
Bug#686199: unblock: xen-api/1.3.2-11



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package xen-api.

The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
the help of Steve Langasek, we have it in good shape now.

The details of the conversation are available in the Ubuntu BTS here:
https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899

This version of the package includes the /etc/pam.d modifications that have
been suggested by Steve, and which are shown in the attached debdiff.

Please unblock xen-api/1.3.2-11

Cheers,

Thomas Goirand (zigo)
diff -Nru xen-api-1.3.2/debian/changelog xen-api-1.3.2/debian/changelog
--- xen-api-1.3.2/debian/changelog	2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/changelog	2012-08-22 15:40:56.000000000 +0100
@@ -1,3 +1,9 @@
+xen-api (1.3.2-11) unstable; urgency=high
+
+  * Fix PAM settings to only allow root to issue remote commands (LP: #1033899)
+
+ -- Mike McClurg <mike.mcclurg@citrix.com>  Wed, 22 Aug 2012 15:36:31 +0100
+
 xen-api (1.3.2-10) unstable; urgency=high
 
   * Fixes access rights: any user on the server could use xe to control xapi.
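
Review bot: the new 1.3.2-11 entry says the fix is to "only allow root to issue remote commands", but the rule shipped in this upload is `pam_succeed_if.so user ingroup root`, which tests membership of group root, not the root user. Suggest wording the entry as "only allow members of group root", and mentioning that the group xapi line stays available as an opt-in, so the changelog matches what the PAM file enforces.
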
diff -Nru xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group
--- xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group	2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group	2012-08-22 15:40:56.000000000 +0100
@@ -1,10 +1,14 @@
 --- a/scripts/pam.d-xapi
 +++ b/scripts/pam.d-xapi
-@@ -1,4 +1,4 @@
+@@ -1,4 +1,8 @@
  #%PAM-1.0
 -auth       include     common-auth
 -account    include     common-auth
 -password   include     common-auth
++@include common-auth
 +
-+auth sufficient pam_succeed_if.so user ingroup root
++# Uncomment this line to allow users of group xapi to authenticate
 +#auth sufficient pam_succeed_if.so user ingroup xapi
++
++# Only allow group root to authenticate, unless above line uncommented
++auth required pam_succeed_if.so user ingroup root
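
Review bot: the rewritten pam.d-xapi removes the old `account` and `password` lines without replacement and defines only `auth` rules (`@include common-auth` plus the two pam_succeed_if lines), so this service file no longer has an account stack of its own. If xapi does account management through PAM, consider adding `@include common-account` so that locked or expired accounts are handled here explicitly. It would also help to say in the comment that the optional `auth sufficient ... ingroup xapi` line must stay above the `auth required ... ingroup root` line, since it only has an effect when it is evaluated first.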