--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
Please unblock package xen-api.
The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
the help of Steve Langasek, we have it in good shape now.
The details of the conversation are available in the Ubuntu BTS here:
https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899
This version of the package includes the /etc/pam.d modifications that have
been suggested by Steve, and which are shown in the attached debdiff.
Please unblock xen-api/1.3.2-11
Cheers,
Thomas Goirand (zigo)
diff -Nru xen-api-1.3.2/debian/changelog xen-api-1.3.2/debian/changelog
--- xen-api-1.3.2/debian/changelog 2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/changelog 2012-08-22 15:40:56.000000000 +0100
@@ -1,3 +1,9 @@
+xen-api (1.3.2-11) unstable; urgency=high
+
+ * Fix PAM settings to only allow root to issue remote commands (LP: #1033899)
+
+ -- Mike McClurg <mike.mcclurg@citrix.com> Wed, 22 Aug 2012 15:36:31 +0100
+
xen-api (1.3.2-10) unstable; urgency=high
* Fixes access rights: any user on the server could use xe to control xapi.
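Review bot: the new entry "Fix PAM settings to only allow root to issue remote commands" is narrower than what the patch below implements, which is `auth required pam_succeed_if.so user ingroup root`, i.e. any member of group root (and optionally group xapi), not only uid 0. Suggest "only allow members of group root (optionally group xapi) to authenticate" so administrators reading the changelog know which group membership to manage; urgency=high is appropriate for a correction to a security fix.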
diff -Nru xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group
--- xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group 2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group 2012-08-22 15:40:56.000000000 +0100
@@ -1,10 +1,14 @@
--- a/scripts/pam.d-xapi
+++ b/scripts/pam.d-xapi
-@@ -1,4 +1,4 @@
+@@ -1,4 +1,8 @@
#%PAM-1.0
-auth include common-auth
-account include common-auth
-password include common-auth
++@include common-auth
+
-+auth sufficient pam_succeed_if.so user ingroup root
++# Uncomment this line to allow users of group xapi to authenticate
+#auth sufficient pam_succeed_if.so user ingroup xapi
++
++# Only allow group root to authenticate, unless above line uncommented
++auth required pam_succeed_if.so user ingroup root
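Review bot: two points on the new stack. The commented line `#auth sufficient pam_succeed_if.so user ingroup xapi` only does its job where it sits, above `auth required pam_succeed_if.so user ingroup root`: moved below it, a xapi member would already have a failed `required` module and `sufficient` could no longer grant, so the in-file comment should say the order must be kept. Second, the `account include common-auth` and `password include common-auth` lines are removed with nothing in their place, leaving the account and password stacks empty; if xapi calls pam_acct_mgmt, consider `@include common-account`, otherwise state in the patch header that only the auth stack is used. The combination of `@include common-auth` with the `required` root-group check is the right replacement for the single `auth sufficient ... ingroup root` line of 1.3.2-10, which ran with no password check in front of it.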
--- End Message ---
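The control-flag behaviour behind the two versions of scripts/pam.d-xapi in the debdiff above, as an added example that is constructed here and is neither xen-api code nor a PAM implementation: a toy evaluator of the `required` and `sufficient` controls, run over the 1.3.2-10 stack (its single `auth sufficient ... ingroup root` line, with the common-auth includes already removed, as the debdiff shows) and the 1.3.2-11 stack (`@include common-auth` plus `auth required ... ingroup root`, with the xapi line optionally uncommented). It assumes common-auth reduces to one password check, models pam_succeed_if.so only for its `user ingroup` test, and the users are constructed.

```python
# Toy evaluator for Linux-PAM auth control flags (constructed example, not
# xen-api code), used to compare the two scripts/pam.d-xapi stacks above.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    groups: frozenset
    password_ok: bool   # outcome of the password check done by common-auth

def run_module(module, group, user):
    # Assumptions: common-auth is reduced to one pam_unix.so password check,
    # and pam_succeed_if.so is modelled only for its `user ingroup <g>` test.
    if module == "pam_unix.so":
        return user.password_ok
    if module == "pam_succeed_if.so":
        return group in user.groups
    raise ValueError(module)

def authenticate(stack, user):
    """Linux-PAM rules for the two controls pam.d-xapi uses: a failed
    `required` module denies but the stack keeps running; a successful
    `sufficient` grants at once unless a `required` module already failed;
    if nothing grants, the result is deny."""
    verdict = None
    for control, module, group in stack:
        ok = run_module(module, group, user)
        if control == "required":
            if not ok:
                verdict = False
            elif verdict is None:
                verdict = True
        elif control == "sufficient":
            if ok and verdict is not False:
                return True
    return verdict is True

def xapi_stack(version, allow_xapi_group=False):
    """Auth stack of scripts/pam.d-xapi as shipped in 1.3.2-10 and 1.3.2-11."""
    if version == "1.3.2-10":
        # the line the debdiff removes: group membership alone, no password
        return [("sufficient", "pam_succeed_if.so", "root")]
    stack = [("required", "pam_unix.so", None)]        # @include common-auth
    if allow_xapi_group:                               # the commented-out line
        stack.append(("sufficient", "pam_succeed_if.so", "xapi"))
    stack.append(("required", "pam_succeed_if.so", "root"))
    return stack

# Constructed users: root-group member (right / wrong password), xapi member, other.
ROOT_OK = User(frozenset({"root"}), True)
ROOT_BAD_PW = User(frozenset({"root"}), False)
XAPI_OK = User(frozenset({"xapi"}), True)
OTHER_OK = User(frozenset({"users"}), True)
```

Running `authenticate(xapi_stack("1.3.2-10"), ROOT_BAD_PW)` returns True, which is the 1.3.2-10 defect: group membership alone grants access, while the 1.3.2-11 stack denies that user and admits group root only with a correct password.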
--- Begin Message ---
On Thu, 2012-08-30 at 11:02 -0700, Steve Langasek wrote:
> On Thu, Aug 30, 2012 at 06:07:55PM +0800, Thomas Goirand wrote:
> > On 08/30/2012 03:20 AM, Adam D. Barratt wrote:
> > > On Thu, 2012-08-30 at 03:01 +0800, Thomas Goirand wrote:
> > >> Please unblock package xen-api.
>
> > >> The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
> > >> the help of Steve Langasek, we have it in a good shape now.
>
> > >> The details of the conversation is available in the Ubuntu BTS here:
> > >> https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899
[...]
> > Indeed, this is a permission problem in this page, it's marked as
> > "Private Security". I'm not sure how the Ubuntu stuff works though.
[...]
> I've talked to the Ubuntu security team and they've unembargoed the bug;
> there's no reason to keep it private when there's public conversation
> pointing at the fact that it's a security issue. So that link works now.
Thanks. Unblocked.
Regards,
Adam
--- End Message ---