Bug 161200

Summary: Any local user can create/destroy/... domains and attach to their consoles
Product: Fedora
Component: xen
Version: 4
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Nils Toedtmann <bugzilla.redhat.com>
Assignee: Rik van Riel <riel>
CC: mpaesold
Doc Type: Bug Fix
Last Closed: 2006-02-24 15:42:08 EST

Description Nils Toedtmann 2005-06-21 06:49:38 EDT
Description of problem:
  Any user can use "/usr/sbin/xm [list|create|console|shutdown|destroy|...]"
  without additional authentication, even with selinux activated.

  You can even clone a domain config into /tmp, append 

    extra +=" init=/bin/bash"

  and gain root access to that domain by shutting it down and booting it with the
  evil clone config.


Version-Release number of selected component (if applicable):
  xen-2-20050522
  kernel-xen0-2.6.11-1.1369_FC4
  kernel-xenU-2.6.11-1.1369_FC4


How reproducible:
  Always


Steps to Reproduce:
  Login as local user (uid!=0) and manage domains with "/usr/sbin/xm".


Actual results:
  You can do whatever you want.


Expected results:
  Only root (or a configurable special user/group) can manage domains.


Additional info:
  This is a known issue. I do not know if it is already fixed completely
  upstream, but as xen moved from tcp sockets to unix sockets for xm/xend
  communication, it should be easy to fix.

  At least with the aid of selinux.
Comment 1 Michael Paesold 2005-06-22 03:01:38 EDT
I am not sure if this is still relevant with the unix sockets model, but SuSE 
did something about this security issue, read chapter "Security" here:
http://www.suse.de/~garloff/linux/xen/README.SuSE

Quote:
"We changed the xend to observe the xend-privileged-port setting (in
xend-config.sxp). If it's set to 1, xend will only accept configuration
commands from ports below 1024. Together with only binding to localhost,
this should provide a minimum of security against local users to change
virtual machines."
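The description argues that the move to a Unix socket for xm/xend traffic makes the fix easy, and Comment 1 quotes SuSE's privileged-port workaround for the TCP case. As an added example (my own Python, not xend's or SuSE's code; the function names are mine and the "destroy dom1" command is a constructed stand-in), here are both checks side by side: the port-based test, with the loopback condition it silently depends on, and the credential-based test a Unix socket allows. The SO_PEERCRED call is Linux-specific.

```python
# Added example, not xend code: two ways a local management daemon (such as
# the one xm talks to) can decide whether the caller may issue domain
# commands. Function and variable names are my own.
import os
import socket
import struct

PRIVILEGED_PORT_LIMIT = 1024      # binding below this needs root / CAP_NET_BIND_SERVICE
LOOPBACK = ("127.0.0.1", "::1")


def peer_is_privileged_port(peer_addr):
    """SuSE-style check for a TCP listener: accept only connections that come
    from the loopback address *and* from a port below 1024.  On a normal Linux
    box only root can bind such a port, so the peer is (some) root process.
    The loopback test matters: a remote attacker may choose any source port."""
    host, port = peer_addr[0], peer_addr[1]
    return host in LOOPBACK and 0 < port < PRIVILEGED_PORT_LIMIT


def peer_credentials(conn):
    """Unix-socket equivalent: ask the kernel who is on the other end.
    Linux SO_PEERCRED returns struct ucred {pid_t pid; uid_t uid; gid_t gid;}."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def caller_allowed(uid, allowed_uids=frozenset({0})):
    """Policy: root by default, or a configurable set of management uids
    (the 'configurable special user/group' the report asks for)."""
    return uid in allowed_uids


def own_uid():
    """uid of this process, so callers can predict the demo's decision."""
    return os.getuid()


def demo_unix_socket_auth(allowed_uids=frozenset({0})):
    """Offline demonstration: a socketpair stands in for the xm<->daemon Unix
    socket.  The 'client' end sends a command, the 'daemon' end checks the
    peer's uid before acting on it.  Returns what the daemon decided."""
    daemon_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client_end.sendall(b"destroy dom1\n")          # constructed command, not a real xm request
        command = daemon_end.recv(64)
        pid, uid, gid = peer_credentials(daemon_end)
        allowed = caller_allowed(uid, allowed_uids)
        return {"command": command.decode().strip(), "pid": pid, "uid": uid, "allowed": allowed}
    finally:
        daemon_end.close()
        client_end.close()


if __name__ == "__main__":
    print(peer_is_privileged_port(("127.0.0.1", 632)))     # True: local root process
    print(peer_is_privileged_port(("127.0.0.1", 40123)))   # False: unprivileged local user
    print(peer_is_privileged_port(("10.0.0.5", 632)))      # False: not loopback, the port proves nothing
    print(demo_unix_socket_auth())                         # allowed only if this process runs as root
    print(demo_unix_socket_auth(allowed_uids=frozenset({own_uid()})))
```

The privileged-port check only establishes that some root-owned process opened the connection, and it is worthless unless the listener is reachable solely from loopback. Peer credentials on the Unix socket identify the calling uid directly (other Unixes expose the same thing via getpeereid or LOCAL_PEERCRED), which is what lets a policy like "root or a configurable group" actually be enforced; the simplest variant of the same idea is to create the socket file root-owned with mode 0600 so unprivileged users cannot connect at all.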
Comment 2 Rik van Riel 2005-06-22 07:46:26 EDT
I agree that this should be improved, but IMHO it should be improved in the
upstream Xen code base and not forked in a distribution package.

I think Xen fixed the issue upstream, so I will upgrade the package in rawhide soon.
Comment 3 Stephen Tweedie 2006-02-24 15:42:08 EST
This should be fixed in current Xen 3, and I can't reproduce on FC5test releases.