Re: [Xen-API] [SECURITY] Default settings for Xapi on Debian with xcp-xapi 1.3.2-10
- To: xen-api@xxxxxxxxxxxxx
- From: George Shuklin <george.shuklin@xxxxxxxxx>
- Date: Mon, 13 Aug 2012 10:42:36 +0400
- Delivery-date: Mon, 13 Aug 2012 06:42:49 +0000
- List-id: User and development list for XCP and XAPI <xen-api.lists.xen.org>
ACK, it really happens.
Some tests:
auth sufficient pam_succeed_if.so user ingroup root
auth sufficient pam_succeed_if.so user ingroup xapi
xe vm-list -u root -s 127.1 - successful
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
xe vm-list -u root -s 127.1 - successful
#auth sufficient pam_succeed_if.so user ingroup root
auth sufficient pam_succeed_if.so user ingroup xapi
- fails for root (passwordless and with the correct password),
but allows no-password access for a user within group 'xapi'
(guest/guest).
#auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
- not successful
Funny, but the last case (everything commented out) works with the correct
password: xe vm-list -u root -p rootpw -s 127.1
and did not work with guest/other users (kind of the expected normal
behaviour).
I don't really know much about PAM, but those lines seem to be wrong
and allow any user within the mentioned group to log in without a
password.
On 13.08.2012 10:15, Pawel Tomulik wrote:
Hi,
in xcp-xapi 1.3.2-10, the pam config file /etc/pam.d/xapi reads as:
---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<
With this configuration, PAM allows access to XAPI from local and
remote machines as root without providing a password, for example
xe -s host vm-list
xe -s host -u root vm-list
both print the list of VMs on the host.
I don't think this is intended behaviour? Shouldn't it be fixed?
I haven't had the opportunity to play much with PAM and learn it in
depth, but maybe something like the attachment would do the job? Could
someone look at it and tell me if it's ok or not?
With best regards,
_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
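The behaviour both posters observe follows from how Linux-PAM evaluates control flags: a `sufficient` module that succeeds ends the `auth` stack immediately, so if that module is `pam_succeed_if.so` (which only tests a predicate such as group membership and never asks for a password), nobody further down the stack ever verifies a password. The following is an added example, not code from xcp-xapi, from the Debian package, or from either poster: a small simulator of the `auth` stack semantics run over the shipped lines, over the two-line variant George tested, and over a hardened variant, plus a static check that flags this pattern. The user table, passwords, group memberships and `HARDENED_CONFIG` are constructed for illustration; the hardened config is a suggestion and is not the attachment Pawel refers to, which is not on this page.

```python
"""Simulate the Linux-PAM 'auth' stack for /etc/pam.d/xapi.

Added example, not code from xcp-xapi or from the thread's posters.
Only the control flags and the two modules relevant here are modelled:
  pam_succeed_if.so "user ingroup G": succeeds iff the user is in group G,
                                       never asks for a password
  pam_unix.so:                         succeeds iff the password matches
The user table, passwords and HARDENED_CONFIG are constructed for this demo.
"""

# The stack as shipped in xcp-xapi 1.3.2-10 (quoted in the thread).
SHIPPED_CONFIG = """\
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
"""

# The variant with both lines active.
BOTH_GROUPS_CONFIG = """\
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
auth sufficient pam_succeed_if.so user ingroup xapi
"""

# Suggested replacement (an assumption, not the attachment from the thread):
# always verify the password, and only then require membership in 'xapi'.
HARDENED_CONFIG = """\
#%PAM-1.0
auth required  pam_unix.so
auth requisite pam_succeed_if.so user ingroup xapi
"""

# Constructed user database for the simulation only.
USERS = {
    "root":  {"groups": {"root", "xapi"}, "password": "rootpw"},
    "guest": {"groups": {"xapi"},         "password": "guest"},
    "alice": {"groups": {"users"},        "password": "alice"},
}

PASSWORD_MODULES = {"pam_unix.so"}


def parse_pam(text):
    """Return (control, module, args) for each active 'auth' line."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "auth":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_module(module, args, user, password):
    """True if the module reports success for this login attempt."""
    entry = USERS.get(user)
    if module == "pam_succeed_if.so":
        if args[:2] != ["user", "ingroup"]:
            raise ValueError("only 'user ingroup <group>' is modelled")
        return entry is not None and args[2] in entry["groups"]
    if module == "pam_unix.so":
        return (entry is not None and password is not None
                and password == entry["password"])
    raise ValueError(f"unknown module {module}")


def authenticate(stack, user, password=None):
    """Simplified Linux-PAM control-flag semantics for an 'auth' stack."""
    required_failed = False
    any_success = False
    for control, module, args in stack:
        ok = run_module(module, args, user, password)
        if control == "sufficient":
            # Success ends the stack right here unless a 'required' module
            # already failed; anything below (e.g. a password check) never
            # runs.  A failure of a 'sufficient' module is simply ignored.
            if ok and not required_failed:
                return True
        elif control == "requisite":
            if not ok:
                return False          # fail immediately
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True  # keep going, but the result is failure
        elif control == "optional":
            any_success = any_success or ok  # simplified: counts as a success
        else:
            raise ValueError(f"unknown control flag {control}")
    return any_success and not required_failed


def passwordless_sufficient(stack):
    """Static audit: 'sufficient' lines that verify no password and sit
    before every required password check can grant access without one."""
    findings = []
    password_checked = False
    for control, module, args in stack:
        if control in ("required", "requisite") and module in PASSWORD_MODULES:
            password_checked = True
        if (control == "sufficient" and module not in PASSWORD_MODULES
                and not password_checked):
            findings.append(" ".join([control, module, *args]))
    return findings


if __name__ == "__main__":
    for name, cfg in [("shipped", SHIPPED_CONFIG),
                      ("both groups", BOTH_GROUPS_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        stack = parse_pam(cfg)
        print(f"[{name}] audit: {passwordless_sufficient(stack) or 'clean'}")
        for user, pw in [("root", None), ("root", "rootpw"),
                         ("guest", None), ("alice", "alice")]:
            print(f"  {user:5} password={'yes' if pw else 'no ':3} "
                  f"-> {authenticate(stack, user, pw)}")
```

With the shipped stack, `root` is accepted with no password at all, and `guest` is accepted without a password as soon as the second line is uncommented, which matches the tests in the thread. In the hardened variant `pam_unix.so` is `required` and comes first, so the password is always verified before the group predicate is consulted, and `requisite` on the group line makes a non-member fail immediately even with a correct password. The `passwordless_sufficient` check is the kind of one-liner worth running over every file in `/etc/pam.d/` on a host that exposes a network API.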