Your message dated Thu, 30 Aug 2012 22:10:26 +0100
with message-id <[email protected]>
and subject line Re: Bug#686199: unblock: xen-api/1.3.2-11
has caused the Debian Bug report #686199,
regarding unblock: xen-api/1.3.2-11
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
686199: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686199
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi,
Please unblock package xen-api.
The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
the help of Steve Langasek, we have it in a good shape now.
The details of the conversation are available in the Ubuntu BTS here:
https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899
This version of the package includes the /etc/pam.d modifications that have
been suggested by Steve, and which are shown in the attached debdiff.
Please unblock xen-api/1.3.2-11
Cheers,
Thomas Goirand (zigo)
diff -Nru xen-api-1.3.2/debian/changelog xen-api-1.3.2/debian/changelog
--- xen-api-1.3.2/debian/changelog 2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/changelog 2012-08-22 15:40:56.000000000 +0100
@@ -1,3 +1,9 @@
+xen-api (1.3.2-11) unstable; urgency=high
+
+ * Fix PAM settings to only allow root to issue remote commands (LP: #1033899)
+
+ -- Mike McClurg <[email protected]> Wed, 22 Aug 2012 15:36:31 +0100
+
xen-api (1.3.2-10) unstable; urgency=high
* Fixes access rights: any user on the server could use xe to control xapi.
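Review bot: the wording "only allow root" in the 1.3.2-11 entry does not match what the accompanying patch enforces, which is `user ingroup root`, i.e. any member of group root, plus a commented-out opt-in for group xapi; suggest stating that, e.g. "Fix PAM configuration so that only members of group root (optionally group xapi) can authenticate to xapi", and documenting the xapi-group switch in README.Debian or NEWS, since enabling it is a hand edit to a conffile. "remote commands" also reads oddly beside the -10 entry about "any user on the server": the PAM stack gates every xe login to xapi, local or remote.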
diff -Nru xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group
--- xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group 2012-07-31 16:20:00.000000000 +0100
+++ xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group 2012-08-22 15:40:56.000000000 +0100
@@ -1,10 +1,14 @@
--- a/scripts/pam.d-xapi
+++ b/scripts/pam.d-xapi
-@@ -1,4 +1,4 @@
+@@ -1,4 +1,8 @@
#%PAM-1.0
-auth include common-auth
-account include common-auth
-password include common-auth
++@include common-auth
+
-+auth sufficient pam_succeed_if.so user ingroup root
++# Uncomment this line to allow users of group xapi to authenticate
+#auth sufficient pam_succeed_if.so user ingroup xapi
++
++# Only allow group root to authenticate, unless above line uncommented
++auth required pam_succeed_if.so user ingroup root
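Review bot: the new pam.d-xapi carries an `auth` stack only; the original `account include common-auth` and `password include common-auth` lines are removed and nothing replaces them, so if xapi calls pam_acct_mgmt() (or pam_chauthtok()) after pam_authenticate() it will hit an empty stack, which Linux-PAM refuses. Either confirm that xapi only calls pam_authenticate(), or add `@include common-account` under `@include common-auth` (the upstream lines pointed account and password at common-auth, which was itself wrong). The ordering is the right one: `@include common-auth` verifies the password first, then `auth required pam_succeed_if.so user ingroup root` denies callers outside group root even with a valid password, and the `sufficient` xapi line, once uncommented, can short-circuit only after the password check has passed. Two caveats worth a comment in the file: `sufficient` skips everything after it on success, so any later `auth` line added below the root check would be bypassed for group xapi; and `ingroup root` tests group membership, not uid 0, so every account placed in group root gains control of xapi.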
--- End Message ---
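To make the effect of the three variants concrete (the upstream `auth include common-auth` that let any local user in, the 1.3.2-11 file as shipped, and the same file with the xapi-group line uncommented), here is an added example that is not part of the bug report or of the xen-api package: a toy evaluator for the Linux-PAM `auth` stack with the simple control flags `required`, `requisite` and `sufficient`, plus Debian's `@include`. The user table is constructed, `pam_unix.so` is stubbed against it, `pam_succeed_if.so` only understands `user ingroup <group>`, and `COMMON_AUTH` is a one-line stand-in for Debian's real common-auth (an assumption; the real file uses bracketed controls but ends with the same pass/fail outcome for a password check).

```python
"""Toy Linux-PAM 'auth' stack evaluator applied to the pam.d/xapi variants.

Constructed example: not xen-api or Debian code. Models the simple control
flags required/requisite/sufficient and the @include / include directives.
"""

# Constructed users: name -> (password, set of groups)
USERS = {
    "root": ("rootpw", {"root"}),
    "alice": ("alicepw", {"alice", "xapi"}),
    "bob": ("bobpw", {"bob"}),
}

# Simplified stand-in for /etc/pam.d/common-auth (assumption, not Debian's file)
COMMON_AUTH = "auth required pam_unix.so\n"

# Upstream scripts/pam.d-xapi before the Debian patch (auth line only)
ORIGINAL = "#%PAM-1.0\nauth include common-auth\n"

# The 1.3.2-11 file as shown in the debdiff, xapi line left commented out
FIXED = """#%PAM-1.0
@include common-auth

# Uncomment this line to allow users of group xapi to authenticate
#auth sufficient pam_succeed_if.so user ingroup xapi

# Only allow group root to authenticate, unless above line uncommented
auth required pam_succeed_if.so user ingroup root
"""

# Same file with the opt-in line uncommented
FIXED_WITH_XAPI_GROUP = FIXED.replace("#auth sufficient", "auth sufficient")

INCLUDES = {"common-auth": COMMON_AUTH}


def parse_auth_stack(text):
    """Return [(control, module, args)] for the 'auth' type, expanding includes."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments, including the #%PAM-1.0 magic and commented-out rules
        if line.startswith("@include"):
            stack.extend(parse_auth_stack(INCLUDES[line.split()[1]]))
            continue
        ptype, control, module, *args = line.split()
        if ptype != "auth":
            continue  # account/password/session stacks are out of scope here
        if control == "include":
            stack.extend(parse_auth_stack(INCLUDES[module]))
            continue
        stack.append((control, module, args))
    return stack


def run_module(module, args, user, password):
    """Stub the two modules the xapi stack uses."""
    if module == "pam_unix.so":
        return user in USERS and USERS[user][0] == password
    if module == "pam_succeed_if.so" and args[:2] == ["user", "ingroup"]:
        return user in USERS and args[2] in USERS[user][1]
    raise ValueError("unsupported module " + module)


def authenticate(config, user, password):
    """Evaluate the auth stack with Linux-PAM's simple control-flag rules."""
    stack = parse_auth_stack(config)
    if not stack:
        return False  # Linux-PAM refuses a service with no modules
    failed = False
    for control, module, args in stack:
        ok = run_module(module, args, user, password)
        if control == "requisite" and not ok:
            return False  # fail the stack immediately
        if control == "required" and not ok:
            failed = True  # remember the failure, keep running the stack
        if control == "sufficient" and ok and not failed:
            return True  # short-circuit success, later lines are skipped
    return not failed


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED),
                      ("fixed+xapi", FIXED_WITH_XAPI_GROUP)):
        for user, pw in (("root", "rootpw"), ("alice", "alicepw"), ("bob", "bobpw")):
            print(f"{name:11} {user:5} valid password -> {authenticate(cfg, user, pw)}")
```

Running it shows the bug and the fix side by side: under `ORIGINAL` every local user with a valid password authenticates, under `FIXED` only group root does, and uncommenting the xapi line admits group xapi while still requiring the password to pass first.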
--- Begin Message ---
On Thu, 2012-08-30 at 11:02 -0700, Steve Langasek wrote:
> On Thu, Aug 30, 2012 at 06:07:55PM +0800, Thomas Goirand wrote:
> > On 08/30/2012 03:20 AM, Adam D. Barratt wrote:
> > > On Thu, 2012-08-30 at 03:01 +0800, Thomas Goirand wrote:
> > >> Please unblock package xen-api.
>
> > >> The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to
> > >> the help of Steve Langasek, we have it in a good shape now.
>
> > >> The details of the conversation are available in the Ubuntu BTS here:
> > >> https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899
[...]
> > Indeed, this is a permission problem in this page, it's marked as
> > "Private Security". I'm not sure how the Ubuntu stuff works though.
[...]
> I've talked to the Ubuntu security team and they've unembargoed the bug;
> there's no reason to keep it private when there's public conversation
> pointing at the fact that it's a security issue. So that link works now.
Thanks. Unblocked.
Regards,
Adam
--- End Message ---