xen-devel

[Top] [All Lists]

Re: [Xen-devel] Xend listening for TCP HTTP?

from [Anthony Liguori]

[Permanent Link][Original]

To:	Nivedita Singhvi <niv@xxxxxxxxxx>
Subject:	Re: [Xen-devel] Xend listening for TCP HTTP?
From:	Anthony Liguori <aliguori@xxxxxxxxxx>
Date:	Thu, 15 Dec 2005 17:48:35 -0600
Cc:	xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, Ewan Mellor <ewan@xxxxxxxxxxxxx>
Delivery-date:	Thu, 15 Dec 2005 23:50:43 +0000
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<43A1FF98.7010803@xxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<43A1EA68.7060908@xxxxxxxxxx> <43A1EB22.3050001@xxxxxxxxxx> <43A1FF98.7010803@xxxxxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent:	Mozilla Thunderbird 1.0.7 (X11/20051013)

Nivedita Singhvi wrote:

Anthony Liguori wrote:
Ok, I confirmed this, out of the box, accessinghttp://localhost:8000/xen/domain as a lesser-privileged user allowsone to do very bad things.
Anthony, were you using the default xend-config.sxp?


Yup.

Currently, although the default is off for http support
in xend, the default config file turns it on:

#(xend-http-server no)
(xend-http-server yes)


Yup.  This was added in:

# HG changeset patch
# User emellor@xxxxxxxxxxxxxxxxxxxxxx
# Node ID cefe36be8592090b4edb08060cca67a004c04617
# Parent  4d49f61a7feef3fca5fb3e991a5a1d741b6cd690
Tidy xend-config.sxp, removing entries that haven't been used since the

hotplugging stuff was introduced (block-*, console-port-base,console-address)

and introducing entries for options that have been present for ages

(xend-{http,unix,relocation}-server, xend-unix-path,xend-relocation-address,

enable-dump).  Remove vif-antispoof, as Vifctl no longer passes this option
down.

I imagine it was unintentional.  Ewan?

Regards,

Anthony Liguori

thanks,
Nivedita
Regards,

Anthony Liguori

Anthony Liguori wrote:
Hi,
On IRC, it came up that recent snapshots of Xend are now listeningfor TCP HTTP connections again by default. Since it's stilllistening on a Unix socket and xm will always prefer that, xm stillonly functions as root.
However, less privileged users can still connect to the TCP port andthrough Xend gain root access. This seems like a pretty bad defaultconfiguration. I poked around on the TCP interface but couldn'tseem to confirm this (does it only accept s-expression Content-Typenow?).
Thanks for any clarification on this.

Regards,

Anthony Liguori

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-devel] Xend listening for TCP HTTP?, Anthony Liguori Re: [Xen-devel] Xend listening for TCP HTTP?, Anthony Liguori Re: [Xen-devel] Xend listening for TCP HTTP?, Nivedita Singhvi Re: [Xen-devel] Xend listening for TCP HTTP?, Anthony Liguori <=

Previous by Date:	Re: [Xen-devel] Xend listening for TCP HTTP?, Nivedita Singhvi
Next by Date:	[Xen-devel] [PATCH] Turn http access off in default xend-config.sxp, Nivedita Singhvi
Previous by Thread:	Re: [Xen-devel] Xend listening for TCP HTTP?, Nivedita Singhvi
Next by Thread:	[Xen-devel] [PATCH] make network-bridge work in more environments, Dave Virtual
Indexes:	[Date] [Thread] [Top] [All Lists]