xen-users
Re: [Xen-users] Vserver like security in Xen
> I have been using Xen and vserver for some time now. One feature I would
> like to reproduce in Xen is Vserver's ability to limit/reduce root's
> privileges using the Linux (POSIX) Capability system.
I'm familiar with Xen rather than VServer. Xen doesn't really do anything to
lock down what root can do within the virtual machine. The way you'd lock
things down is to impose restrictions on what that machine could do, e.g.
checks on IP addresses, firewalling to only allow certain protocols through,
etc etc.
There's currently not a lot you can do to prevent root e.g. modifying
filesystems, although you could arrange some sort of backups / snapshots or
even network-based logging so that there is some sort of unforgeable audit
trail.
Any particular things you had in mind?
Cheers,
Mark
> I would appreciate any comments from those who are familiar with both
> Vserver and Xen and have been able to lock down root's abilities and
> privileges.
>
>
> Thanks!
> --Jim
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
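
The reply above suggests restricting the guest from outside (IP address checks, firewalling to allowed protocols) and keeping an audit trail that root in the guest cannot alter. The following is an added example, not part of the original thread: a shell function that prints dom0 iptables rules for one guest interface. It assumes bridged networking with guest traffic crossing the dom0 FORWARD chain; the interface name, address, ports and log prefix are constructed values.

```shell
#!/bin/sh
# Added example: prints (does not apply) dom0 rules for one guest vif.
# Assumption: bridged guest traffic is passed through the FORWARD chain.

guest_rules() {
    vif=$1 ip=$2 allowed=$3

    # Validate everything before printing anything, so a bad argument can
    # never yield a partial rule set or smuggle extra text into a rule.
    case "$vif$ip" in
        *[!0-9a-z.]*) echo "illegal character in vif or address" >&2; return 1 ;;
    esac
    printf '%s\n' "$vif" | grep -Eq '^vif[0-9]+\.[0-9]+$' ||
        { echo "bad interface: $vif" >&2; return 1; }
    # Shape check only; iptables itself rejects out-of-range octets.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad address: $ip" >&2; return 1; }
    for pair in $allowed; do
        printf '%s\n' "$pair" | grep -Eq '^(tcp|udp):[0-9]{1,5}$' ||
            { echo "bad proto:port: $pair" >&2; return 1; }
    done

    match="-A FORWARD -m physdev --physdev-in $vif"
    # 1. IP address check: the guest may only send from its assigned address.
    echo "iptables $match ! -s $ip -j DROP"
    # 2. Packets belonging to connections that were already accepted.
    echo "iptables $match -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. Allowlisted new outbound traffic, given as proto:port pairs.
    for pair in $allowed; do
        echo "iptables $match -p ${pair%%:*} --dport ${pair##*:} -j ACCEPT"
    done
    # 4. Log, then drop, the rest. The log is written in dom0, so root
    #    inside the guest cannot edit it.
    echo "iptables $match -j LOG --log-prefix \"xen-guest-drop $vif: \""
    echo "iptables $match -j DROP"
}

# Constructed sample: guest on vif1.0 at 192.0.2.10, SSH and DNS out only.
guest_rules vif1.0 192.0.2.10 "tcp:22 udp:53"
```

The output is meant to be reviewed and then run in dom0. iptables does not filter ARP, so this covers IP-level spoofing only.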