This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] XCP: Insecure Distro ?

To: Joseph Glanville <joseph.glanville@xxxxxxxxxxxxxx>
Subject: Re: [Xen-users] XCP: Insecure Distro ?
From: Christopher J Petrolino <cpetrolino@xxxxxxxxx>
Date: Mon, 9 May 2011 22:32:30 -0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 09 May 2011 19:33:49 -0700
Joseph, you are exactly right: documentation is definitely in need of
work in the case of XCP. Fortunately for the community, the person who
is spearheading the effort is a really bright individual, and in the
long run the documentation will get there.

On Mon, May 9, 2011 at 10:24 PM, Joseph Glanville
<joseph.glanville@xxxxxxxxxxxxxx> wrote:
> Hi,
> The points highlighted don't represent security risks if the dom0 is
> properly isolated on a secure management network.
> Following that, the only attack vector then available is exploitation
> of the hypervisor from untrusted guests. At which point UNIX
> permissions aren't worth much.
> However, the fact someone was to bring up the points signifies there
> is a lack of communication as to how XCP and systems like it are meant
> to be employed. Possibly some further documentation on XCP best
> practices is in order?
> Joseph.
> On 10 May 2011 11:44, Eduardo Bragatto <eduardo@xxxxxxxxxxxx> wrote:
>> On May 9, 2011, at 6:29 PM, Adrien Guillon wrote:
>>> Security updates are common, and generally do not make major interface
>>> changes by design.  I have no desire to update anything aside from
>>> receiving fixes for buffer overflows, or other exploits that are found
>>> in the wild.  The system in question should be in production for
>>> several years, and security patches are inevitable during that period
>>> of time.
>> In Xen's case I will have to disagree. If you're trying to build an HA
>> cluster, you need to make sure all your nodes have precisely the same dom0
>> if you want things like live migration to work properly.
>> Besides disrupting one single system, problems caused by updates could
>> potentially harm the entire pool (how do you update all dom0 nodes to the
>> same software version at the same time and make sure nothing will try to be
>> "live migrated" from one node to another in the meanwhile?)
>> The concern about buffer overflows is intrinsically related to security,
>> which is the next topic...
>>> It likely took some effort to eliminate /etc/shadow in the first
>>> place, as this has been standard practice for a very long time.  I
>>> will not debate the merits of storing hashes in /etc/passwd or
>>> /etc/shadow because that debate ended a very long time ago.  Quite
>>> simply this distro has a major security flaw.
>> As others have pointed out, dom0 is not supposed to be accessed by anybody
>> other than root. I would go further and say it's not supposed to be accessed
>> over any public network, such as the Internet or the wifi network you'd find
>> in a Starbucks.
>> I believe the main idea is that you should isolate dom0 from the world in
>> all possible ways, so no matter what security flaws it might have, they will
>> never be exploited.
>> Maybe they should make it explicit like: you should always run dom0 on a
>> private network, controlled and secured by VPNs or any other methods.
>> Best regards,
>> Eduardo Bragatto
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@xxxxxxxxxxxxxxxxxxx
>> http://lists.xensource.com/xen-users
> --
> Kind regards,
> Joseph.
> Founder | Director
> Orion Virtualisation Solutions | www.orionvm.com.au | Phone: 1300 56
> 99 52 | Mobile: 0428 754 846

Xen-users mailing list
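
Added example, not part of the original thread and not XCP's own tooling: a check for the condition the thread argues about, password hashes kept in a passwd-format file instead of /etc/shadow, and whether that file is world-readable. The function names and the sample entries are constructed for illustration.

```python
import os
import stat

def classify_password_field(field):
    """Classify the second field of a passwd(5) entry."""
    if field == "x":
        return "shadowed"      # hash is kept in /etc/shadow
    if field == "":
        return "empty"         # account has no password at all
    if field[0] in "*!":
        return "locked"        # no hash can match this value
    return "inline-hash"       # hash sits in the passwd file itself

def audit_passwd(text, mode):
    """Return (account, finding) pairs for a passwd-format file.

    text is the file content, mode its st_mode from os.stat().
    """
    world_readable = bool(mode & stat.S_IROTH)
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#+-":   # blank, comment, NIS compat entry
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("line %d" % number, "malformed entry"))
            continue
        kind = classify_password_field(fields[1])
        if kind == "empty":
            findings.append((fields[0], "empty password field"))
        elif kind == "inline-hash":
            exposure = "world-readable" if world_readable else "not world-readable"
            findings.append((fields[0], "hash in passwd file (%s)" % exposure))
    return findings

# Constructed sample entries; the hash string is a placeholder, not a real hash.
SAMPLE = """\
root:$1$CONSTRUCTED$placeholderHashValue000:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:*:99:99:Nobody:/:/sbin/nologin
guest::500:500::/home/guest:/bin/bash
"""

if __name__ == "__main__":
    path = "/etc/passwd"
    with open(path) as handle:
        for account, finding in audit_passwd(handle.read(), os.stat(path).st_mode):
            print("%s: %s" % (account, finding))
```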