Xend listening for TCP HTTP?

Xend listening for TCP HTTP?

[Anthony Liguori]

Hi,

On IRC, it came up that recent snapshots of Xend are now listening for 
TCP HTTP connections again by default.  Since it's still listening on a 
Unix socket and xm will always prefer that, xm still only functions as root.

However, less privileged users can still connect to the TCP port and 
through Xend gain root access.  This seems like a pretty bad default 
configuration.  I poked around on the TCP interface but couldn't seem to 
confirm this (does it only accept s-expression Content-Type now?).

Thanks for any clarification on this.

Regards,

Anthony Liguori

Re: Xend listening for TCP HTTP?

[Anthony Liguori]

Ok, I confirmed this, out of the box, accessing 
http://localhost:8000/xen/domain as a lesser-privileged user allows one 
to do very bad things.

Regards,

Anthony Liguori

Anthony Liguori wrote:

> Hi,
>
> On IRC, it came up that recent snapshots of Xend are now listening for 
> TCP HTTP connections again by default.  Since it's still listening on 
> a Unix socket and xm will always prefer that, xm still only functions 
> as root.
>
> However, less privileged users can still connect to the TCP port and 
> through Xend gain root access.  This seems like a pretty bad default 
> configuration.  I poked around on the TCP interface but couldn't seem 
> to confirm this (does it only accept s-expression Content-Type now?).
>
> Thanks for any clarification on this.
>
> Regards,
>
> Anthony Liguori
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
>

Re: Xend listening for TCP HTTP?

[Nivedita Singhvi]

Anthony Liguori wrote:
> Ok, I confirmed this, out of the box, accessing 
> http://localhost:8000/xen/domain as a lesser-privileged user allows one 
> to do very bad things.

Anthony, were you using the default xend-config.sxp?

Currently, although the default is off for http support
in xend, the default config file turns it on:

#(xend-http-server no)
(xend-http-server yes)

Note that it is restricted to local users, though:

# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying 'localhost' prevents remote connections.
# Specifying the empty string '' (the default) allows all connections.
#(xend-address '')
(xend-address localhost)

I'm about to submit a patch to turn this off in the default
file that's installed, as it's generally the case that most
people won't change it...

thanks,
Nivedita

> Regards,
> 
> Anthony Liguori
> 
> Anthony Liguori wrote:
> 
>> Hi,
>>
>> On IRC, it came up that recent snapshots of Xend are now listening for 
>> TCP HTTP connections again by default.  Since it's still listening on 
>> a Unix socket and xm will always prefer that, xm still only functions 
>> as root.
>>
>> However, less privileged users can still connect to the TCP port and 
>> through Xend gain root access.  This seems like a pretty bad default 
>> configuration.  I poked around on the TCP interface but couldn't seem 
>> to confirm this (does it only accept s-expression Content-Type now?).
>>
>> Thanks for any clarification on this.
>>
>> Regards,
>>
>> Anthony Liguori
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xensource.com
>> http://lists.xensource.com/xen-devel
>>
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
> 
> 

Re: Xend listening for TCP HTTP?

[Anthony Liguori]

Nivedita Singhvi wrote:

> Anthony Liguori wrote:
>
>> Ok, I confirmed this, out of the box, accessing 
>> http://localhost:8000/xen/domain as a lesser-privileged user allows 
>> one to do very bad things.
>
>
> Anthony, were you using the default xend-config.sxp?

Yup.

> Currently, although the default is off for http support
> in xend, the default config file turns it on:
>
> #(xend-http-server no)
> (xend-http-server yes)

Yup.  This was added in:

# HG changeset patch
# User emellor@leeni.uk.xensource.com
# Node ID cefe36be8592090b4edb08060cca67a004c04617
# Parent  4d49f61a7feef3fca5fb3e991a5a1d741b6cd690
Tidy xend-config.sxp, removing entries that haven't been used since the
hotplugging stuff was introduced (block-*, console-port-base, 
console-address)
and introducing entries for options that have been present for ages
(xend-{http,unix,relocation}-server, xend-unix-path, 
xend-relocation-address,
enable-dump).  Remove vif-antispoof, as Vifctl no longer passes this option
down.

I imagine it was unintentional.  Ewan?

Regards,

Anthony Liguori

> thanks,
> Nivedita
>
>> Regards,
>>
>> Anthony Liguori
>>
>> Anthony Liguori wrote:
>>
>>> Hi,
>>>
>>> On IRC, it came up that recent snapshots of Xend are now listening 
>>> for TCP HTTP connections again by default.  Since it's still 
>>> listening on a Unix socket and xm will always prefer that, xm still 
>>> only functions as root.
>>>
>>> However, less privileged users can still connect to the TCP port and 
>>> through Xend gain root access.  This seems like a pretty bad default 
>>> configuration.  I poked around on the TCP interface but couldn't 
>>> seem to confirm this (does it only accept s-expression Content-Type 
>>> now?).
>>>
>>> Thanks for any clarification on this.
>>>
>>> Regards,
>>>
>>> Anthony Liguori
>>>
>>> _______________________________________________
>>> Xen-devel mailing list
>>> Xen-devel@lists.xensource.com
>>> http://lists.xensource.com/xen-devel
>>>
>>
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xensource.com
>> http://lists.xensource.com/xen-devel
>>
>>
>
>