WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Best way to use Xen to segment & protect

To: Nick Anderson <nick@xxxxxxxxxxxx>
Subject: Re: [Xen-users] Best way to use Xen to segment & protect
From: weiming <zephyr.zhao@xxxxxxxxx>
Date: Tue, 17 Feb 2009 16:56:58 -0500
Cc: "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>, Rick Flower <rickf@xxxxxxxxxxxxx>
Delivery-date: Tue, 17 Feb 2009 13:58:14 -0800
In-reply-to: <20090217214112.GK18265@tp>
References: <481F5E65-E562-413F-8D2C-5B1F698D6E66@xxxxxxxxxxxxx> <20090217205551.GI18265@tp> <25D58C48-CD53-4731-B75A-736D4B0E4D40@xxxxxxxxxxxxx> <20090217214112.GK18265@tp>
Hi Nick,

In which situation can domU root escalation result in escalation to dom0?
If domU has no virtual NIC configured, will the threat still exist?

weiming


On Tue, Feb 17, 2009 at 4:41 PM, Nick Anderson <nick@xxxxxxxxxxxx> wrote:
On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
> Thanks for the info Nick... Regarding the root escalation mentioned
> above -- have there been issues with this in the past?

Yes, I believe so.
http://secunia.com/advisories/26986/

> Also, I guess it would help to have the domU that Apache is using to
> have tools such as Tripwire and other related tools to keep things from
> getting too far...

Inside a domU you would want any protections you would have on any
other server.

> If you're in a domU, can you tell that it's a virtual server?  If not
> then perhaps it's less likely to break out and escalate to dom0...?

Yes, if it's a paravirtualized machine.

> Is it possible to have a domU mount a different filesystem than dom0?
> Sorry for the numerous questions...

Not quite sure what you mean here.


--
Nick Anderson <nick@xxxxxxxxxxxx>
http://www.cmdln.org



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
