This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users

To: Rik van Riel <riel@xxxxxxxxxx>
Subject: Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users
From: Kurt Garloff <kurt@xxxxxxxxxx>
Date: Sun, 13 Mar 2005 18:09:32 +0100
Cc: Tommi Virtanen <tv@xxxxxxxxxxxxx>, Bastian Blank <waldi@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 13 Mar 2005 17:10:02 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.61.0503131058390.15306@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Organization: SUSE/Novell
References: <Pine.LNX.4.58.0503041118010.13626@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1109962904.2746.12.camel@localhost> <4228B4D3.8020909@xxxxxxxxxxxxx> <1109965655.3355.8.camel@localhost> <20050304195646.GA31213@xxxxxxxxxxxxxxxxxxxxxxx> <Pine.LNX.4.61.0503051651070.31720@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <422B1E47.9050502@xxxxxxxxxxxxx> <Pine.LNX.4.61.0503061613160.31720@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050313145512.GC29310@xxxxxxxxxxxxxxxxx> <Pine.LNX.4.61.0503131058390.15306@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.6i
Hi Rik,

On Sun, Mar 13, 2005 at 11:00:27AM -0500, Rik van Riel wrote:
> On Sun, 13 Mar 2005, Kurt Garloff wrote:
> > Why not just require the other end of the socket to be below 1024?
> > If you bind to localhost, that should be enough.
> Because the ability to open connections from ports < 1024
> is a capability, which can be retained by daemons after
> dropping the other root privileges.

But I don't see a problem with this.

Kurt Garloff                   <kurt@xxxxxxxxxx>             [Koeln, DE]
Physics:Plasma modeling <garloff@xxxxxxxxxxxxxxxxxxx> [TU Eindhoven, NL]
Linux: SUSE Labs (Director)    <garloff@xxxxxxx>            [Novell Inc]

Attachment: pgph14fio3nCf.pgp
Description: PGP signature

<Prev in Thread] Current Thread [Next in Thread>