From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tommi Virtanen <tv@tv.debian.net>
Subject: Re: severe security issue on dom0/xend/xm/non-root users
Date: Thu, 17 Mar 2005 08:46:51 +0200
Message-ID: <423927DB.3040305@tv.debian.net>
References: <20050304195646.GA31213@wavehammer.waldi.eu.org> <Pine.LNX.4.61.0503051651070.31720@chimarrao.boston.redhat.com> <422B1E47.9050502@tv.debian.net> <Pine.LNX.4.61.0503061613160.31720@chimarrao.boston.redhat.com> <20050313145512.GC29310@tpkurt.garloff.de> <4234B2F5.1070205@blueyonder.co.uk> <20050313215122.GC11358@tpkurt.garloff.de> <20050314145850.GB6037@vienna.egenera.com> <20050314151652.GE11417@tpkurt.garloff.de> <20050314155421.GD6037@vienna.egenera.com> <20050314161316.GM11417@tpkurt.garloff.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <20050314161316.GM11417@tpkurt.garloff.de>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.sourceforge.net>
List-Help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
To: Kurt Garloff <kurt@garloff.de>
Cc: Philip R Auld <pauld@egenera.com>, David Hopwood <david.hopwood@blueyonder.co.uk>, xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Kurt Garloff wrote:
> And my suggestion was binding to localhost only and requiring a port 
> < 1024 -- then you'd need to be a local user with CAP_NET_BIND_SERVICE 
> capability.  Granting additional rights by providing this capability 
> from a setuid root wrapper (or a PAM service that sets this on login)
> should not be too hard and straightforward enough to not introduce
> another load of security holes.

There's a simple reason why that's not really what you want.

Imagine two security-sensitive services, with different sets of
allowed users. Using UNIX domain sockets with filesystem access
control allows using two groups to list the allowed users for each
service -- using <1024 source port does not.

Please use UNIX domain sockets.


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click