From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tommi Virtanen Subject: Re: severe security issue on dom0/xend/xm/non-root users Date: Sun, 06 Mar 2005 17:14:15 +0200 Message-ID: <422B1E47.9050502@tv.debian.net> References: <1109962904.2746.12.camel@localhost> <4228B4D3.8020909@xensource.com> <1109965655.3355.8.camel@localhost> <20050304195646.GA31213@wavehammer.waldi.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit In-Reply-To: Sender: xen-devel-admin@lists.sourceforge.net Errors-To: xen-devel-admin@lists.sourceforge.net List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , List-Archive: To: Rik van Riel Cc: Bastian Blank , xen-devel@lists.sourceforge.net List-Id: xen-devel@lists.xenproject.org Rik van Riel wrote: > Note that I do not believe that xend access should be root > only, people may want to run management software under another > UID. As long as domain 0 doesn't get any untrusted users, > things should be fine. That's not good design. I sincerely think access to any confidential or security conscious part of xen should be limited, e.g. with a unix domain socket located in a directory only readable by a certain group. If any user in dom0 can do sensitive xm operations, a security bug in _any_ dom0 networked app allows the attacker to gain remote root. That is, (xen trusts every user in dom0) implies (in dom0, all security vulnerabilities give access to root). Note that if there are harmless xm commands (xm list and so on), they could be allowed for all users in dom0. ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click