[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-API] [SECURITY] Default settings for Xapi on Debian with xcp-xapi 1.3.2-10


in xcp-xapi 1.3.2-10, the pam config file /etc/pam.d/xapi reads as:

---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<


auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi

---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<

With this configuration, PAM allows to access XAPI from local and
remote machines as root without providing password, for example

xe -s host vm-list
xe -s host -u root vm-list

both print the list of VMs on host.

I don't think it is intended behaviour? Shouldn't it be fixed?

I haven't opportunity to play too much with pam and learn it in depth,
but maybe something as in attachment would do job? Could someone look
at it and tell if it's ok or not?

With best regards,

PaweÅ Tomulik

Attachment: xapi
Description: Text document

Xen-api mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.