This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections

To: Anthony Liguori <aliguori@xxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections
From: Kurt Garloff <garloff@xxxxxxx>
Date: Wed, 23 Mar 2005 18:23:54 +0100
Cc: Xen development list <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 23 Mar 2005 17:37:54 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4241A16B.5080504@xxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Organization: SUSE/Novell
References: <20050323123639.GM12479@xxxxxxxxxxxxxxxxx> <42418E24.5070906@xxxxxxxxxx> <20050323165739.GR12479@xxxxxxxxxxxxxxxxx> <4241A16B.5080504@xxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.6i

On Wed, Mar 23, 2005 at 11:03:39AM -0600, Anthony Liguori wrote:
> >Note that NFS uses such ports without asking prior permission.
> >I chose 732 because it's unassigned indeed.
> >
> I know.  That's one of the reasons using this port worries me.  There 
> may be nfs related conflicts.

The NFS client just chooses a free privileged source port as does xm.
Yes, the number of NFS mounts is limited ...
And now xen competes with NFS, but neither should really tip over.

> >Before I start working on getting the consoles under control, I 
> >wanted to see whether this approach is acceptable at all.
> > 
> >
> How would you extend this to consoles?  Each console can't have its own 
> privileged port :-)

Oh, that's what I was planning to do. The privileged ports are less
scarce than the 4GB of memory that Xen-2 supports ...
We'll hardly get running more than 64 virtual machines, I'd guess.

> >>5) you still have to deal with xfrd
> >
> >It seems to listen on *:8002 ... 
> >Is there no authentication either? Sigh.
> >
> Nope.  I think there are a few options.  We could use hosts.allow or 
> something similar, we could restrict it to subnets, or we could try and 
> implement some sort of authentication mechanism.
> Perhaps shutting it off by default and making it clear that it is 
> insecure is enough.

We need to document it at least. Maybe another setting in
xend-config.sxp ...

> >And we probably need to look into the event channel (8001) as well.
> >
> Yeah.

Any insight what we could do there?

> >But for Xen-2, let's try to find a pragmatic way that enables desktop
> >users to install and test xen without raising too many security 
> >concerns.
> >
> I full-heartedly agree.  I'll gladly help out on this effort.


Kurt Garloff, Director SUSE Labs, Novell Inc.
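
An added sketch (not code from the patch or from anyone in this thread) of the mechanism discussed above: a client picks a free privileged source port, and a server treats a loopback peer with a source port below 1024 as root. The function names, the 512-1023 scan range and the server-side check are assumptions made for illustration.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"

def bind_reserved_port(sock, host=LOOPBACK, low=512, high=1023):
    """Bind sock to the first free port in [low, high], scanning downward.

    The 512-1023 default is an assumption for this sketch. Busy ports are
    skipped; any other error (EACCES when the caller is not root) is raised
    at once, since no other port in the range would succeed either.
    """
    for port in range(high, low - 1, -1):
        try:
            sock.bind((host, port))
            return port
        except OSError as exc:
            if exc.errno != errno.EADDRINUSE:
                raise
    raise OSError(errno.EADDRINUSE, "no free port in %d-%d" % (low, high))

def peer_is_local_root(peer, limit=1024):
    """Server-side check (assumed): loopback peer with source port < limit.

    Only the local kernel's bind restriction backs this up, so a low source
    port from a remote address proves nothing about the remote user.
    """
    host, port = peer[0], peer[1]
    return host == LOOPBACK and 0 < port < limit

def demo(low=40000, high=40050):
    """Constructed run on an unprivileged range so it works without root."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((LOOPBACK, 0))
        srv.listen(1)
        src = bind_reserved_port(cli, low=low, high=high)
        cli.connect(srv.getsockname())
        conn, peer = srv.accept()
        conn.close()
        return src, peer_is_local_root(peer)  # verdict is False: port >= 1024
    finally:
        cli.close()
        srv.close()

if __name__ == "__main__":
    print(demo())
```

Each connection holds one port from the range for its lifetime, which is the contention with NFS client mounts raised in the thread.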
