I wrote to Ralph Passgang:
] I'm playing around with 3.0.1-0tha3 and I found that when I had
] installed it it arranged for the relocation server port to be
] accessible from localhost.
]
] I think that this is a bad idea because it means that any local user
] could create new domains and effectively gain control of the local
] system (eg, by migrating a domain which has suitable hardware
] access). Have I understood the situation correctly ?
]
] I know that in many installations it is not sensible for the dom0 to
] be accessible by unprivileged users, but in other configurations it
] can make sense to make dom0 the `main' system. So, I think the xen
] package's configuration should be secure by default.
Ralph suggested that since he was just packaging the upstream default
config file I should mention it here.
Is there any chance that this default could be changed ? Or is the
file in question just an example ? I enclose it for your reference.
Thanks,
Ian.
# -*- sh -*-
#
# Xend configuration file.
#
# This example configuration is appropriate for an installation that
# utilizes a bridged network configuration. Access to xend via http
# is disabled.
# Commented out entries show the default for that entry, unless otherwise
# specified.
#(logfile /var/log/xend.log)
#(loglevel DEBUG)
#(xend-http-server no)
#(xend-unix-server yes)
#(xend-relocation-server no)
(xend-relocation-server yes)
#(xend-unix-path /var/lib/xend/xend-socket)
# Port xend should use for the HTTP interface, if xend-http-server is set.
#(xend-port 8000)
# Port xend should use for the relocation interface, if xend-relocation-server
# is set.
#(xend-relocation-port 8002)
# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying 'localhost' prevents remote connections.
# Specifying the empty string '' (the default) allows all connections.
#(xend-address '')
#(xend-address localhost)
# Address xend should listen on for relocation-socket connections, if
# xend-relocation-server is set.
# Meaning and default as for xend-address above.
#(xend-relocation-address '')
# The hosts allowed to talk to the relocation port. If this is empty (the
# default), then all connections are allowed (assuming that the connection
# arrives on a port and interface on which we are listening; see
# xend-relocation-port and xend-relocation-address above). Otherwise, this
# should be a space-separated sequence of regular expressions. Any host with
# a fully-qualified domain name or an IP address that matches one of these
# regular expressions will be accepted.
#
# For example:
# (xend-relocation-hosts-allow '^localhost$ ^.*\.example\.org$')
#
#(xend-relocation-hosts-allow '')
(xend-relocation-hosts-allow '^localhost$')
# The limit (in kilobytes) on the size of the console buffer
#(console-limit 1024)
##
# To bridge network traffic, like this:
#
# dom0: fake eth0 -> vif0.0 -+
# |
# bridge -> real eth0 -> the network
# |
# domU: fake eth0 -> vifN.0 -+
#
# use
#
# (network-script network-bridge)
#
# Your eth0 is used as the outgoing interface, by default. To use a different
# one (e.g. eth1) use
#
# (network-script 'network-bridge netdev=eth1')
#
# The bridge is named xenbr0, by default. To rename the bridge, use
#
# (network-script 'network-bridge bridge=<name>')
#
# It is possible to use the network-bridge script in more complicated
# scenarios, such as having two outgoing interfaces, with two bridges, and
# two fake interfaces per guest domain. To do things like this, write
# yourself a wrapper script, and call network-bridge from it, as appropriate.
#
(network-script network-bridge)
# The script used to control virtual interfaces. This can be overridden on a
# per-vif basis when creating a domain or a configuring a new vif. The
# vif-bridge script is designed for use with the network-bridge script, or
# similar configurations.
#
# If you have overridden the bridge name using
# (network-script 'network-bridge bridge=<name>') then you may wish to do the
# same here. The bridge name can also be set when creating a domain or
# configuring a new vif, but a value specified here would act as a default.
#
# If you are using only one bridge, the vif-bridge script will discover that,
# so there is no need to specify it explicitly.
#
(vif-script vif-bridge)
## Use the following if network traffic is routed, as an alternative to the
# settings for bridged networking given above.
#(network-script network-route)
#(vif-script vif-route)
## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
#(network-script network-nat)
#(vif-script vif-nat)
# Dom0 will balloon out when needed to free memory for domU.
# dom0-min-mem is the lowest memory level (in MB) dom0 will get down to.
# If dom0-min-mem=0, dom0 will never balloon out.
(dom0-min-mem 196)
# In SMP system, dom0 will use dom0-cpus # of CPUS
# If dom0-cpus = 0, dom0 will take all cpus available
(dom0-cpus 0)
# Whether to enable core-dumps when domains crash.
#(enable-dump no)
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
Home