From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tommi Virtanen
Subject: Re: severe security issue on dom0/xend/xm/non-root users
Date: Fri, 18 Mar 2005 11:19:52 +0200
Message-ID: <423A9D38.9080601@tv.debian.net>
References: <422B1E47.9050502@tv.debian.net> <20050313145512.GC29310@tpkurt.garloff.de> <4234B2F5.1070205@blueyonder.co.uk> <20050313215122.GC11358@tpkurt.garloff.de> <20050314145850.GB6037@vienna.egenera.com> <20050314151652.GE11417@tpkurt.garloff.de> <20050314155421.GD6037@vienna.egenera.com> <20050314161316.GM11417@tpkurt.garloff.de> <423927DB.3040305@tv.debian.net> <20050317150230.GW11685@tpkurt.garloff.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <20050317150230.GW11685@tpkurt.garloff.de>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
To: Kurt Garloff
Cc: Philip R Auld, David Hopwood, xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Kurt Garloff wrote:
>>There's a simple reason why that's not really what you want.
>>
>>Imagine two security-sensitive services, with different sets of
>>allowed users. Using UNIX domain sockets with filesystem access
>>control allows using two groups to list the allowed users for each
>>service -- using <1024 source port does not.
>
> It does.
> The frontend (that would acquire the privileged socket) would need
> to be setuid root for this and then could enforce whatever policies,
> much more flexible than the Unix group membership model if you want.

Oh, the group-restricted UNIX domain socket wins there, too.

Your model:

- setuid client that only lets certain users open ports <1024

My model:

- setgid client that only lets certain users connect to the
  protected socket

OR

- just add the certain users to the group, and let them access
  the protected socket.

The UNIX domain socket way is both more flexible and _more secure_ -- it only needs setgid where the port<1024 thing needs setuid.
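
Added example, not part of the original message and not xend's code: a minimal Linux sketch of the group-restricted UNIX domain socket described above, with the node created at mode 0000 and then opened to one group. It goes one step beyond the message by also reading the peer's credentials with SO_PEERCRED; the socket name `ctl.sock` and the use of the caller's own group as the "allowed" group are assumptions for the demo.

```python
import os
import socket
import stat
import struct
import tempfile

def bind_group_socket(path, gid, mode=0o660):
    """Bind a UNIX stream socket that only the owner and members of gid can connect to."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o777)  # node is created with mode 0000: no open window
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chown(path, -1, gid)      # hand the node to the allowed-users group
    os.chmod(path, mode)         # connect() needs write permission on the node
    srv.listen(8)
    return srv

def peer_credentials(conn):
    """Return (pid, uid, gid) of the connecting process via Linux SO_PEERCRED."""
    fmt = "iII"  # struct ucred: pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def demo():
    """Bind, connect once, and return (mode, group, peer creds) for inspection."""
    gid = os.getegid()  # constructed stand-in for a dedicated admin group
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ctl.sock")  # hypothetical socket name
        srv = bind_group_socket(path, gid)
        st = os.stat(path)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        conn, _ = srv.accept()
        creds = peer_credentials(conn)
        for s in (cli, conn, srv):
            s.close()
    return stat.S_IMODE(st.st_mode), st.st_gid, creds

if __name__ == "__main__":
    print(demo())
```

Neither the server nor the client in this sketch needs root or a setuid bit: access is decided by the kernel's permission check on the socket node at connect() time.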