WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] 3.0.5 and Xen API security

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] 3.0.5 and Xen API security
From: John Levon <levon@xxxxxxxxxxxxxxxxx>
Date: Fri, 20 Apr 2007 17:20:15 +0100
Delivery-date: Fri, 20 Apr 2007 09:14:57 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.9i
I talked with Ewan about this a little bit, but thinking some more it
seems like we really need to resolve this before 3.0.5.

Currently, if you're not using some other method, then to have full
control over xend a user needs only:

1) to be able to connect to a xen api listener
2) to be able to login to the machine

The latter is because xend is hijacking the 'login' service of PAM.
Ewan's already agreed we need to change this to use a separate service,
but I think this really needs fixing now.

I don't know anything about SSL, but I /presume/ that the code we have
for private key/certificates is sufficient for checking a client's
certificates and permissions (though Dan Berrange suggested to me this
might not be the case). Thus in this configuration, this will form
the authentication barrier.

However, I'm aware that setting this up isn't always wanted (indeed, I
don't have the slightest idea how to do that myself). You might want to
use HTTPS as merely a secure transport. Today, that's a big security
hole.

We need to change xend to use the 'xend' service, and deliver an
/etc/pam.d/xend file. Since there is no infrastructure yet for deciding
if a user can control xend, it seems like this should always refuse
authentication unless the certificate stuff has verified correctly. Or
at least we must actively disable connections except over the unix
socket or authenticated SSL.

I don't think it makes sense to ship anything other than the certificate
based solution until something is hashed out here.

On Solaris, I think we'd have a simple PAM module that checked the user
had the right RBAC profile.

regards
john

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>