Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,

Please unblock package xen-api.

The PAM fix which we did for version 1.3.2-10 wasn't correct, and thanks to the help of Steve Langasek, we have it in good shape now. The details of the conversation are available in the Ubuntu BTS here:

https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1033899

This version of the package includes the /etc/pam.d modifications that have been suggested by Steve, and which are shown in the attached debdiff.

Please unblock xen-api/1.3.2-11

Cheers,

Thomas Goirand (zigo)
diff -Nru xen-api-1.3.2/debian/changelog xen-api-1.3.2/debian/changelog --- xen-api-1.3.2/debian/changelog 2012-07-31 16:20:00.000000000 +0100 +++ xen-api-1.3.2/debian/changelog 2012-08-22 15:40:56.000000000 +0100 @@ -1,3 +1,9 @@ +xen-api (1.3.2-11) unstable; urgency=high + + * Fix PAM settings to only allow root to issue remote commands (LP: #1033899) + + -- Mike McClurg <mike.mccl...@citrix.com> Wed, 22 Aug 2012 15:36:31 +0100 + xen-api (1.3.2-10) unstable; urgency=high * Fixes access rights: any user on the server could use xe to control xapi. diff -Nru xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group --- xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group 2012-07-31 16:20:00.000000000 +0100 +++ xen-api-1.3.2/debian/patches/pam-auth-root-xapi-group 2012-08-22 15:40:56.000000000 +0100 @@ -1,10 +1,14 @@ --- a/scripts/pam.d-xapi +++ b/scripts/pam.d-xapi -@@ -1,4 +1,4 @@ +@@ -1,4 +1,8 @@ #%PAM-1.0 -auth include common-auth -account include common-auth -password include common-auth ++@include common-auth + -+auth sufficient pam_succeed_if.so user ingroup root ++# Uncomment this line to allow users of group xapi to authenticate +#auth sufficient pam_succeed_if.so user ingroup xapi ++ ++# Only allow group root to authenticate, unless above line uncommented ++auth required pam_succeed_if.so user ingroup root
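Review bot: the new 1.3.2-11 entry in debian/changelog says the fix is to "only allow root to issue remote commands", but the rule added in debian/patches/pam-auth-root-xapi-group is `auth required pam_succeed_if.so user ingroup root`, which admits any member of group root, not only the root user. Suggest wording the entry as "members of group root", and also recording that the stack now runs `@include common-auth` ahead of the group check, since that line is what the -10 version of the patch lacked.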
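Review bot: in the rewritten scripts/pam.d-xapi hunk inside debian/patches/pam-auth-root-xapi-group, the three removed lines covered the `auth`, `account` and `password` types, while the added lines define only `auth` (`@include common-auth` plus the two pam_succeed_if.so rules), so the service file no longer states anything for `account` or `password`. If xapi performs PAM account management, add an explicit `@include common-account` so that behaviour is defined in this file. The result also depends on line order: the optional `sufficient` xapi rule only behaves as its comment describes while it stays after `@include common-auth` and before the `required` root rule, so the comment above it should say that the line must be uncommented in place and not moved.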