This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] XCP: Insecure Distro ?

To: A Cold Penguin <verycoldpenguin@xxxxxxxxxxx>
Subject: Re: [Xen-users] XCP: Insecure Distro ?
From: Joseph Glanville <joseph.glanville@xxxxxxxxxxxxxx>
Date: Tue, 10 May 2011 21:56:18 +1000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 10 May 2011 04:57:38 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <BLU150-w60D638FF9F548697E3BFF0BD870@xxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <BLU150-w60D638FF9F548697E3BFF0BD870@xxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Sorry I wasn't completely clear.
The reason why the use of /etc/passwd vs /etc/shadow is
inconsequential is that XCP is a single-user machine where all
access is via UID 0.
As such, UNIX file permissions are effectively useless. For all intents
and purposes 700 = 777 if you are always root and everything is owned
by root, yes?
XCP could be secured further through the use of a multi-user
environment, sudo, SELinux and grsec patches, but for its use case it
would be entirely overkill.
In the use cases in which XCP will be employed, a single-user environment is
all that is required, for the reason that the only trusted system in
the stack is the management controller. XCP is not designed to have
users ever using shell access on their XCP nodes.
All operations on XCP are carried out through daemons running as root,
all of which can read /etc/passwd or /etc/shadow regardless; as such
it would not add any extra security.
As I noted earlier, it is possible to make XCP secure enough to live on
a public network, but I don't think it would be a beneficial use of
XCP developers' time.

Does this further clarify why changing to /etc/shadow would be of no


On 10 May 2011 17:16, A Cold Penguin <verycoldpenguin@xxxxxxxxxxx> wrote:
>> The points highlighted don't represent security risks if the dom0 is
>> properly isolated on a secure management network.
> Unfortunately there are some situations where even having an air gap between
> networks is not considered secure enough.
> Having the password hashes in world-readable files is basically a no-no, and
> would mean that this product could not go into production use.
> Basically this appears to be a relaxation in security against the 'norm'; if
> this is only required due to keeping different pool members in sync,
> I think that investigation should be made into an alternative method of
> synchronising the members.
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

Kind regards,
Founder | Director
Orion Virtualisation Solutions | www.orionvm.com.au | Phone: 1300 56
99 52 | Mobile: 0428 754 846
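As an added illustration of the concern raised in the quoted message (example code, not from this thread or the XCP project): a small Python audit that flags accounts whose hash sits in a passwd-format file and reports whether that file is world-readable. The sample records are constructed; the `xapi` user and its hash value are placeholders, not real XCP data.

```python
#!/usr/bin/env python3
"""Audit a passwd-format file for password hashes left outside /etc/shadow.

Added example, not part of the original thread. A hash in /etc/passwd is
readable by every local account; a hash in /etc/shadow (mode 0600/0640)
is not. The sample records below are constructed for the demonstration.
"""
import os
import stat

# Password-field values that mean "no hash here": shadow indirection ('x'),
# locked accounts ('*', '!', '!!', '*LK*'), or an empty field.
NO_HASH = {"x", "*", "!", "!!", "*LK*", "NP", ""}


def parse_passwd(text):
    """Yield (user, password_field) from passwd-format lines, skipping blanks/comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def looks_like_hash(pw):
    """True if the field carries a crypt(3)-style hash rather than a placeholder."""
    if pw in NO_HASH:
        return False
    # Modular crypt format ($id$salt$hash) or a legacy 13-character DES hash.
    return pw.startswith("$") or len(pw) == 13


def exposed_accounts(passwd_text):
    """Return users whose hash is stored in the passwd file itself."""
    return [user for user, pw in parse_passwd(passwd_text) if looks_like_hash(pw)]


def is_world_readable(path):
    """True if 'other' has read permission on path (what lets a hash leak)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample: root and sync are handled correctly; xapi's hash is in passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xapi:$6$saltsalt$constructedfakehash:1001:1001::/var/lib/xapi:/sbin/nologin
sync:*:5:0:sync:/sbin:/bin/sync
"""

if __name__ == "__main__":
    for user in exposed_accounts(SAMPLE_PASSWD):
        print(f"hash stored in passwd-format file for: {user}")
```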
