WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] User access to "xm console"

To: Andy Smith <andy@xxxxxxxxxxxxxx>
Subject: Re: [Xen-users] User access to "xm console"
From: Derrik Pates <demon@xxxxxxxxxxxxx>
Date: Mon, 02 Jan 2006 01:15:58 -0500
Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Andy Smith wrote:
> I would like to give users access to xm console to their domain.  I
> am using xen 2.0.7 and don't really want to upgrade this server to
> 3.0 just yet.
> 
> Has anyone done this?  Does anyone have any tips?  Are there any
> security issues with doing this?  Beyond the usual that it's going
> to require at least some access to dom0 which is potentially risky..

I've gone to the length of adding code to my custom domU provisioning
script to set up a plain user for each created domain, with the GECOS
field containing the full name of the domain to attach to. Each of them
is a member of a group (I call it 'vscons'). I assign these users a
shell of /usr/local/bin/xencons-sh, which contains the following:

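#!/bin/bash

# The GECOS field (5th passwd field) holds the name of this user's domain.
domain=$(getent passwd "$(id -u)" | cut -d ':' -f 5)
# Quote the name so it reaches xm as a single argument.
/usr/sbin/xm console "$domain"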

That way, the users in question can't do anything other than attach to
the console of their Xen instance, and disconnection means immediate logout.

Keep in mind that Xen 3 requires a different script, as the domU
consoles are done quite differently than they were in 2.0.x.

-- 
Derrik Pates
demon@xxxxxxxxxxxxx
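
The login-shell wrapper described in the message above, as an added example that is not part of the original post: a stricter variant that refuses arguments (sshd passes remote commands to the login shell as `-c <command>`), checks membership of the group, and validates the GECOS value before handing it to xm. The paths /usr/sbin/xm and /usr/local/bin/xencons-sh and the group name vscons come from the post; the function names, the accepted character set for domain names and the install-name guard are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of the xencons-sh login shell.
# Function names and the domain-name rules are illustrative assumptions.
LC_ALL=C; export LC_ALL
XM=/usr/sbin/xm
GROUP=vscons

# Print the GECOS field (5th field) of one passwd-format line.
gecos_of() {
    printf '%s\n' "$1" | cut -d ':' -f 5
}

# Accept only letters, digits, '.', '_' and '-', and no leading '-',
# so the value cannot be read by xm as an option or as extra arguments.
valid_domain() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        Domain-0) return 1 ;;   # the control domain's name in "xm list"
        *) return 0 ;;
    esac
}

# True if the space-separated group list $2 (as from "id -Gn") contains $1.
in_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Any argument means something other than a plain interactive login.
    [ "$#" -eq 0 ] || { echo "console access only" >&2; exit 1; }
    in_group "$GROUP" "$(id -Gn)" || { echo "not in $GROUP" >&2; exit 1; }
    domain=$(gecos_of "$(getent passwd "$(id -u)")")
    valid_domain "$domain" || { echo "bad domain name in GECOS" >&2; exit 1; }
    # exec replaces this shell, so leaving the console ends the session.
    exec "$XM" console "$domain"
}

# Act only when installed under the name used in the post.
case "${0##*/}" in
    xencons-sh) main "$@" ;;
esac
```
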
