
Bug#683472: unblock: xen-api/1.3.2-10



On 08/04/2012 11:52 PM, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Wed, 2012-08-01 at 10:19 +0800, Thomas Goirand wrote:
>> Please unblock package xen-api
>>
>> The current version in Wheezy suffers from a wrong default PAM setting,
>> giving access to XAPI to any account on the server, as per:
>> http://lists.xen.org/archives/html/xen-api/2012-07/msg00059.html
> 
> The changelog and actual changes appear to disagree:
> 
> +    - Adds a xapi group.
> +    - Configure PAM to only grant access to root and xapi groups.
> 
> versus
> 
> ++auth sufficient pam_succeed_if.so user ingroup root
> ++#auth sufficient pam_succeed_if.so user ingroup xapi
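
Review bot: both rules in the `++auth` lines use the `sufficient` control, which only grants on a match, so whether every other account is rejected depends on the rest of the auth stack, which is not visible in these two lines. It would help to confirm that the stack ends in a rule that denies by default, and to put a comment above the commented-out `ingroup xapi` line saying whether it is disabled on purpose. The changelog entry "Configure PAM to only grant access to root and xapi groups" should also state that the xapi rule ships commented out.
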
> 
> Regards,
> 
> Adam

Hi,

It was decided at the last moment, together with upstream (e.g. Mike
from Citrix), that we would add the xapi group, but only provide the PAM
configuration with access to XAPI disabled for the members of this
group, for security purposes, and to force the admins to understand how
it worked.

To give a user access to XAPI, an administrator would have to add
that user to the XAPI group, then uncomment the above line.

So, even though it could have been mentioned in the changelog, I think
it is fine the way it is right now. If you feel we should, I don't mind
mentioning it in the README.Debian.

Please unblock xen-api. :)

Thomas
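
The following is an added example, not part of this thread or of the xen-api package: a small audit of the two `pam_succeed_if.so` rules quoted above, showing which groups are granted before and after the administrator step described in the reply. The function names are hypothetical, and the rest of the PAM service file, which the thread does not show, is not modelled.

```python
import re

# Constructed sample: only the two rules quoted in the thread.
SAMPLE = """\
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
"""

# An "auth sufficient pam_succeed_if.so ..." rule, optionally commented out.
RULE = re.compile(
    r"^(?P<off>#\s*)?auth\s+sufficient\s+pam_succeed_if\.so\s+(?P<args>.*)$"
)


def group_rules(text):
    """Return the groups named by active and by commented-out rules."""
    found = {"active": [], "disabled": []}
    for raw in text.splitlines():
        m = RULE.match(raw.strip())
        if not m:
            continue
        args = m.group("args").split()
        # pam_succeed_if conditions are "field test value" triples.
        for i in range(len(args) - 2):
            if args[i] == "user" and args[i + 1] == "ingroup":
                key = "disabled" if m.group("off") else "active"
                found[key].append(args[i + 2])
    return found


def granted_by_group(text, user_groups):
    """True if an active rule matches one of the user's groups."""
    return any(g in user_groups for g in group_rules(text)["active"])


def enable_group(text, group):
    """Uncomment the rule for `group` (the admin step from the reply)."""
    out = []
    for raw in text.splitlines():
        m = RULE.match(raw.strip())
        if m and m.group("off") and group in group_rules(raw)["disabled"]:
            raw = raw.strip()[len(m.group("off")):]
        out.append(raw)
    return "\n".join(out) + "\n"
```

With the shipped rules, membership in the xapi group alone matches no active rule; it does only once the second line is uncommented.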

