
To: xen-api <xen-api@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-API] [PATCH] CA-34203: only root can call slave-local-login-with-password
From: Marcus Granado <marcus.granado@xxxxxxxxxx>
Date: Fri, 6 Nov 2009 16:48:07 +0000
Delivery-date: Fri, 06 Nov 2009 08:48:40 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
2 files changed, 7 insertions(+), 1 deletion(-)
ocaml/idl/datamodel.ml     |    2 +-
ocaml/xapi/xapi_session.ml |    6 ++++++


# HG changeset patch
# User Marcus Granado <marcus.granado@xxxxxxxxxx>
# Date 1257526015 0
# Node ID 0a45055b867ad44d3e3f7c26e29ffe9dc1ee3c9f
# Parent  719d8f6c6d8cfe94cf612ddf26cc11af24fd99d5
CA-34203: only root can call slave-local-login-with-password

Signed-off-by: Marcus Granado <marcus.granado@xxxxxxxxxxxxx>

diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/idl/datamodel.ml
--- a/ocaml/idl/datamodel.ml    Fri Nov 06 16:12:03 2009 +0000
+++ b/ocaml/idl/datamodel.ml    Fri Nov 06 16:46:55 2009 +0000
@@ -960,7 +960,7 @@
          ]
   ~in_oss_since:None
   ~secret:true
-  ~allowed_roles:_R_POOL_ADMIN (*only root can do an emergency slave login*)
+  ~allowed_roles:_R_LOCAL_ROOT_ONLY (*only root can do an emergency slave 
login*)
   ()
 
 let local_logout = call ~flags:[`Session]
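Review bot: The comment carried over onto the `+` line still says only `only root can do an emergency slave login` and does not tell the reader that `_R_LOCAL_ROOT_ONLY` is the RBAC half of CA-34203 while xapi_session.ml carries the explicit username check; I would change it to `(* CA-34203: RBAC restricts this call to the local root account; xapi_session.ml re-checks uname *)` so the two layers of the fix reference each other. As shown here the added line is wrapped after `emergency slave ` with `login*)` on the following line, which the `@@ -960,7 +960,7 @@` counts do not account for; if that wrap is present in the mailed patch rather than being a rendering artifact, the hunk will not apply cleanly. The enclosing `call` expression begins above the hunk.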
diff -r 719d8f6c6d8c -r 0a45055b867a ocaml/xapi/xapi_session.ml
--- a/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:12:03 2009 +0000
+++ b/ocaml/xapi/xapi_session.ml        Fri Nov 06 16:46:55 2009 +0000
@@ -323,6 +323,12 @@
 let slave_local_login_with_password ~__context ~uname ~pwd = 
wipe_params_after_fn [pwd] (fun () ->
   if not (Context.preauth ~__context)
   then
+    if uname <> local_superuser
+    then (* CA-34203: never authenticate external users as local_login *)
+      raise (Api_errors.Server_error
+        (Api_errors.rbac_permission_denied,
+        [local_superuser; "No permission in local login"]))
+    else
     (try
        (* CP696 - only tries to authenticate against LOCAL superuser account *)
        do_local_auth uname pwd;
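Review bot: The new `raise` is a fresh exit path out of the `wipe_params_after_fn [pwd] (fun () -> ...)` closure that is taken before `do_local_auth` runs, so the password is only scrubbed on that path if the wrapper wipes on exceptions as well as on normal return; its definition is not in the hunk, so this should be confirmed rather than assumed. The guard is also nested under `if not (Context.preauth ~__context)`, so a preauthenticated context bypasses the username check entirely and the fix relies on such contexts only ever being created for the local root; a comment should record that dependency, e.g. `(* preauth contexts skip the uname check: they must only be created for local root *)`. slave_local_login_with_password continues past the end of the hunk.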
