From: Anthony Liguori <aliguori@us.ibm.com>
To: Kurt Garloff <garloff@suse.de>
Cc: Xen development list <xen-devel@lists.sourceforge.net>
Subject: Re: [PATCH] xen-2.0: privileged port connections
Date: Wed, 23 Mar 2005 09:41:24 -0600
Message-ID: <42418E24.5070906@us.ibm.com>
In-Reply-To: <20050323123639.GM12479@tpkurt.garloff.de>

So, here are my concerns:

1) ports < 1024 are reserved although 732 is currently unassigned
2) unix domain sockets would solve the same problem
3) this approach is not flexible for finer grain control
4) you still have to find a way to deal with the consoles
5) you still have to deal with xfrd

With all that said, I'd like to see this applied as it's better than
leaving everything out in the open.

Regards,
Anthony Liguori

Kurt Garloff wrote:
>Hi,
>
>as discussed previously, I went ahead and introduced a setting that
>allows you to restrict the stuff you can do when controlling xen by
>connecting to the port 8000 unless you connect from a privileged
>port.
>
>I did not yet bother to look at the event port nor did I try to address
>the consoles. The consoles will be done in a second patch if this
>approach is deemed appropriate.
>
>Note that I also still allow unprivileged connections to gather
>most of the information. This can be debated, but I'm not such a big fan
>of security by obscurity.
>
>I hope I did not miss anything important for the control stuff.
>
>The patch also fixes one typo (missing ") in SrvNode.py.
>
>Regards,
>
>
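
A sketch of the check described in the quoted message, as an added example (not code from the patch or from xend): state-changing operations are refused unless the client's source port is below 1024, while read-only queries stay open to everyone. The operation names, the `require_privileged` flag and the one-line wire format are assumptions made for illustration.

```python
import socket

PRIVILEGED_PORT_MAX = 1023   # binding below 1024 needs root (or CAP_NET_BIND_SERVICE)
READ_ONLY_OPS = {"list", "info"}                 # hypothetical information queries
CONTROL_OPS = {"create", "destroy", "migrate"}   # hypothetical state-changing calls


def is_privileged_peer(peer):
    """peer is the (host, port, ...) tuple returned by accept()/getpeername()."""
    return 0 < peer[1] <= PRIVILEGED_PORT_MAX


def authorize(peer, op, require_privileged=True):
    """Return True if operation `op` may run for a client connecting from `peer`."""
    if op in READ_ONLY_OPS:
        return True                  # information stays available to everyone
    if op not in CONTROL_OPS:
        return False                 # unknown operations are denied by default
    return (not require_privileged) or is_privileged_peer(peer)


def handle_one(listener, require_privileged=True):
    """Accept one connection, read one operation name, answer OK or DENIED."""
    conn, peer = listener.accept()
    with conn:
        op = conn.recv(64).decode("ascii", "replace").strip()
        allowed = authorize(peer, op, require_privileged)
        conn.sendall(b"OK\n" if allowed else b"DENIED\n")
    return peer, op, allowed


def loopback_demo(op):
    """Send `op` from an ephemeral (unprivileged) source port and return the reply."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))          # any free port, loopback only
        listener.listen(1)
        with socket.create_connection(listener.getsockname()) as client:
            client.sendall(op.encode("ascii") + b"\n")
            handle_one(listener)
            return client.recv(16).decode("ascii").strip()


if __name__ == "__main__":
    for op in ("list", "destroy"):
        print(op, "->", loopback_demo(op))
```

The source port only shows that the client process was able to bind a reserved port on its own host, so the check carries weight only for peers whose hosts are trusted to enforce that reservation.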