
Bug#686199: marked as done (unblock: xen-api/1.3.2-11)



Your message dated Thu, 30 Aug 2012 22:10:26 +0100
with message-id <1346361026.29555.30.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#686199: unblock: xen-api/1.3.2-11
has caused the Debian Bug report #686199,
regarding unblock: xen-api/1.3.2-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
686199: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686199
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package xen-api.

The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
the help of Steve Langasek, we have it in good shape now.

The details of the conversation are available in the Ubuntu BTS here:
https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899

This version of the package includes the /etc/pam.d modification that has
been suggested by Steve, and which is shown in the attached debdiff.

Please unblock xen-api/1.3.2-11

Cheers,

Thomas Goirand (zigo)
diff -Nru xen-api-1.3.2/debian/changelog xen-api-1.3.2/debian/changelog
--- xen-api-1.3.2/debian/changelog	2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/changelog	2012-08-22 15:40:56.000000000 +0100
@@ -1,3 +1,9 @@
+xen-api (1.3.2-11) unstable; urgency=high
+
+  * Fix PAM settings to only allow root to issue remote commands (LP: #1033899)
+
+ -- Mike McClurg <mike.mcclurg@citrix.com>  Wed, 22 Aug 2012 15:36:31 +0100
+
 xen-api (1.3.2-10) unstable; urgency=high
 
   * Fixes access rights: any user on the server could use xe to control xapi.
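Review bot: the new changelog entry "Fix PAM settings to only allow root to issue remote commands" overstates what the accompanying patch does: the rule it ships is `auth required pam_succeed_if.so user ingroup root`, which admits every member of group root, not only the root user. Either word the entry as "members of group root" or, if only uid 0 is meant, tighten the condition (pam_succeed_if also accepts `uid eq 0` / `user = root`) so the changelog and the shipped rule agree.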
diff -Nru xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group
--- xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group	2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group	2012-08-22 15:40:56.000000000 +0100
@@ -1,10 +1,14 @@
 --- a/scripts/pam.d-xapi
 +++ b/scripts/pam.d-xapi
-@@ -1,4 +1,4 @@
+@@ -1,4 +1,8 @@
  #%PAM-1.0
 -auth       include     common-auth
 -account    include     common-auth
 -password   include     common-auth
++@include common-auth
 +
-+auth sufficient pam_succeed_if.so user ingroup root
++# Uncomment this line to allow users of group xapi to authenticate
 +#auth sufficient pam_succeed_if.so user ingroup xapi
++
++# Only allow group root to authenticate, unless above line uncommented
++auth required pam_succeed_if.so user ingroup root
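Review bot: the substantive fix here looks right. The old line `+auth sufficient pam_succeed_if.so user ingroup root` was the only auth module left after the common-auth includes were removed, so a `sufficient` success ended the stack without any password module having run; restoring `@include common-auth` and changing the group check to `required` means both the password and the group membership must pass. Two points to consider: (1) with the include first, a user outside group root is still prompted and has their password verified by common-auth before the `required` group check rejects them; placing the group check above the include as `requisite` would refuse such users before any password exchange, if that is preferred. (2) The commented xapi line relies on its position above the root line: when uncommented, its `sufficient` success must be reached before the `required` root check fails, so the comment "Uncomment this line to allow users of group xapi to authenticate" should also say that the line has to stay above the root rule.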

--- End Message ---
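The PAM control-flag change in the debdiff above, worked through in an added example that is not part of the bug report or of the xen-api package: the script models Linux-PAM's documented auth-stack semantics (required, requisite, sufficient, include) and runs the 1.3.2-10 and 1.3.2-11 pam.d-xapi stacks, reconstructed from the hunk, against constructed user records. The common-auth stand-in, the user records and the group names are assumptions; Debian's real common-auth uses jump-style controls and is reduced here to a single required password module.

```python
"""Simplified model of Linux-PAM 'auth' stack evaluation.

Constructed example: the two pam.d-xapi variants below are taken from the
debdiff (removed lines = 1.3.2-10, added lines = 1.3.2-11). Module results
are simulated from a user record, so this models control-flag semantics
only, not a real PAM conversation.
"""
import re
from dataclasses import dataclass

# Assumption: stand-in for Debian's /etc/pam.d/common-auth. The real file uses
# [success=1 default=ignore] jumps; one 'required' password module is enough
# to express "the password must be right".
COMMON_AUTH = "auth required pam_unix.so\n"

# The 1.3.2-10 stack, reconstructed from the hunk's removed lines.
OLD_STACK = """#%PAM-1.0

auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
"""

# The 1.3.2-11 stack, as produced by the hunk's added lines.
NEW_STACK = """#%PAM-1.0
@include common-auth

# Uncomment this line to allow users of group xapi to authenticate
#auth sufficient pam_succeed_if.so user ingroup xapi

# Only allow group root to authenticate, unless above line uncommented
auth required pam_succeed_if.so user ingroup root
"""

INCLUDES = {"common-auth": COMMON_AUTH}


@dataclass
class Entry:
    control: str  # required | requisite | sufficient | include
    module: str   # module file name, or the included service name
    args: str = ""


def parse_auth_stack(text):
    """Return the 'auth' entries of a pam.d file, in order.

    Both include spellings seen in the hunk are accepted:
    '@include common-auth' and 'auth include common-auth'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            entries.append(Entry("include", line.split()[1]))
            continue
        parts = line.split(None, 3)
        if parts[0] != "auth":
            continue  # account/password/session stacks are out of scope here
        entries.append(Entry(parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
    return entries


def flatten(entries):
    """Expand includes recursively so the stack is one flat module list."""
    for e in entries:
        if e.control == "include":
            yield from flatten(parse_auth_stack(INCLUDES[e.module]))
        else:
            yield e


def run_module(entry, user):
    """Simulated module result for a constructed user record (True = PAM_SUCCESS)."""
    if entry.module == "pam_unix.so":
        return user["password_ok"]
    if entry.module == "pam_succeed_if.so":
        # Only the 'user ingroup <group>' condition used by the hunk is modelled.
        m = re.fullmatch(r"user ingroup (\S+)", entry.args)
        if not m:
            raise ValueError("unsupported pam_succeed_if condition: " + entry.args)
        return m.group(1) in user["groups"]
    raise ValueError("unknown module " + entry.module)


def authenticate(stack_text, user):
    """Apply the documented control-flag semantics to the auth stack.

    required:   failure is remembered, processing continues
    requisite:  failure ends the stack immediately
    sufficient: success with no earlier required failure ends the stack
                with success; failure is ignored
    A stack in which no module succeeded fails.
    """
    required_failed = False
    any_success = False
    for entry in flatten(parse_auth_stack(stack_text)):
        ok = run_module(entry, user)
        if entry.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True
        elif entry.control == "requisite":
            if not ok:
                return False
            any_success = True
        elif entry.control == "sufficient":
            if ok and not required_failed:
                return True
            any_success = any_success or ok
        else:
            raise ValueError("unsupported control " + entry.control)
    return any_success and not required_failed


if __name__ == "__main__":
    # Constructed users: an operator in group root and an unrelated account.
    for label, user in [("root-group, wrong password", {"groups": {"root"}, "password_ok": False}),
                        ("root-group, right password", {"groups": {"root"}, "password_ok": True}),
                        ("plain user, right password", {"groups": {"users"}, "password_ok": True})]:
        print(f"{label}: 1.3.2-10={authenticate(OLD_STACK, user)} 1.3.2-11={authenticate(NEW_STACK, user)}")
```

The model makes the two defects of the 1.3.2-10 stack concrete: with the common-auth includes gone, the lone `sufficient` group check is the only module, so a member of group root passes without any password module running, while nobody else can pass at all. The 1.3.2-11 stack requires both the password (via common-auth) and the group membership; uncommenting the xapi line adds group xapi as an alternative, but only after the password check has succeeded, because a `sufficient` success does not override an earlier `required` failure.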
--- Begin Message ---
On Thu, 2012-08-30 at 11:02 -0700, Steve Langasek wrote:
> On Thu, Aug 30, 2012 at 06:07:55PM +0800, Thomas Goirand wrote:
> > On 08/30/2012 03:20 AM, Adam D. Barratt wrote:
> > > On Thu, 2012-08-30 at 03:01 +0800, Thomas Goirand wrote:
> > >> Please unblock package xen-api.
> 
> > >> The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
> > >> the help of Steve Langasek, we have it in a good shape now.
> 
> > >> The details of the conversation is available in the Ubuntu BTS here:
> > >> https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899
[...]
> > Indeed, this is a permission problem in this page, it's marked as
> > "Private Security". I'm not sure how the Ubuntu stuff works though.
[...]
> I've talked to the Ubuntu security team and they've unembargoed the bug;
> there's no reason to keep it private when there's public conversation
> pointing at the fact that it's a security issue.  So that link works now.

Thanks.  Unblocked.

Regards,

Adam

--- End Message ---