Bug 161200 - Any local user can create/destroy/... domains and attach to their consoles
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xen
Version: 4
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Rik van Riel
Reported: 2005-06-21 06:49 EDT by Nils Toedtmann
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-02-24 15:42:08 EST

Description Nils Toedtmann 2005-06-21 06:49:38 EDT
Description of problem:
  Any user can use "/usr/sbin/xm [list|create|console|shutdown|destroy|...]"
  without additional authentication, even with SELinux activated.

  You can even clone a domain config into /tmp, append 

    extra +=" init=/bin/bash"

  and gain root access to that domain by shutting it down and booting it with the
  evil clone config.


Version-Release number of selected component (if applicable):
  xen-2-20050522
  kernel-xen0-2.6.11-1.1369_FC4
  kernel-xenU-2.6.11-1.1369_FC4


How reproducible:
  Always


Steps to Reproduce:
  Log in as a local user (uid != 0) and manage domains with "/usr/sbin/xm".


Actual results:
  You can do whatever you want.


Expected results:
  Only root (or a configurable special user/group) can manage domains.


Additional info:
  This is a known issue. I do not know if it is already fixed completely
  upstream, but as xen moved from TCP sockets to Unix sockets for xm/xend
  communication, it should be easy to fix.

  At least with the aid of SELinux.
Comment 1 Michael Paesold 2005-06-22 03:01:38 EDT
I am not sure if this is still relevant with the Unix sockets model, but SuSE
did something about this security issue; read the chapter "Security" here:
http://www.suse.de/~garloff/linux/xen/README.SuSE

Quote:
"We changed the xend to observe the xend-privileged-port setting (in
xend-config.sxp). If it's set to 1, xend will only accept configuration
commands from ports below 1024. Together with only binding to localhost,
this should provide a minimum of security against local users to change
virtual machines."
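The two mitigation models discussed above (the SuSE "xend-privileged-port" rule for TCP, and the reporter's point that a Unix socket makes the check easy) can be shown side by side. The following is an added example written for this page, not code from xen, Fedora or SuSE: the TCP check accepts only loopback peers whose source port is below 1024 (a port only root can bind), while the Unix-socket server reads the kernel-supplied peer uid/gid via Linux SO_PEERCRED and refuses anyone not on an allow list. The allow lists, the socket path and the ALLOW/DENY wire format are assumptions of the example.

```python
"""Peer authorization models for a management daemon such as xend.

Added example (not xen/Fedora/SuSE code). Contrasts the SuSE
xend-privileged-port rule for TCP with the Unix-socket model, where the
kernel tells the server who the client is (SO_PEERCRED, Linux-specific).
"""
import os
import socket
import struct
import tempfile
import threading

PRIVILEGED_PORT_MAX = 1024      # xend-privileged-port: source port must be < 1024
ALLOWED_UIDS = {0}              # assumption: only root may manage domains
ALLOWED_GIDS = set()            # assumption: no admin group configured


def tcp_peer_allowed(addr, port, privileged_port=True):
    """SuSE-style check on a TCP peer (addr, port) as the server sees it.

    Any local user can open a loopback connection, so binding to localhost
    alone does nothing against local users; the source-port test is what
    keeps non-root clients out, because only root can bind a port < 1024.
    """
    if addr != "127.0.0.1":
        return False
    if privileged_port and not (0 < port < PRIVILEGED_PORT_MAX):
        return False
    return True


def unix_peer_allowed(uid, gid, allowed_uids=ALLOWED_UIDS, allowed_gids=ALLOWED_GIDS):
    """Unix-socket model: authorize by kernel-verified peer credentials."""
    return uid in allowed_uids or gid in allowed_gids


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket.

    struct ucred on Linux is three C ints; the values cannot be forged by
    the client, unlike anything it sends in the payload.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def handle_client(conn):
    """Server side: look up the peer's creds, answer ALLOW/DENY, return its uid."""
    _pid, uid, gid = peer_credentials(conn)
    conn.sendall(b"ALLOW\n" if unix_peer_allowed(uid, gid) else b"DENY\n")
    conn.close()
    return uid


def demo_roundtrip():
    """Start a throwaway Unix-socket server, connect to it as ourselves and
    report what the server learned. Returns None where SO_PEERCRED is absent."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "xend.sock")   # assumed socket path
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    result = {}

    def server():
        conn, _ = srv.accept()
        result["peer_uid"] = handle_client(conn)

    t = threading.Thread(target=server)
    t.start()
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    result["verdict"] = cli.recv(16).decode().strip()
    cli.close()
    t.join()
    srv.close()
    os.unlink(path)
    os.rmdir(workdir)
    result["my_uid"] = os.getuid()
    result["expected"] = "ALLOW" if unix_peer_allowed(os.getuid(), os.getgid()) else "DENY"
    return result


if __name__ == "__main__":
    print("unprivileged loopback client:", tcp_peer_allowed("127.0.0.1", 40000))
    print("root-bound loopback client:  ", tcp_peer_allowed("127.0.0.1", 1023))
    print("unix-socket roundtrip:       ", demo_roundtrip())
```

Run as an ordinary user the roundtrip returns a DENY verdict with the server having seen that user's uid; run as root it returns ALLOW. The TCP variant depends on the privileged-port convention holding on the host, which is why the Unix-socket credential check is the more robust of the two.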
Comment 2 Rik van Riel 2005-06-22 07:46:26 EDT
I agree that this should be improved, but IMHO it should be improved in the
upstream Xen code base and not forked in a distribution package.

I think Xen fixed the issue upstream, so I will upgrade the package in rawhide soon.
Comment 3 Stephen Tweedie 2006-02-24 15:42:08 EST
This should be fixed in current Xen 3, and I can't reproduce on FC5test releases.
