[Xen-API] [SECURITY] Default settings for Xapi on Debian with xcp-xapi 1.3.2-10
Hi,

in xcp-xapi 1.3.2-10, the pam config file /etc/pam.d/xapi reads as:

---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<

With this configuration, PAM allows access to XAPI from local and remote machines as root without providing a password, for example

  xe -s host vm-list
  xe -s host -u root vm-list

both print the list of VMs on host.

I don't think it is intended behaviour? Shouldn't it be fixed? I haven't had the opportunity to play too much with pam and learn it in depth, but maybe something as in the attachment would do the job? Could someone look at it and tell if it's ok or not?

With best regards,
--
Paweł Tomulik

Attachment:
xapi
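The rule quoted in the message above succeeds on group membership alone, so the auth stack ends before any password is checked. The following checker is an added example, not part of the original post or of xcp-xapi; the function names, the module lists and the comparison stack are assumptions made for illustration.

```python
import re

# Modules that return success without verifying a credential;
# pam_succeed_if.so only tests account attributes such as group membership.
NO_CREDENTIAL = {"pam_succeed_if.so", "pam_permit.so"}
# Heuristic list of password-verifying modules (assumption, extend as needed).
CREDENTIAL = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so"}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def ends_stack_on_success(control):
    """True for 'sufficient' and for bracket controls containing success=done."""
    return control == "sufficient" or bool(re.search(r"\bsuccess=done\b", control))

def audit_auth_stack(text):
    """Return (lineno, rule) for auth rules that grant access with no credential check."""
    findings, gated = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. the #%PAM-1.0 header
        m = RULE.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if module in NO_CREDENTIAL:
            if ends_stack_on_success(control) and not gated:
                findings.append((lineno, line))
        elif control in ("required", "requisite") and module in CREDENTIAL:
            gated = True  # a mandatory password check must already have passed
    return findings

# The /etc/pam.d/xapi content quoted in the message above.
XAPI_PAM = """#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
"""

# Constructed comparison stack (an assumption, not the attachment from the message):
# the group test is only a precondition and pam_unix.so still verifies the password.
COMPARISON_PAM = """#%PAM-1.0
auth requisite pam_succeed_if.so user ingroup root
auth required pam_unix.so
"""

if __name__ == "__main__":
    for name, cfg in (("xapi", XAPI_PAM), ("comparison", COMPARISON_PAM)):
        for lineno, rule in audit_auth_stack(cfg):
            print(f"{name}:{lineno}: succeeds without a credential: {rule}")
```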