WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] protecting xen startup

To: Luke Kenneth Casson Leighton <lkcl@xxxxxxxx>
Subject: Re: [Xen-devel] protecting xen startup
From: Mark Williamson <maw48@xxxxxxxxxxxxxxxx>
Date: Tue, 23 Nov 2004 18:07:52 +0000 (GMT)
Cc: xen-devel@xxxxxxxxxxxx
Delivery-date: Tue, 23 Nov 2004 18:10:39 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <20041123170546.GB6250@xxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <20041123170546.GB6250@xxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> i notice that there's a management interface on port 8000.

There are currently two HTTP-based management interfaces. One of them is the Xensv web interface, the other is the Xend HTTP-based API, which is used by both the command line xm tool and Xensv to issue commands to Xend.

> i seek to protect this interface such that nothing but a trusted program
> (think selinux) may run, manage, start up or shut down xen oses.

Currently, anyone who can access Xend's port can issue management commands. Xend can optionally be configured to only accept connections from localhost, in which case only local users will be able to issue commands to it.

> is the port 8000 stuff just providing a web server (/etc/init.d/xend)
> front-end to some extra system calls?

Not exactly. At the Linux level, there aren't any extra Xen system calls. Most commands are issued to Xen by performing ioctls on the /proc/xen/privcmd file. The commands which are issued through this file are largely transparent to XenLinux however, having meaning only when they are parsed by Xen.

> is the port 8000 stuff actually running in the xen boot-up stuff?

Xend starts its HTTP interface when it starts up and will do anything the HTTP interface tells it to do. If Xend isn't running then the HTTP interface is not accessible (but you can't do a lot without Xend).

HTH,
Mark

> ta,
>
> l.
>
> --
> http://lkcl.net


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
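Mark's point that anyone who can reach Xend's port can issue management commands comes down to which local address the listener is bound to. The script below is an added example for this thread, not code from Xend or from either poster: it parses the Linux /proc/net/tcp table and flags any socket listening on port 8000 that is bound to something other than a loopback address (0.0.0.0 means every interface). The port number comes from the thread; the embedded table is constructed for the example, and the address decoding assumes a little-endian (x86) host, which is what /proc/net/tcp's hex fields reflect.

```python
"""Audit whether a Xend-style management port is reachable from the network.

Added example for this thread, not Xend's own code.  It reads the Linux
/proc/net/tcp table, decodes the hex "ADDR:PORT" fields (the address is the
raw 32-bit value in host byte order, so on x86 127.0.0.1 appears as
0100007F), and reports listening sockets on the management port that are
bound to anything other than a loopback address.  A listener on 0.0.0.0
accepts connections on every interface, which is the exposure described
in the thread.
"""
import socket
import struct

XEND_PORT = 8000      # port named in the thread
TCP_LISTEN = 0x0A     # value of the "st" column for a listening socket

# Constructed sample of /proc/net/tcp, not captured from a real host:
#  row 0: a listener on 0.0.0.0:8000   (management port, all interfaces)
#  row 1: a listener on 0.0.0.0:22     (unrelated, included as noise)
#  row 2: a listener on 127.0.0.1:8001 (loopback only)
#  row 3: an established connection to 127.0.0.1:8000 (not a listener)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 100 0 0 10 0
   2: 0100007F:1F41 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 00000000 100 0 0 10 0
   3: 0100007F:1F40 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 00000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """Turn a /proc/net/tcp 'ADDR:PORT' hex field into ('dotted', port)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the in_addr in host byte order.  Assumption: a
    # little-endian (x86) host, so repacking "<I" recovers network order.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return (address, port, uid) for every socket in the LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        addr, port = decode_endpoint(fields[1])
        listeners.append((addr, port, int(fields[7])))  # fields[7] is uid
    return listeners


def exposed_listeners(proc_net_tcp_text, port=XEND_PORT):
    """Listeners on `port` that a remote host could reach.

    Anything not bound to 127.0.0.0/8 counts: 0.0.0.0 means all interfaces,
    and a specific non-loopback address is reachable from that network.
    """
    return [
        (addr, p, uid)
        for addr, p, uid in listening_sockets(proc_net_tcp_text)
        if p == port and not addr.startswith("127.")
    ]


def report(proc_net_tcp_text, port=XEND_PORT):
    """Human-readable verdict used by the command-line entry point."""
    exposed = exposed_listeners(proc_net_tcp_text, port)
    if not exposed:
        return "port %d is not listening on any non-loopback address" % port
    return "\n".join(
        "port %d is reachable from the network: bound to %s (uid %d)"
        % (p, addr, uid) for addr, p, uid in exposed
    )


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP   # not on Linux: demonstrate on the sample
    print(report(text))
```

Run it on a dom0 as root to see the real table; a hit on 0.0.0.0:8000 is exactly the situation Mark describes, and the fix is the localhost-only configuration he mentions (or a host firewall rule in front of the port). The same parsing applies to /proc/net/tcp6 for IPv6 listeners, with a 128-bit address field in place of the 32-bit one.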



