[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users

Rumor has it that on Sun, Mar 13, 2005 at 10:51:22PM +0100 Kurt Garloff said:
> Hi David,
> On Sun, Mar 13, 2005 at 09:39:01PM +0000, David Hopwood wrote:
> > Kurt Garloff wrote:
> > >Why not just require the other end of the socket to be below 1024?
> > 
> > Please don't. The permission should be something that can be specifically
> > granted to a user or group id, not that requires root. Requiring root
> > tends to cause as many security problems as it solves.
> I disagree.
> Normally, you'd expect that only the sysadmin is able to control
> virtual machines. This would be the result of this simple tweak.

Which sysadmin?  Dom0 sysadmin may not be the same as a vm's sysadmin.
You would not want a VM sysadmin to be able to manage someone else's VM,
but he may want control over his own. 



Philip R. Auld, Ph.D.                          Egenera, Inc.    
Software Architect                            165 Forest St.
(508) 858-2628                            Marlboro, MA 01752

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.