WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users

from [Anthony Liguori] [Permanent Link][Original]
To: david.nospam.hopwood@xxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Sat, 19 Mar 2005 00:29:30 -0600
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Sat, 19 Mar 2005 06:35:26 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <423B8F76.9060602@xxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Organization: IBM
References: <422B1E47.9050502@xxxxxxxxxxxxx> <Pine.LNX.4.61.0503061613160.31720@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050313145512.GC29310@xxxxxxxxxxxxxxxxx> <4234B2F5.1070205@xxxxxxxxxxxxxxxx> <20050313215122.GC11358@xxxxxxxxxxxxxxxxx> <20050314145850.GB6037@xxxxxxxxxxxxxxxxxx> <20050314151652.GE11417@xxxxxxxxxxxxxxxxx> <20050314155421.GD6037@xxxxxxxxxxxxxxxxxx> <20050314161316.GM11417@xxxxxxxxxxxxxxxxx> <423927DB.3040305@xxxxxxxxxxxxx> <20050317150230.GW11685@xxxxxxxxxxxxxxxxx> <423A9D38.9080601@xxxxxxxxxxxxx> <423B8F76.9060602@xxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041206) 
David Hopwood wrote:


You can 1 and 3 just as easily with the Unix domain socket method.
Although you could also do 2, there's no need (2 is not a flexibility
advantage, it's just something you have to do to make the port<1024
method secure).
More importantly, using SCM_CREDENTIALS allows you to pass the actual user credentials overs the domain socket.
This is by far the best mechanism as it allows access control to be implemented entirely within the daemon without doing any nasty set[ug]id trickery. Its entire purpose in life is doing exactly what we're trying to do :-) 

Regards,
Anthony Liguori


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] extending blkif_request_t, Deepak Manohar
Next by Date:  Re: [Xen-devel] extending blkif_request_t, Xin Zhao
Previous by Thread:  Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users, David Hopwood
Next by Thread:  Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users, David Hopwood
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy