[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users

On Mon, Mar 14, 2005 at 09:58:50AM -0500, Philip R Auld wrote:
> Rumor has it that on Sun, Mar 13, 2005 at 10:51:22PM +0100 Kurt Garloff said:
> > Normally, you'd expect that only the sysadmin is able to control
> > virtual machines. This would be the result of this simple tweak.
> Which sysadmin?  Dom0 sysadmin may not be the same as a vm's sysadmin.
> You would not want a VM sysadmin to be able to manage someone else's VM,
> but he may want control over his own. 

The most straightforward approach would be to have dom0 sysadmin to be
the one in control of all the other domains.

Currently all dom0 users are, which is inconvenient, as machines that
are used as desktops will need to have dom0 uers.

Of course, the other domains can have their own root users. This is
not changed by restricting control connections to be originating from
ports < 1024.

Kurt Garloff                   <kurt@xxxxxxxxxx>             [Koeln, DE]
Physics:Plasma modeling <garloff@xxxxxxxxxxxxxxxxxxx> [TU Eindhoven, NL]
Linux: SUSE Labs (Director)    <garloff@xxxxxxx>            [Novell Inc]

Attachment: pgpgVAV3f4_dr.pgp
Description: PGP signature



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.