pw guest

We kept this default behavior when we ported xapi to Debian. While
this configuration made sense in XCP and XenServer, it doesn't make
sense for the use cases we were targeting for xapi on Debian and
Ubuntu. In the next update of the xcp-xapi package on both Debian
Wheezy and Ubuntu Precise, the default setting will be to only allow
the root user to make remote API calls.

I have attached a patch (pam-xapi.diff) which causes xapi to only
allow the root account to issue remote commands. To apply this patch,
save it to /tmp and do:

# cd /etc/pam.d/
# patch < /tmp/pam-xapi.diff

You will not have to restart xapi for this to take effect. The patch
leaves a commented line at the bottom of /etc/pam.d/xapi, which, when
uncommented, will allow users of the group 'xapi' to issue remote
commands. You must create this group manually before uncommenting this

This issue will be resolved in the next update of the xcp-xapi package
in both Debian Wheezy and Ubuntu Precise. The Debian package should be
ready very soon. I am working with the Ubuntu Security team to make
sure the package in Precise gets updated as soon as possible as well.



Is it normal that I'm able to access xapi remotely
from a remote machine as root, without a password (or with a
wrong password)? For example:

xe -s host vm-list


xe -s host -u root vm-list

give me a pretty list of my virtual machines, and

xe -s -u guest vm-list
Authentication failed
For usage run: 'xe help'

The same is when using openxenmanager.

It happens in xcp-xapi 1.3.2-10 (Debian sid), which seems
to contain this patch. When I revert the file to its previous
version, it doesn't let me in as root without the correct password.

Paweł Tomulik
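The PAM stacks the disclosure talks about, as a constructed illustration added here (not the attached pam-xapi.diff, which is not on this page): the permissive default beside a root-only version of /etc/pam.d/xapi, plus the control-flag caveat that produces exactly the symptom reported above when a restriction is written as `sufficient` instead of `required`. The module options assume stock Linux-PAM pam_succeed_if and pam_unix.

```pam
# /etc/pam.d/xapi -- constructed illustration, not the attached pam-xapi.diff.
# Three variants of the same file; only one of them is installed at a time.

# 1. Permissive default described in the disclosure: any account whose
#    password pam_unix can verify (root or not) authenticates to xapi over
#    port 80/443.
auth     required   pam_unix.so
account  required   pam_unix.so

# 2. Root-only stack. The pam_succeed_if line is 'required', so a non-root
#    user fails here, and root's password is still checked by pam_unix,
#    because 'required' never short-circuits the modules that follow it.
auth     required   pam_succeed_if.so user = root quiet
auth     required   pam_unix.so
account  required   pam_unix.so
# Optional: admit members of a locally created 'xapi' group instead.
# Create the group first, add root to it, and use this line in place of
# the 'user = root' line above.
#auth    required   pam_succeed_if.so user ingroup xapi quiet

# 3. Caveat on control flags. A 'sufficient' module that matches BEFORE the
#    password module makes the stack return success at once (no earlier
#    'required' module has failed), so the matching user is never asked for
#    a correct password. Restrictions belong on 'required' lines placed
#    ahead of pam_unix, as in variant 2. The lines below are what to avoid:
#auth    sufficient pam_succeed_if.so user = root
#auth    required   pam_unix.so
```

A quick defender's check after editing the file is to confirm that `xe -s <host> -u root -pw wrongpassword vm-list` is rejected and that a non-root account is rejected even with its correct password.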
