From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anthony Liguori <aliguori@us.ibm.com>
Subject: Re: [PATCH] xen-2.0: privileged port connections
Date: Wed, 23 Mar 2005 09:41:24 -0600
Message-ID: <42418E24.5070906@us.ibm.com>
References: <20050323123639.GM12479@tpkurt.garloff.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <20050323123639.GM12479@tpkurt.garloff.de>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.sourceforge.net>
List-Help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
To: Kurt Garloff <garloff@suse.de>
Cc: Xen development list <xen-devel@lists.sourceforge.net>
List-Id: xen-devel@lists.xenproject.org

So, here's my concerns:

1) ports < 1024 are reserved although 732 is currently unassigned
2) unix domain sockets would solve the same problem
3) this approach is not flexible for finer grain control
4) you still have to find a way to deal with the consoles
5) you still have to deal with xfrd

With all that said, I'd like to see this applied as it's better than 
leaving everything out in the open.

Regards,
Anthony Liguori

Kurt Garloff wrote:

>Hi,
>
>as discussed previously, I went ahead and introduced a setting that
>allows you to restrict the stuff you can when controlling xen by
>connecting to the port 8000 unless you connect from a privileged
>port.
>
>I did not yet bother to look at the event port nor did I try to address
>the consoles. The consoles will be done in a second patch if this 
>approach is deemed appropriate. 
>
>Note that I also do still allow unprivileged connections still to gather
>most of the information. This can be debated, but I'm not such a big fan
>of security by obscurity.
>
>I hope I did not miss anything important for the control stuff.
>
>The patch also fixes one typo (missing ") in SrvNode.py.
>
>Regards,
>  
>



-------------------------------------------------------
This SF.net email is sponsored by: 2005 Windows Mobile Application Contest
Submit applications for Windows Mobile(tm)-based Pocket PCs or Smartphones
for the chance to win $25,000 and application distribution. Enter today at
http://ads.osdn.com/?ad_id=6882&alloc_id=15148&op=click