[Security] Default PAM settings allow execution of remote API commands without password

Bug #1033899 reported by Francis Pereira
Affects             Status         Importance   Assigned to     Milestone
xen-api (Ubuntu)    Fix Released   Undecided    Mike McClurg
  Precise           Won't Fix      Undecided    Mike McClurg
  Quantal           Fix Released   Undecided    Mike McClurg

Bug Description

Changes ( https://launchpadlibrarian.net/111550438/xen-api_1.3.2-5ubuntu1.debdiff ) to /etc/pam.d/xapi made for LP: #1031375 ( https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1031375 ) allow root to log in and execute any API commands without the need for a password. PAM rules need to be updated to also require a valid password.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've subscribed two of the Debian package maintainers, Mike and Thomas.

I'm not familiar enough with how xen-api is used, so could one of you explain the reasoning for this change?

Revision history for this message
Thomas Goirand (thomas-goirand) wrote :

Hi,

Basically, before, anyone with an account on the box could execute commands with xe (eg: use XAPI), when what was intended was that only the root would.

What I did in the Debian SID package was creating a xapi group, then if someone is *not* in that group, or if the PAM group thing isn't uncommented, then he will not have access to XAPI. It seems that the patch for Ubuntu doesn't have the addition of the new group, in order to limit changes, which I think is fine (if someone wants to grant access to a non-root user, then the xapi group would need to be manually created, and the PAM config file for that group uncommented).

Do you understand now? If my explanations were not enough, please let me know. If you want to read more details, Mike did an advisory here:
http://lists.xen.org/archives/html/xen-api/2012-07/msg00059.html

But I don't think you need to read that much! :)

Cheers,

Thomas Goirand (zigo)

Revision history for this message
Francis Pereira (francispereira) wrote :

Hi Thomas,

The new PAM rule allows a user to execute remote API commands when the user is a member of group root or xapi (if uncommented). This is expected behavior when the user is logged in on a terminal, but when authenticating via the HTTP API (connecting via XenCenter) this PAM rule allows anyone to log in and execute commands as root without a password.

Francis

Revision history for this message
Mike McClurg (mike-mcclurg) wrote :

I'm not sure if I understand the issue here. If a user is logged in as root, they should be allowed to issue XenAPI commands (either through the xe CLI, or through the XML-RPC API, over the local unix domain socket) without a password. This is the current behavior, both before and after this patch has been applied.

The new PAM rules only apply to someone using the XML-RPC API remotely, either over HTTP or HTTPS. The new rule allows only the root user to issue commands. The user must provide a username and password each time he/she executes a remote API command. The old PAM rules allowed any local user on the host to issue these commands. The new rule restricts this to just the root user (and users in the group xapi, iff that line is uncommented).

Here are a few tests that one can run on the new xcp-xapi in order to see the expected behavior. All commands are run from dom0.

root# xe vm-list
<this should work>

root# xe vm-list -s localhost -u root -pw <root's password>
<this should work (remote API call authenticating with root)>

root# xe vm-list -s localhost -u guest -pw <guest's password>
<this should FAIL (remote API call authenticating with non-root)>

guest$ xe vm-list
<this should FAIL (only root has access to local unix domain socket)>

guest$ xe vm-list -s localhost -u guest -pw <guest's password>
<this should FAIL (remote API call authenticating with non-root)>

guest$ xe vm-list -s localhost -u root -pw <root's password>
<this should work (remote API call authenticating with root)>

Revision history for this message
Francis Pereira (francispereira) wrote :

xenadmin@act-sm-071:~$ id
uid=1000(xenadmin) gid=1000(xenadmin) groups=1000(xenadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)

xenadmin@act-sm-071:~$ xe host-is-in-emergency-mode -s localhost -u root -pw ""
false

As user xenadmin, I can execute "host-is-in-emergency-mode" against XAPI running on localhost as user root without having to supply root's password.

Effectively anyone can connect to XAPI as root without supplying a password and execute API commands.

Revision history for this message
Mike McClurg (mike-mcclurg) wrote :

Right, that's quite embarrassing. Francis, what we want to do is only allow root (after authenticating!) to issue remote commands. Do you know PAM well enough to explain to me how to implement this?

Revision history for this message
Mike McClurg (mike-mcclurg) wrote :

Alright, I think the following PAM file will work:

#%PAM-1.0
@include common-auth
auth required pam_succeed_if.so user ingroup root

Does this look correct?

Revision history for this message
Francis Pereira (francispereira) wrote :

The PAM config you mentioned works as expected, i.e. it only allows root after successful authentication. How do we change it such that it allows users from group root and xapi after successful authentication?

Changed in xen-api (Ubuntu):
status: New → Confirmed
Revision history for this message
Mike McClurg (mike-mcclurg) wrote :

We could add the line:

auth required pam_succeed_if.so user ingroup xapi

to allow users of group xapi to authenticate. Note that the PAM config in comment #7 allows users in the root *group* to authenticate, which is probably what we want to do. I could be convinced that this more restrictive config is better:

auth required pam_succeed_if.so uid eq 0

Which would only allow the root user (UID 0) to authenticate.

See pam_succeed_if manpage here: http://linux.die.net/man/8/pam_succeed_if

Please understand that I am no PAM expert (as you might have guessed). I would appreciate if someone with more PAM experience, possibly from the Ubuntu Security team, would comment on the PAM config that I'm suggesting.

Revision history for this message
Francis Pereira (francispereira) wrote :

Mike, I am trying to get users of group root and xapi to authenticate, but the following config does not work:

#%PAM-1.0
@include common-auth
auth required pam_succeed_if.so user ingroup root
# Uncomment below if you want users of group xapi to successfully authenticate.
# The group xapi should be manually created.
auth required pam_succeed_if.so user ingroup xapi

I would like users of group xapi to successfully authenticate so that VM admins (members of group xapi, administering VMs via XenCenter) don't have to be members of group root in dom0. This adds to dom0 security.

Someone from Ubuntu Security team please comment

Revision history for this message
Marcus Granado (mrc-gran) wrote : Re: [Bug 1033899] Re: [Security] Default PAM settings allow execution of remote API commands without password

If you put two "required" entries, then the authentication will need to satisfy both of them, so only users in both the xapi and root groups would authenticate.

I believe that a way of having "either one or the other" semantics is to have a "sufficient" entry _before_ a "required" entry, like the example below. If the "sufficient" entry holds true, then PAM returns ok and doesn't evaluate the "required" entry. Otherwise, it goes on to test the "required" entry. But this would need testing (I don't have a machine to test this right now):

#%PAM-1.0
@include common-auth
auth sufficient pam_succeed_if.so user ingroup xapi
auth required pam_succeed_if.so user ingroup root


Revision history for this message
Tyler Hicks (tyhicks) wrote :

My understanding matches the description provided by Marcus.

However, it would be good to have a PAM expert review this since we got it wrong the first time, so I've subscribed Steve Langasek.

Steve, can you comment on the proper pam configuration needed for this use case?

Revision history for this message
Steve Langasek (vorlon) wrote :

I would suggest that the optimal solution is this:

auth [success=1 default=ignore] pam_succeed_if.so user ingroup xapi
auth requisite pam_succeed_if.so user ingroup root
@include common-auth

translation: if the user is in group xapi, proceed to run the common-auth checks. if not, check if the user is in group root. if the user is in neither group, fail immediately (without prompting for a password).

Revision history for this message
Francis Pereira (francispereira) wrote :

I can confirm that the PAM config suggested by Steve in comment #13 works as expected. Tests below:

# password is required for user root (member of root group :))
<email address hidden>:~# id
uid=0(root) gid=0(root) groups=0(root)
<email address hidden>:~# xe host-is-in-emergency-mode -s localhost -u root -pw ""
Authentication failed
For usage run: 'xe help'
<email address hidden>:~# xe host-is-in-emergency-mode -s localhost -u root -pw "pamtest"
false

# password is required for user xenadmin (member of xapi group)
<email address hidden>:~$ id
uid=1000(xenadmin) gid=1000(xenadmin) groups=1000(xenadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1001(xapi)
<email address hidden>:~$ xe host-is-in-emergency-mode -s localhost -u xenadmin -pw ""
Authentication failed
For usage run: 'xe help'
<email address hidden>:~$ xe host-is-in-emergency-mode -s localhost -u xenadmin -pw "pamtest"
false

# correct password supplied but no login since the user is not a member of root or xapi
<email address hidden>:~$ xe host-is-in-emergency-mode -s localhost -u francis -pw ""
Authentication failed
For usage run: 'xe help'
<email address hidden>:~$ xe host-is-in-emergency-mode -s localhost -u francis -pw "pamtest"
Authentication failed
For usage run: 'xe help'
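
The control-flag semantics Marcus describes above (two "required" lines demand membership of both groups; "sufficient" short-circuits) and the `[success=1 default=ignore]` skip in Steve's config can be checked offline with a small model of the Linux-PAM auth stack, which is also a quick way to see why Francis's test matrix above comes out the way it does. The following Python is an added example written for this page, not code from xen-api, Linux-PAM or any of the commenters. The account database, the passwords, the contents of `COMMON_AUTH` (Ubuntu's three-line default of the period; compare it with your own /etc/pam.d/common-auth before relying on the model) and the password-less `GROUP_CHECK_ONLY` stack are constructed or assumed, and the module behaviour is a simplification of the real pam_succeed_if and pam_unix.

```python
"""Model of a Linux-PAM 'auth' stack for the /etc/pam.d/xapi variants in this bug.

Added example for this page, not code from xen-api or Linux-PAM. Modelled control
flags: required, requisite, sufficient and the [success=N default=ignore] action.
Modelled modules: pam_succeed_if ("user ingroup G", "uid eq N"), pam_unix,
pam_permit, pam_deny. Accounts, passwords and COMMON_AUTH are constructed data.
"""
from __future__ import annotations

# Constructed account database: name -> (uid, group set, password).
USERS = {
    "root":     (0,    {"root"},             "pamtest"),
    "xenadmin": (1000, {"xenadmin", "xapi"}, "pamtest"),
    "francis":  (1001, {"francis"},          "pamtest"),
}

# Assumed contents of Ubuntu's /etc/pam.d/common-auth of the period; check your host.
COMMON_AUTH = [
    ("[success=1 default=ignore]", "pam_unix.so nullok_secure"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]


def parse(config: str) -> list[tuple[str, str]]:
    """Turn pam.d text into (control, module+args) pairs, expanding @include common-auth."""
    stack = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "@include common-auth":
            stack.extend(COMMON_AUTH)
            continue
        kind, rest = line.split(None, 1)
        if kind != "auth":
            raise ValueError("only the auth stack is modelled")
        if rest.startswith("["):                      # bracketed control contains spaces
            end = rest.index("]")
            control, module = rest[:end + 1], rest[end + 1:].strip()
        else:
            control, module = rest.split(None, 1)
        stack.append((control, module))
    return stack


def run_module(module: str, user: str, password: str) -> bool:
    """True for PAM_SUCCESS, False for any failure code."""
    name, *args = module.split()
    if name == "pam_permit.so":
        return True
    if name == "pam_deny.so":
        return False
    if user not in USERS:                             # unknown account fails both lookups
        return False
    uid, groups, real_pw = USERS[user]
    if name == "pam_unix.so":
        return password == real_pw                    # stands in for the shadow-file check
    if name == "pam_succeed_if.so":
        if args[:2] == ["user", "ingroup"]:
            return args[2] in groups
        if args[:2] == ["uid", "eq"]:
            return uid == int(args[2])
    raise ValueError(f"unmodelled module or condition: {module}")


def authenticate(config: str, user: str, password: str) -> tuple[bool, list[str]]:
    """Walk the stack with Linux-PAM semantics; return (verdict, modules actually run)."""
    stack = parse(config)
    ran: list[str] = []
    succeeded = required_failed = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = run_module(module, user, password)
        ran.append(module.split()[0])
        i += 1
        if control.startswith("["):
            actions = dict(a.split("=", 1) for a in control.strip("[]").split())
            action = actions.get("success" if ok else "default", actions.get("default", ""))
            if ok and action.isdigit():
                succeeded = succeeded or not required_failed
                i += int(action)                      # jump over the next N modules
            elif action != "ignore":
                raise ValueError(f"unmodelled action in {control}")
        elif control in ("required", "requisite"):
            if ok:
                succeeded = succeeded or not required_failed
            elif control == "requisite":
                return False, ran                     # die: stop immediately
            else:
                required_failed = True                # remember the failure, keep walking
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ran                      # done: short-circuit success
        else:
            raise ValueError(f"unmodelled control flag: {control}")
    return succeeded and not required_failed, ran


# Reconstructed from the thread (not shown on the page): a group test and no password
# module, so "-u root -pw ''" passes because the claimed name is in group root.
GROUP_CHECK_ONLY = "auth required pam_succeed_if.so user ingroup root\n"
# Francis's attempt: two required lines demand membership of BOTH groups.
TWO_REQUIRED = """
@include common-auth
auth required pam_succeed_if.so user ingroup root
auth required pam_succeed_if.so user ingroup xapi
"""
# Marcus's suggestion: sufficient short-circuits, but common-auth runs first for everyone.
SUFFICIENT_FIRST = """
@include common-auth
auth sufficient pam_succeed_if.so user ingroup xapi
auth required pam_succeed_if.so user ingroup root
"""
# Steve's stack, confirmed by Francis's tests: group gate first, password check after.
FINAL = """
auth [success=1 default=ignore] pam_succeed_if.so user ingroup xapi
auth requisite pam_succeed_if.so user ingroup root
@include common-auth
"""

if __name__ == "__main__":
    for label, cfg in [("group-check-only", GROUP_CHECK_ONLY), ("two-required", TWO_REQUIRED),
                       ("sufficient-first", SUFFICIENT_FIRST), ("final", FINAL)]:
        for user, pw in [("root", ""), ("root", "pamtest"), ("xenadmin", "pamtest"), ("francis", "pamtest")]:
            ok, ran = authenticate(cfg, user, pw)
            print(f"{label:17} {user:9} pw={pw!r:10} -> {'ALLOW' if ok else 'deny ':5} via {ran}")
```

Running the script prints the full matrix. The points it makes that the thread only states in prose: the two-"required" stack rejects root as well as xenadmin, because root is not in group xapi; the "sufficient"-first stack does accept either group, but since common-auth precedes the group tests, pam_unix verifies every local account's password before the group gate is consulted; Steve's ordering rejects a user in neither group after two pam_succeed_if calls and never reaches pam_unix, and it produces exactly the allow/deny pattern in Francis's tests above. Note also that "user" throughout is the name the remote client claims, which is the heart of the original bug: pam_succeed_if looks up group membership for that claimed name, so a password module is the only thing tying the request to the account.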

Revision history for this message
Francis Pereira (francispereira) wrote :

Mike/Thomas - will there be a package update available in the repo fixing this bug or will this simply get fixed in the next scheduled release ?

Revision history for this message
Mike McClurg (mike-mcclurg) wrote :

We'll fix this in an update soon. This is definitely a regression on top of the first PAM-config bug we've fixed.

Revision history for this message
Thomas Goirand (thomas-goirand) wrote : Re: [Bug 1033899] Re: [Security] Default PAM settings allow execution of remote API commands without password

On 08/16/2012 03:43 PM, Mike McClurg wrote:
> We'll fix this in an update soon. This is definitely a regression on top
> of the first PAM-config bug we've fixed.

Hi Mike,

With all the discussions, I'm not sure what we should do...

Can you please send an updated debian/patches file for this bug, so that
I can upload a fixed version in SID?

Cheers,

Thomas

Revision history for this message
Mike McClurg (mike-mcclurg) wrote : Re: [Bug 1033899] Re: [Security] Default PAM settings allow execution of remote API commands without password

Yes, I'll do that. I may not be able to get to it until this weekend, though.

Revision history for this message
Mike McClurg (mike-mcclurg) wrote :

Debdiff attached.

Changed in xen-api (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Mike McClurg (mike-mcclurg)
Steve Beattie (sbeattie)
visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xen-api - 1.3.2-11

---------------
xen-api (1.3.2-11) unstable; urgency=high

  * Fix PAM settings to only allow root to issue remote commands (LP: #1033899)

 -- Mike McClurg <email address hidden> Wed, 22 Aug 2012 15:36:31 +0100

Changed in xen-api (Ubuntu Quantal):
status: In Progress → Fix Released
Steve Langasek (vorlon)
Changed in xen-api (Ubuntu Precise):
status: New → Triaged
assignee: nobody → Mike McClurg (mike-mcclurg)
Revision history for this message
Francis Pereira (francispereira) wrote :

Thanks everyone for helping fix this.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

@Mike, was this fixed for precise with the upload 1.3.2-5ubuntu0.1?

Thanks

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

precise has seen the end of its life and is no longer receiving any updates.
Marking the precise task for this ticket as 'Won't Fix'.

Changed in xen-api (Ubuntu Precise):
status: Triaged → Fix Released
status: Fix Released → Won't Fix