The points highlighted don't represent security risks if the dom0 is
properly isolated on a secure management network.
Following that, the only attack vector then available is exploitation
of the hypervisor from untrusted guests. At which point UNIX
permissions aren't worth much.
However, the fact someone was to bring up the points signifies there
is a lack of communication as to how XCP and systems like it are meant
to be employed. Possibly some further documentation on XCP best
practices is in order?
On 10 May 2011 11:44, Eduardo Bragatto <eduardo@xxxxxxxxxxxx> wrote:
> On May 9, 2011, at 6:29 PM, Adrien Guillon wrote:
>> Security updates are common, and generally do not make major interface
>> changes by design. I have no desire to update anything aside from
>> receiving fixes for buffer overflows, or other exploits that are found
>> in the wild. The system in question should be in production for
>> several years, and security patches are inevitable during that period
>> of time.
> In Xen's case I will have to disagree. If you're trying to build an HA
> cluster, you need to make sure all your nodes have precisely the same dom0
> if you want things like live migration to work properly.
> Besides disrupting one single system, problems caused by updates could
> potentially harm the entire pool (how do you update all dom0 nodes to the
> same software version at the same time and make sure nothing will try to be
> "live migrated" from one node to another in the meanwhile?)
> The concern about buffer overflows is intrinsically related to security,
> which is the next topic...
>> It likely took some effort to eliminate /etc/shadow in the first
>> place, as this has been standard practice for a very long time. I
>> will not debate the merits of storing hashes in /etc/passwd or
>> /etc/shadow because that debate ended a very long time ago. Quite
>> simply this distro has a major security flaw.
> As others have pointed out, dom0 is not supposed to be accessed by anybody
> other than root. I would go further and say it's not supposed to be accessed
> over any public network, such as the Internet or the wifi network you'd find
> in a Starbucks.
> I believe the main idea is that you should isolate dom0 from the world in
> all possible ways, so no matter what security flaws it might have, they will
> never be exploited.
> Maybe they should make it explicit like: you should always run dom0 on a
> private network, controlled and secured by VPNs or any other methods.
> Best regads,
> Eduardo Bragatto
> Xen-users mailing list
Founder | Director
Orion Virtualisation Solutions | www.orionvm.com.au | Phone: 1300 56
99 52 | Mobile: 0428 754 846
Xen-users mailing list