This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] Best way to use Xen to segment & protect

On Feb 17, 2009, at 1:41 PM, Nick Anderson <nick@xxxxxxxxxxxx> wrote:

On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
Thanks for the info Nick... Regarding the root escalation mentioned
above -- have there been issues with this in the past?
Yes I believe so

Thx... Interesting to read...

Also, I guess it would help to have the domU that Apache is using to
have tools such as Tripwire and other related tools to keep thing from
getting too far...
Inside a domU you would want any protections you would have on any
other server.

Sounds reasonable...

If you're in a domU, can you tell that it's a virtual server?  If not
then perhap it's less likely to break out and escalate to dom0...?
Yes if its a paravirtualized machine.
Ahh... Those are the special CPU's with the special extension... Don't have one of them yet...

Is it possible to have a domU mount a different filesystem than dom0?
Sorry for the numerous questions...
Not quite sure what you mean here.

I'm wondering if the dom0 could effectively only load the bare minimum in terms of filesystems that it needs to run the other domU's -- particularly if all critical services are being done in domU spaces (mail, pgsql, webapps,etc). That way each domU could mount the specific filesystems they need to work... This would perhaps allow me to have a special domU for my private data that perhap mounts an encrypted filesystem that the others don't mount.. Obviously if that special f/s is mounted in dom0 then it doesn't really help if a security breach occurs -- perhaps...

Sorry ... Just thinking outloud...

-- Rick

Xen-users mailing list