From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
Subject: Re: severe security issue on dom0/xend/xm/non-root users
Date: Sun, 13 Mar 2005 21:39:01 +0000
Message-ID: <4234B2F5.1070205@blueyonder.co.uk>
References: <Pine.LNX.4.58.0503041118010.13626@gradall.private.brainfood.com> <1109962904.2746.12.camel@localhost> <4228B4D3.8020909@xensource.com> <1109965655.3355.8.camel@localhost> <20050304195646.GA31213@wavehammer.waldi.eu.org> <Pine.LNX.4.61.0503051651070.31720@chimarrao.boston.redhat.com> <422B1E47.9050502@tv.debian.net> <Pine.LNX.4.61.0503061613160.31720@chimarrao.boston.redhat.com> <20050313145512.GC29310@tpkurt.garloff.de>
Reply-To: david.nospam.hopwood@blueyonder.co.uk
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <20050313145512.GC29310@tpkurt.garloff.de>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.sourceforge.net>
List-Help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
To: xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Kurt Garloff wrote:
> On Sun, Mar 06, 2005 at 04:14:24PM -0500, Rik van Riel wrote:
>>On Sun, 6 Mar 2005, Tommi Virtanen wrote:
>>
>>>That's not good design. I sincerely think access to any confidential
>>>or security conscious part of xen should be limited, e.g. with a
>>>unix domain socket located in a directory only readable by a certain
>>>group.
>>
>>Good point, then we could use filesystem permissions
>>and/or selinux policy to restrict who gets access to
>>xend.
> 
> Why not just require the other end of the socket to be below 1024?

Please don't. The permission should be something that can be specifically
granted to a user or group id, not that requires root. Requiring root
tends to cause as many security problems as it solves.

> If you bind to localhost, that should be enough.
> 
> xm would then use a privileged socket if it can (i.e. if called as 
> root).
> 
> Using an selinux policy for this would be aiming cannons at sparrows
> (german saying, in english that's breaking a fly on the wheel).

"using a sledgehammer to crack a nut".

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click