Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 161200 - Any local user can create/destroy/... domains and attach to their consoles
Summary: Any local user can create/destroy/... domains and attach to their consoles
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: xen
Version: 4
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Rik van Riel
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-21 10:49 UTC by Nils Toedtmann
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-24 20:42:08 UTC


Attachments (Terms of Use)

Description Nils Toedtmann 2005-06-21 10:49:38 UTC
Description of problem:
  Any user can use "/usr/sbin/xm [list|create|console|shutdown|destroy|...]"
  without additional authentication, even with selinux activated.

  You can even clone a domain config into /tmp, append 

    extra +=" init=/bin/bash"

  and gain rootaccess to that domain by shutting it down and booting it with the
  evil clone config.


Version-Release number of selected component (if applicable):
  xen-2-20050522
  kernel-xen0-2.6.11-1.1369_FC4
  kernel-xenU-2.6.11-1.1369_FC4


How reproducible:
  Always


Steps to Reproduce:
  Login as local user (uid!=0) and manage doamins with "/usr/sbin/xm".


Actual results:
  You can do whatever you want.


Expected results:
  Only root (or a configurable special user/group) can manage domains.


Additional info:
  This is a known issue. I do not know if it is already fixed completely
  upstream, but as xen moved from tcp sockets to unix sockets for xm/xend
  communication, it should be easy to fix.

  At least with the aid of selinux.

Comment 1 Michael Paesold 2005-06-22 07:01:38 UTC
I am not sure if this is still relevant with the unix sockets model, but SuSE 
did something about this security issue, read chapter "Security" here:
http://www.suse.de/~garloff/linux/xen/README.SuSE

Quote:
"We changed the xend to observe the xend-privileged-port setting (in
xend-config.sxp). If it's set to 1, xend will only accept configuration
commands from ports below 1024. Together with only binding to localhost,
this should provide a minimum of security against local users to change
virtual machines."

Comment 2 Rik van Riel 2005-06-22 11:46:26 UTC
I agree that this should be improved, but IMHO it should be improved in the
upstream Xen code base and not forked in a distribution package.

I think Xen fixed the issue upstream, so I will upgrade the package in rawhide soon.

Comment 3 Stephen Tweedie 2006-02-24 20:42:08 UTC
This should be fixed in current Xen 3, and I can't reproduce on FC5test releases.


Note You need to log in before you can comment on or make changes to this bug.