[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users
Kurt Garloff wrote: And my suggestion was binding to localhost only and requiring a port < 1024 -- then you'd need to be a local user with CAP_NET_BIND_SERVICE capability. Granting additional rights by providing this capability from a setuid root wrapper (or a PAM service that sets this on login)should not be too hard and straightforward enough to not introduce another load of security holes. There's a simple reason why that's not really what you want. Imagine two security-sensitive services, with different sets of allowed users. Using UNIX domain sockets with filesystem access control allows using two groups to list the allowed users for each service -- using <1024 source port does not. Please use UNIX domain sockets. ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |