Re: RE: [Xen-devel] severe security issue on dom0/xend/xm/non-root users
Hi Ian,

On Sun, Mar 13, 2005 at 05:17:38PM -0000, Ian Pratt wrote:
> I think this is a good first step, and pretty easy to implement.

... if you know twisted well enough.

I did not invest much time, but I failed.
I had a short look and thought that adding something like

    def connectionMade(self):
        if self.transport:
            log.info("xend: connect from host %s, port %ui" % \
                     (self.transport.client[0], self.transport.client[1]))
            if self.transport.client[1] >= 1024:
                self.loseConnection()

to class EventProtocol in SrvDaemon.py would do the job.
I was wrong ... the log.info never even triggered.

Making this configurable would be a plus as well, I guess.
In XendRoot.py, I had put

    """Default for xend-privileged """
    xend_privileged_default = '1'
    [...]
    def get_xend_privileged(self):
        """Get the setting that controls whether xend only accepts
        connections from privileged ports.
        """
        return self.get_config_value('xend-privileged',
                                     self.xend_privileged_default)

And then these pieces would need to be connected.
And xm taught to try grabbing a privileged port.

> Volunteers?

Someone more familiar with the xend implementation should be more
successful than me.

> With the next generation of tools we could insist on using SSL and thus
> that the client have an appropriate certificate.

That's the full blown approach, of course, as it would enable you to
allow remote control.

Regards,
--
Kurt Garloff <kurt@xxxxxxxxxx> [Koeln, DE]
Physics:Plasma modeling <garloff@xxxxxxxxxxxxxxxxxxx> [TU Eindhoven, NL]
Linux: SUSE Labs (Director) <garloff@xxxxxxx> [Novell Inc]
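The privileged-port check discussed in this message, as an added example that is not part of the original post and is not xend code: it uses plain standard-library sockets rather than Twisted, and the names peer_allowed, serve_once and demo are hypothetical. The require_privileged flag stands in for the proposed 'xend-privileged' setting.

```python
import socket
import threading

# On Unix, binding a port below 1024 needs root (or CAP_NET_BIND_SERVICE).
# Linux can lower that limit via the net.ipv4.ip_unprivileged_port_start
# sysctl, which would weaken this check.
PRIVILEGED_PORT_LIMIT = 1024
LOOPBACK = ("127.0.0.1", "::1")

def peer_allowed(peer, require_privileged=True):
    """Decide from the peer address alone whether to serve this client.

    The source port only says something about a local peer: the local
    kernel is the one enforcing who may bind a low port, so a low port
    on a remote host proves nothing and is refused here.
    """
    host, port = peer[0], peer[1]
    if not require_privileged:
        return True
    return host in LOOPBACK and 0 < port < PRIVILEGED_PORT_LIMIT

def serve_once(listener, require_privileged=True):
    """Accept one connection; reply b"OK\\n" or close it unserved."""
    conn, peer = listener.accept()
    with conn:
        if peer_allowed(peer, require_privileged):
            conn.sendall(b"OK\n")
            return True
        return False

def demo(require_privileged=True):
    """Loopback round trip with a client on an ephemeral (>= 1024) port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # constructed test listener
    listener.listen(1)
    result = {}
    worker = threading.Thread(target=lambda: result.update(
        served=serve_once(listener, require_privileged)))
    worker.start()
    with socket.create_connection(listener.getsockname(), timeout=5) as c:
        result["reply"] = c.recv(16)     # b"" when the server dropped us
    worker.join()
    listener.close()
    return result

if __name__ == "__main__":
    print(demo(True), demo(False))
```

A client that should pass the check has to bind its own socket to a port below 1024 before connecting, which is the "xm taught to try grabbing a privileged port" part of the message.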