| |
|
 |
|
 |
|
|
|
| |
|
|
xen-users
Re: [Xen-users] Best way to use Xen to segment & protect
On Feb 17, 2009, at 1:41 PM, Nick Anderson <nick@xxxxxxxxxxxx> wrote:
On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
Thanks for the info Nick... Regarding the root escalation mentioned
above -- have there been issues with this in the past?
Yes I believe so
http://secunia.com/advisories/26986/
Thx... Interesting to read...
Also, I guess it would help to have the domU that Apache is using to
have tools such as Tripwire and other related tools to keep thing
from
getting too far...
Inside a domU you would want any protections you would have on any
other server.
Sounds reasonable...
If you're in a domU, can you tell that it's a virtual server? If not
then perhap it's less likely to break out and escalate to dom0...?
Yes if its a paravirtualized machine.
Ahh... Those are the special CPU's with the special extension... Don't
have one of them yet...
Is it possible to have a domU mount a different filesystem than dom0?
Sorry for the numerous questions...
Not quite sure what you mean here.
I'm wondering if the dom0 could effectively only load the bare minimum
in terms of filesystems that it needs to run the other domU's --
particularly if all critical services are being done in domU spaces
(mail, pgsql, webapps,etc). That way each domU could mount the
specific filesystems they need to work... This would perhaps allow me
to have a special domU for my private data that perhap mounts an
encrypted filesystem that the others don't mount.. Obviously if that
special f/s is mounted in dom0 then it doesn't really help if a
security breach occurs -- perhaps...
Sorry ... Just thinking outloud...
-- Rick
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
| |
|
Home