Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Any local user can create/destroy/... domains and attach to their consoles|
|Product:||[Fedora] Fedora||Reporter:||Nils Toedtmann <bugzilla.redhat.com>|
|Component:||xen||Assignee:||Rik van Riel <riel>|
|Status:||CLOSED RAWHIDE||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2006-02-24 15:42:08 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Nils Toedtmann 2005-06-21 06:49:38 EDT
Description of problem: Any user can use "/usr/sbin/xm [list|create|console|shutdown|destroy|...]" without additional authentication, even with selinux activated. You can even clone a domain config into /tmp, append extra +=" init=/bin/bash" and gain rootaccess to that domain by shutting it down and booting it with the evil clone config. Version-Release number of selected component (if applicable): xen-2-20050522 kernel-xen0-2.6.11-1.1369_FC4 kernel-xenU-2.6.11-1.1369_FC4 How reproducible: Always Steps to Reproduce: Login as local user (uid!=0) and manage doamins with "/usr/sbin/xm". Actual results: You can do whatever you want. Expected results: Only root (or a configurable special user/group) can manage domains. Additional info: This is a known issue. I do not know if it is already fixed completely upstream, but as xen moved from tcp sockets to unix sockets for xm/xend communication, it should be easy to fix. At least with the aid of selinux.
Comment 1 Michael Paesold 2005-06-22 03:01:38 EDT
I am not sure if this is still relevant with the unix sockets model, but SuSE did something about this security issue, read chapter "Security" here: http://www.suse.de/~garloff/linux/xen/README.SuSE Quote: "We changed the xend to observe the xend-privileged-port setting (in xend-config.sxp). If it's set to 1, xend will only accept configuration commands from ports below 1024. Together with only binding to localhost, this should provide a minimum of security against local users to change virtual machines."
Comment 2 Rik van Riel 2005-06-22 07:46:26 EDT
I agree that this should be improved, but IMHO it should be improved in the upstream Xen code base and not forked in a distribution package. I think Xen fixed the issue upstream, so I will upgrade the package in rawhide soon.
Comment 3 Stephen Tweedie 2006-02-24 15:42:08 EST
This should be fixed in current Xen 3, and I can't reproduce on FC5test releases.