This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections

To: Kurt Garloff <garloff@xxxxxxx>
Subject: Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Wed, 23 Mar 2005 09:41:24 -0600
Cc: Xen development list <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 23 Mar 2005 15:55:24 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20050323123639.GM12479@xxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Organization: IBM
References: <20050323123639.GM12479@xxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)
So, here's my concerns:

1) ports < 1024 are reserved although 732 is currently unassigned
2) unix domain sockets would solve the same problem
3) this approach is not flexible for finer grain control
4) you still have to find a way to deal with the consoles
5) you still have to deal with xfrd

With all that said, I'd like to see this applied as it's better than leaving everything out in the open.

Anthony Liguori

Kurt Garloff wrote:


As discussed previously, I went ahead and introduced a setting that
allows you to restrict the stuff you can do when controlling xen by
connecting to the port 8000 unless you connect from a privileged

I did not yet bother to look at the event port nor did I try to address
the consoles. The consoles will be done in a second patch if this approach is deemed appropriate.
Note that I also still allow unprivileged connections to gather
most of the information. This can be debated, but I'm not such a big fan
of security by obscurity.

I hope I did not miss anything important for the control stuff.

The patch also fixes one typo (missing ") in SrvNode.py.
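The two schemes the thread compares, as an added example that is not part of the original messages or of xend: a privileged-source-port check on a loopback TCP peer (Kurt's approach, which can only yield a yes/no answer) beside a Unix-domain-socket check that reads the peer's UID from the kernel via SO_PEERCRED (Anthony's point 2, which also addresses his point 3 about finer-grained control). The operation names, the `control`/`readonly` split and the role map are assumptions made for illustration; port 8000 and the sample source port 732 are taken from the thread.

```python
"""Privileged-source-port check vs. Unix-domain peer credentials.

Added example; not xend code. Operation names and trust classes are
assumptions used to illustrate the two schemes discussed in the thread.
"""
import os
import socket
import struct

LISTEN_PORT = 8000          # the xend control port mentioned in the thread
PRIVILEGED_PORT_MAX = 1023  # binding a source port in 1..1023 needs root (CAP_NET_BIND_SERVICE on Linux)
LOOPBACK_HOSTS = ("127.0.0.1", "::1")

# Hypothetical operation names: mutating ops need the 'control' class.
CONTROL_OPS = {"create", "destroy", "shutdown", "migrate"}
READONLY_OPS = {"list", "info"}


def is_privileged_port(port):
    """A TCP source port below 1024 could only have been bound by root."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def classify_tcp_peer(peer_addr):
    """Trust class for a TCP peer, given the (host, port[, ...]) tuple from accept().

    The check is only meaningful on loopback: a remote root can pick any source
    port, so a privileged port on a non-loopback address proves nothing about
    who is on *this* machine.
    """
    host, port = peer_addr[0], peer_addr[1]
    if host not in LOOPBACK_HOSTS:
        return "readonly"
    return "control" if is_privileged_port(port) else "readonly"


def authorize(op, trust_class):
    """Binary policy: only 'control' peers may run mutating operations."""
    if op in READONLY_OPS:
        return True
    if op in CONTROL_OPS:
        return trust_class == "control"
    return False  # unknown op: deny by default


def peer_uid(conn):
    """Linux-only: UID of the peer of a connected AF_UNIX socket via SO_PEERCRED.

    Returns None where the option is unavailable (non-Linux platforms).
    struct ucred is three 32-bit ints: pid, uid, gid.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def classify_unix_peer(conn, role_by_uid):
    """Finer-grained policy: map the kernel-reported peer UID to a role.

    role_by_uid is e.g. {0: 'control', 1001: 'readonly'}; unknown UIDs are denied.
    Returns None where SO_PEERCRED is unavailable.
    """
    uid = peer_uid(conn)
    if uid is None:
        return None
    return role_by_uid.get(uid, "denied")


def socketpair_demo():
    """Connect to ourselves over AF_UNIX and check the kernel reports our own UID.

    Returns True on success, None where SO_PEERCRED is unavailable.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_uid(b) == os.getuid()
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    # Constructed sample peers: root on loopback, unprivileged user on loopback,
    # and a remote host that happens to use a low source port.
    for addr in [("127.0.0.1", 732), ("127.0.0.1", 40123), ("192.0.2.10", 732)]:
        cls = classify_tcp_peer(addr)
        print(addr, "->", cls, "destroy allowed:", authorize("destroy", cls))
    print("SO_PEERCRED reports own uid:", socketpair_demo())
```

The port-based check answers only "root or not", so every operation must be sorted into two buckets; the UID-based variant lets the same server hand out distinct roles per account, and the filesystem mode of the socket path can additionally keep unwanted users from connecting at all. Neither check covers the console ports or xfrd, which the thread leaves for later.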

