[SECURITY] default PAM settings allow any local account to authenticate to xapi
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xen-api (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | High | Unassigned |
Quantal | Fix Released | Undecided | Unassigned |
Bug Description
Xapi's default PAM settings allow any local user to authenticate and issue remote API commands. I have attached a debdiff which resolves this issue. Below is a diff which describes the changes we'll make to the xapi PAM config file.
--- /etc/pam.d/xapi
+++ /etc/pam.d/xapi
@@ -1,4 +1,5 @@
#%PAM-1.0
-auth include common-auth
-account include common-auth
-password include common-auth
+
+auth sufficient pam_succeed_if.so user ingroup root
+#Uncomment to allow group 'xapi' to authenticate. You must create this group manually!
+#auth sufficient pam_succeed_if.so user ingroup xapi
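Review bot: the new auth stack ends on a `sufficient` line with nothing after it, so a caller who is not in the listed group is refused only by the framework's fall-through behaviour rather than by an explicit rule; add `auth required pam_deny.so` as the final auth line (after the optional `xapi` group line) so the denial is stated in the file. The hunk also deletes the `account include common-auth` and `password include common-auth` entries without adding replacements, so account management for the xapi service is no longer configured here; the account stack should be declared explicitly rather than left to whatever the system default for unlisted types happens to be.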
This update will soon be pushed into Debian Wheezy. Please apply this update to the xen-api package in Precise.
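As an added example (not part of the bug report or the xen-api package), the check below audits a PAM service file for the weakness this bug describes: an `auth` stack that delegates to `common-auth`, so any local account passes, versus a stack that only admits members of a named group and ends in an explicit deny. The sample service files it writes to a temporary directory are constructed for the example; the function names `pam_audit`, `pam_groups` and `make_samples` are hypothetical.

```sh
#!/bin/sh
# Hypothetical audit helper for /etc/pam.d/<service> files (example code, not from xen-api).
# pam_audit FILE prints one of:
#   weak        - the auth stack includes common-auth (any local account can authenticate)
#   restricted  - every auth line is a pam_succeed_if group check or pam_deny
#   unknown     - no auth lines, or a stack this checker does not recognise
pam_audit() {
    file="$1"
    # drop comments and blank lines, keep only lines whose type field is "auth"
    auth_lines=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$file" | awk '$1 == "auth"')
    if [ -z "$auth_lines" ]; then
        echo "unknown"
        return 0
    fi
    if printf '%s\n' "$auth_lines" | grep -qE 'include[[:space:]]+common-auth'; then
        echo "weak"
        return 0
    fi
    total=$(printf '%s\n' "$auth_lines" | wc -l | tr -d ' ')
    # lines that either gate on group membership or explicitly deny
    good=$(printf '%s\n' "$auth_lines" | grep -cE 'pam_succeed_if\.so.*user ingroup|pam_deny\.so' || true)
    if [ "$total" -eq "$good" ]; then
        echo "restricted"
    else
        echo "unknown"
    fi
}

# pam_groups FILE prints the group names referenced by "user ingroup <name>" on auth lines,
# one per line; the diff in this bug notes such groups must be created by hand, so an
# operator can feed this list to getent(1) to confirm each one exists.
pam_groups() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" \
        | awk '$1 == "auth"' \
        | grep -oE 'ingroup[[:space:]]+[^[:space:]]+' \
        | awk '{ print $2 }'
}

# make_samples writes two constructed service files and exports their paths.
make_samples() {
    tmpdir=$(mktemp -d)
    WEAK_FILE="$tmpdir/xapi.weak"
    HARDENED_FILE="$tmpdir/xapi.hardened"
    # constructed sample: the default stack reported in this bug
    cat > "$WEAK_FILE" <<'EOF'
#%PAM-1.0
auth include common-auth
account include common-auth
password include common-auth
EOF
    # constructed sample: group-restricted stack with an explicit final deny
    cat > "$HARDENED_FILE" <<'EOF'
#%PAM-1.0

auth sufficient pam_succeed_if.so user ingroup root
auth sufficient pam_succeed_if.so user ingroup xapi
auth required pam_deny.so
EOF
}

make_samples
echo "weak sample:     $(pam_audit "$WEAK_FILE")"
echo "hardened sample: $(pam_audit "$HARDENED_FILE")"
echo "groups required: $(pam_groups "$HARDENED_FILE" | paste -s -d ' ' -)"
```

Run it against the real file with `pam_audit /etc/pam.d/xapi`; a result of `weak` on a host exposing the xapi API remotely means the unpatched default is still in place. The checker is deliberately strict: any auth line it does not recognise yields `unknown` rather than `restricted`, so a stack that mixes a group check with some other module is flagged for manual review instead of being passed.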
security vulnerability: yes → no
visibility: private → public
Changed in xen-api (Ubuntu Quantal):
  status: New → Fix Committed
  status: Fix Committed → Fix Released
Changed in xen-api (Ubuntu Precise):
  status: New → Confirmed
  importance: Undecided → High
Hi,
Please note that this has been fixed in SID. So for Ubuntu 12.10, I would recommend to sync from SID, which by the way, has many other fixes. I would also recommend taking the latest version from SID for Ubuntu 12.04, but if that's not the policy, then a backport of the fix can be done.
Thomas