Comment 5 for bug 1033899

Francis Pereira (francispereira) wrote :

<email address hidden>:~$ id
uid=1000(xenadmin) gid=1000(xenadmin) groups=1000(xenadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)

xenadmin@act-sm-071:~$ xe host-is-in-emergency-mode -s localhost -u root -pw ""
false

As user xenadmin, I can execute "host-is-in-emergency-mode" against XAPI running on localhost as user root without having to supply root's password.

Effectively anyone can connect to XAPI as root without supplying a password and execute API commands.