[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xend listening for TCP HTTP?



Ok, I confirmed this, out of the box, accessing http://localhost:8000/xen/domain as a lesser-privileged user allows one to do very bad things.

Regards,

Anthony Liguori

Anthony Liguori wrote:

Hi,

On IRC, it came up that recent snapshots of Xend are now listening for TCP HTTP connections again by default. Since it's still listening on a Unix socket and xm will always prefer that, xm still only functions as root.

However, less privileged users can still connect to the TCP port and through Xend gain root access. This seems like a pretty bad default configuration. I poked around on the TCP interface but couldn't seem to confirm this (does it only accept s-expression Content-Type now?).

Thanks for any clarification on this.

Regards,

Anthony Liguori

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.