Your message dated Sun, 05 Aug 2012 21:23:13 +0100
with message-id <1344198193.21252.34.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#683472: unblock: xen-api/1.3.2-10
has caused the Debian Bug report #683472,
regarding unblock: xen-api/1.3.2-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
683472: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package xen-api
The current version in Wheezy suffers from a wrong default PAM setting,
giving access to XAPI to any account on the server, as per:
http://lists.xen.org/archives/html/xen-api/2012-07/msg00059.html
Relevant diff:
http://anonscm.debian.org/gitweb/?p=pkg-xen/xen-api.git;a=commitdiff;h=c75c43b2fd6ab55113023e6f9b6510f5cdd3573e
So, please unblock xen-api/1.3.2-10 ASAP.
Cheers,
Thomas
--- End Message ---
--- Begin Message ---
On Sun, 2012-08-05 at 11:21 +0800, Thomas Goirand wrote:
> On 08/04/2012 11:52 PM, Adam D. Barratt wrote:
> > The changelog and actual changes appear to disagree:
> >
> > + - Adds a xapi group.
> > + - Configure PAM to only grant access to root and xapi groups.
> >
> > versus
> >
> > ++auth sufficient pam_succeed_if.so user ingroup root
> > ++#auth sufficient pam_succeed_if.so user ingroup xapi
[...]
> It has been decided at the last moment, together with upstream (eg: Mike
> from Citrix) that we would add the xapi group, but only provide the pam
> configuration with disabled access to XAPI for the members of this
> group, for security purposes, and to force the admins to understand how
> it worked.
Then the changelog shouldn't suggest that installing the new version
allows members of the new group to gain the access without any further
action.
> To provide access to a user to XAPI, an administrator would have to add
> such user into the XAPI group, then uncomment the above line.
>
> So, even though it could have been mentioned in the changelog, I think
> it is fine the way it is right now. If you feel we should, I don't mind
> mentioning it in the README.Debian.
Well, the point of the changelog is rather to document the changes, not
something that's kinda sorta close to the changes. I've unblocked the
package, but the existence of the group and its use should really be
documented. Indeed, given that this is a behavioural change from the
previous version of the package, a NEWS.Debian mention would quite
possibly be appropriate.
Regards,
Adam
--- End Message ---
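As an added illustration of the PAM lines quoted in the exchange above (not code from the xen-api package or from either poster): a toy evaluator of PAM auth control flags run over constructed stacks, showing why the shipped configuration admits only the root group and how uncommenting the xapi line changes that. The pam_unix.so and pam_deny.so lines, their order, and the accounts are assumptions of this example.

```python
# Toy evaluator for the 'auth' section of a PAM service file (added example).
# Simplified control-flag semantics: required, requisite, sufficient.

# Constructed accounts: name -> (password accepted?, supplementary groups).
USERS = {
    "root":  (True,  {"root"}),
    "alice": (True,  {"xapi", "users"}),
    "bob":   (True,  {"users"}),
    "eve":   (False, {"root"}),   # right group, wrong password
}

def module_result(module, args, user):
    """Return the pass/fail result of one PAM module for `user`."""
    password_ok, groups = USERS[user]
    if module == "pam_unix.so":
        return password_ok
    if module == "pam_succeed_if.so" and args[:2] == ["user", "ingroup"]:
        return args[2] in groups
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unsupported module: {module} {args}")

def pam_auth(stack, user):
    """Walk the auth lines of `stack` and return whether `user` authenticates."""
    failed = False
    for raw in stack.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' comments and blank lines are skipped
        if not line:
            continue
        mtype, control, module, *args = line.split()
        if mtype != "auth":
            continue
        ok = module_result(module, args, user)
        if control == "sufficient" and ok and not failed:
            return True                           # success short-circuits the stack
        if control == "requisite" and not ok:
            return False                          # failure short-circuits the stack
        if control == "required" and not ok:
            failed = True                         # remember the failure, keep walking
    return not failed

# Constructed: a stack that lets any account with a valid password in.
PERMISSIVE = "auth required pam_unix.so\n"

# The two pam_succeed_if lines are quoted in the thread; the pam_unix and
# pam_deny lines and their order are this example's assumption.
RESTRICTED = """\
auth required   pam_unix.so
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
auth required   pam_deny.so
"""
# The administrator step described in the thread: uncomment the xapi line.
XAPI_ENABLED = RESTRICTED.replace("#auth", "auth")
```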