This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users

To: Rik van Riel <riel@xxxxxxxxxx>
Subject: Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users
From: Kurt Garloff <kurt@xxxxxxxxxx>
Date: Sun, 13 Mar 2005 15:55:12 +0100
Cc: Tommi Virtanen <tv@xxxxxxxxxxxxx>, Bastian Blank <waldi@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 13 Mar 2005 14:55:59 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.61.0503061613160.31720@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Organization: SUSE/Novell
References: <Pine.LNX.4.58.0503041118010.13626@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1109962904.2746.12.camel@localhost> <4228B4D3.8020909@xxxxxxxxxxxxx> <1109965655.3355.8.camel@localhost> <20050304195646.GA31213@xxxxxxxxxxxxxxxxxxxxxxx> <Pine.LNX.4.61.0503051651070.31720@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <422B1E47.9050502@xxxxxxxxxxxxx> <Pine.LNX.4.61.0503061613160.31720@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.6i
Hi Rik,

On Sun, Mar 06, 2005 at 04:14:24PM -0500, Rik van Riel wrote:
> On Sun, 6 Mar 2005, Tommi Virtanen wrote:
> > That's not good design. I sincerely think access to any confidential
> > or security conscious part of xen should be limited, e.g. with a
> > unix domain socket located in a directory only readable by a certain
> > group.
> Good point, then we could use filesystem permissions
> and/or selinux policy to restrict who gets access to
> xend.

Why not just require the other end of the socket to be below 1024?
If you bind to localhost, that should be enough.

xm would then use a privileged socket if it can (i.e. if called as 

Using an selinux policy for this would be aiming cannons at sparrows
(German saying; in English that's "breaking a fly on the wheel").

> > Note that if there are harmless xm commands (xm list and so on), they
> > could be allowed for all users in dom0.
> This would require either access permission checks inside
> xend, or a separate socket for only unprivileged operations.

Then defer the client[1] port check to the command parser.

Kurt Garloff                   <kurt@xxxxxxxxxx>             [Koeln, DE]
Physics:Plasma modeling <garloff@xxxxxxxxxxxxxxxxxxx> [TU Eindhoven, NL]
Linux: SUSE Labs (Director)    <garloff@xxxxxxx>            [Novell Inc]

Attachment: pgpkycT2uRt1e.pgp
Description: PGP signature
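The scheme Kurt sketches above (bind to localhost, treat a peer source port below 1024 as proof that the caller is root, and defer that check to the command parser so harmless commands stay open to every dom0 user) fits in a few dozen lines. The following is an added example written for this archive page; it is not xend or xm code, and the split of commands into read-only and privileged sets is an assumption made for illustration.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"

# Assumed command split for illustration only; xend's real command set differs.
READ_ONLY = {"list", "info"}          # the "harmless" commands (xm list etc.)
PRIVILEGED = {"create", "destroy", "shutdown"}


def peer_is_privileged(peer_addr, local_addr):
    """Kurt's check: the peer must be on loopback AND use a source port < 1024.

    On Linux only root (CAP_NET_BIND_SERVICE) can bind a port below 1024, so
    the port number stands in for "the caller is root".  The loopback test on
    both ends is what makes this sound: a remote host can choose any source
    port it likes, so the heuristic means nothing for non-local connections.
    """
    peer_host, peer_port = peer_addr[0], peer_addr[1]
    return (peer_host == LOOPBACK and local_addr[0] == LOOPBACK
            and 0 < peer_port < 1024)


def authorize(command, peer_addr, local_addr):
    """The deferred check: decide per command, not per connection."""
    if command in READ_ONLY:
        return True                       # open to any local user
    if command in PRIVILEGED:
        return peer_is_privileged(peer_addr, local_addr)
    return False                          # unknown commands are refused


def serve_once(listener):
    """Accept one connection, read one command, answer OK or DENIED."""
    conn, peer = listener.accept()
    with conn:
        cmd = conn.recv(1024).decode().strip()
        ok = authorize(cmd, peer, conn.getsockname())
        conn.sendall(b"OK" if ok else b"DENIED")


def ask(server_addr, cmd):
    """Client side: an unprivileged process gets an ephemeral (>1023) port."""
    with socket.create_connection(server_addr) as c:
        c.sendall(cmd.encode())
        return c.recv(1024).decode()


def demo():
    # Listen on loopback only; a wildcard bind would defeat the port check.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))
    listener.listen(5)
    addr = listener.getsockname()
    results = {}
    for cmd in ("list", "create"):
        t = threading.Thread(target=serve_once, args=(listener,))
        t.start()
        results[cmd] = ask(addr, cmd)
        t.join()
    listener.close()
    return results


if __name__ == "__main__":
    # Run as a normal user this prints {'list': 'OK', 'create': 'DENIED'}:
    # the client's ephemeral source port is never below 1024.
    print(demo())
```

The same dispatch table works unchanged with Tommi's alternative of a Unix domain socket in a group-restricted directory; only `peer_is_privileged` changes, since there the kernel supplies the peer's uid/gid (SO_PEERCRED on Linux) instead of a port number, which is a stronger signal than the low-port heuristic.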
