* domU to dom0 security
@ 2005-03-24 13:52 Brian Hays
  2005-03-24 19:44 ` Mark Williamson
  0 siblings, 1 reply; 2+ messages in thread
From: Brian Hays @ 2005-03-24 13:52 UTC (permalink / raw)
  To: xen-devel

Hello,

I am considering using XEN to host "virtual dedicated servers" for a
few of my clients. Are there any security issues that would allow domU
(guestOS) admins access to dom0 or global xend commands by default? If
so, is there anything I can do to lock it down so that only dom0 users
(root) would have access to dom0 and the xend commands?

Thanks,
Brian



* Re: domU to dom0 security
  2005-03-24 13:52 domU to dom0 security Brian Hays
@ 2005-03-24 19:44 ` Mark Williamson
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Williamson @ 2005-03-24 19:44 UTC (permalink / raw)
  To: xen-devel, Brian Hays

> I am considering using XEN to host "virtual dedicated servers" for a
> few of my clients. Are there any security issues that would allow domU
> (guestOS) admins access to dom0

No, the aim is for domUs to have no more power to abuse dom0 than a separate 
physical machine would (i.e. they'd have to use some sort of network-based 
attack, just like another machine would).

> or global xend commands by default?

I think the current default is to accept Xend commands anywhere (!).  You can 
restrict this to only allow commands from localhost (i.e. from users local to 
dom0).  This is a bit better, as long as you trust your dom0 users.

You'll probably want to use some firewall rules in dom0 to isolate the Xend 
and Xfrd services appropriately.

Cheers,
Mark

> If  
> so, is there anything I can do to lock it down so that only dom0 users
> (root) would have access to dom0 and the xend commands?
>
> Thanks,
> Brian


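Added example, not part of the thread and not Xen project code: a small audit of a xend-style s-expression config that reports listener addresses not limited to localhost, which is the restriction the reply above recommends. The key names in the constructed sample (xend-address, console-address, xend-port) and the reading of an empty address as "all interfaces" are assumptions.

```python
import re

# Address values that limit a listener to clients local to dom0.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample config; key names are assumptions, not from the thread.
SAMPLE_CONFIG = """\
# constructed example
(xend-port         8000)
(xend-address      '')
(console-address   'localhost')
# (xend-address 'localhost')   <- commented out, must be ignored
"""

ENTRY = re.compile(r"^\(\s*([\w-]+)\s+(.*?)\s*\)\s*$")


def parse_sxp(text):
    """Return {key: value} for simple one-line (key value) entries."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = ENTRY.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def exposed_listeners(text, expect=()):
    """List *-address keys that are not bound to loopback.

    Keys named in `expect` but missing from the file are reported too,
    since an unset key falls back to the daemon's default.
    """
    settings = parse_sxp(text)
    findings = []
    for key in sorted(set(settings) | set(expect)):
        if not key.endswith("-address"):
            continue
        if key not in settings:
            findings.append((key, "<unset, default applies>"))
        elif settings[key] not in LOOPBACK:
            # Assumption: an empty address means "listen on all interfaces".
            findings.append((key, settings[key] or "<all interfaces>"))
    return findings


if __name__ == "__main__":
    for key, shown in exposed_listeners(SAMPLE_CONFIG):
        print(f"{key} = {shown}: reachable from outside dom0")
```

A clean result only covers the daemon's own bind address; the dom0 firewall rules mentioned in the reply are a separate layer and are not checked here.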
