From: Mike Wray <mike.wray@hpl.hp.com>
To: Charles Coffing <ccoffing@novell.com>
Cc: xen-devel@lists.sourceforge.net, lkcl@lkcl.net
Subject: Re: protecting xen startup
Date: Tue, 23 Nov 2004 17:58:23 +0000
Message-ID: <41A37A3F.2000905@hpl.hp.com>
In-Reply-To: <s1a31208.035@sinclair.provo.novell.com>

Charles Coffing wrote:
> Right, xend is just an HTTP interface to Xen via system calls or ioctls 
> (xend <--> linux <--> Xen).
> 
> There's also a daemon (xfrd) running on 8002.
> 
> There currently is no authentication on either port.
> 
> In the source tree, look at docs/misc/xend.tex, although some details
> are out of date.
> 

Correct, though you can configure the interface listened to by xend
in the xend config. The default is open. To disable network access
configure 'localhost'. See 'xend-address' in '/etc/xen/xend-config.sxp'.

Xend is implemented using the Twisted framework in Python, and this
supports configuring https and authentication in front of web
services - we just haven't got around to it.

There's currently no security on port 8002 for the transfer daemon (xfrd).
There are various things that could be done. For example xfrd
could be set to listen on loopback only and you could use ssh or stunnel
to secure the comms and forward ports. I'm hoping to get around to securing
this.

> 
> HTH,
> Charles
>  
>  
> 
>>>>Luke Kenneth Casson Leighton <lkcl@lkcl.net> 11/23/04 10:05 am >>> 
> 
> hi, 
>  
> i notice that there's a management interface on port 8000. 
>  
> i seek to protect this interface such that nothing but a trusted program
> 
> (think selinux) may run, manage, start up or shut down xen oses. 
>  
> so: where can i find out information about the structure of the 
> xen management interface? 
>  
> is the port 8000 stuff just providing a web server (/etc/init.d/xend) 
> front-end to some extra system calls? 
>  
> is the port 8000 stuff actually running in the xen boot-up stuff? 
>  
> if it's some extra system calls that's very good because it will be 
> possible to add selinux security hooks to protect each system call. 
>  
> ta, 
>  
> l. 
>  

Mike
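The loopback-only xend configuration and the ssh port forward for xfrd that Mike describes above, worked through as an added example. This is not code from the thread or from the Xen tree: the one-line s-expression spelling of the setting, the `''` spelling of the open default, the `(xend-port 8000)` line in the constructed sample, and the `root@dom0.example` host are all assumptions; the thread only gives the file, the `xend-address` key, `localhost` as the safe value, and ports 8000 and 8002.

```shell
#!/bin/sh
# Added example (not from the thread or the Xen tree): check and fix the
# 'xend-address' setting in /etc/xen/xend-config.sxp, and build the ssh
# forward for the transfer daemon (xfrd, port 8002) once it is loopback-only.
#
# Assumed layout of the setting (one s-expression per line):
#   (xend-address '')           -> the open default the thread describes
#   (xend-address 'localhost')  -> loopback only
# The '' spelling of the default is an assumption; the thread only says the
# default is open.

# Print the configured xend-address value, or nothing if the line is absent.
xend_address_value() {
    sed -n "s/^[[:space:]]*(xend-address[[:space:]]*'\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Return 0 when xend is restricted to loopback, 1 when it listens on the
# network (either explicitly or through the open default).
xend_is_loopback_only() {
    case "$(xend_address_value "$1")" in
        localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a copy of the config with xend-address forced to 'localhost'.
# A missing setting means the open default, so the line is appended then.
harden_xend_address() {
    in="$1" out="$2"
    if grep -q "^[[:space:]]*(xend-address" "$in"; then
        sed "s/^\([[:space:]]*(xend-address[[:space:]]*\)'[^']*'/\1'localhost'/" "$in" > "$out"
    else
        cat "$in" > "$out"
        printf "(xend-address 'localhost')\n" >> "$out"
    fi
}

# ssh tunnel for xfrd: local port 8002 is carried over ssh to dom0's loopback
# 8002, so xfrd itself can be bound to 127.0.0.1 only. $1 is user@dom0.
xfrd_ssh_forward_cmd() {
    printf 'ssh -N -L 8002:127.0.0.1:8002 %s\n' "$1"
}

# Demo on a constructed config (not a real /etc/xen/xend-config.sxp).
demo() {
    weak=$(mktemp) && hard=$(mktemp)
    cat > "$weak" <<'EOF'
# constructed sample xend-config.sxp
(xend-port 8000)
(xend-address '')
EOF
    if xend_is_loopback_only "$weak"; then
        echo "weak config: loopback only (unexpected)"
    else
        echo "weak config: xend reachable from the network"
    fi
    harden_xend_address "$weak" "$hard"
    if xend_is_loopback_only "$hard"; then
        echo "hardened config: xend bound to $(xend_address_value "$hard")"
    fi
    xfrd_ssh_forward_cmd root@dom0.example
    rm -f "$weak" "$hard"
}
demo
```

Binding to loopback only closes the network path; anything that can already run on dom0 can still talk to both daemons, which is the gap Luke's SELinux question is about and which this script does not address.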

Thread overview: 22+ messages
2004-11-23 17:33 protecting xen startup Charles Coffing
2004-11-23 17:58 ` Mike Wray [this message]
2004-11-24 11:48 Neugebauer, Rolf
2004-11-24 15:24 ` Luke Kenneth Casson Leighton
2004-11-24 20:24   ` Luke Kenneth Casson Leighton
2004-11-23 23:58 Neugebauer, Rolf
2004-11-24 10:53 ` Luke Kenneth Casson Leighton
2004-11-24 11:55   ` Mark Williamson
2004-11-23 17:05 Luke Kenneth Casson Leighton
2004-11-23 18:07 ` Mike Wray
2004-11-23 21:03   ` Luke Kenneth Casson Leighton
2004-11-23 18:07 ` Mark Williamson
2004-11-23 20:51   ` Luke Kenneth Casson Leighton
2004-11-23 21:03     ` Ian Pratt
2004-11-23 21:52       ` Luke Kenneth Casson Leighton
2004-11-23 22:00         ` Jan Kundrát
2004-11-24  0:21           ` Luke Kenneth Casson Leighton
2004-11-24  8:17             ` Mark Williamson
2004-11-24 10:39               ` Luke Kenneth Casson Leighton
2004-11-23 22:49     ` Mark Williamson
2004-11-24  0:18       ` Luke Kenneth Casson Leighton
2004-11-24  8:27         ` Mark Williamson