Re: [Xen-devel] domU to dom0 security

[Mark Williamson <maw48@xxxxxxxxxxxx>]

> I am considering using XEN to host "virtual dedicated servers" for a
> few of my clients. Are there any security issues that would allow domU
> (guestOS) admins access to dom0

No the aim is for domUs to have no more power to abuse dom0 than a separate 
physical machine would (i.e. they'd have to use some sort of network based 
attack, just like another machine would).

> or global xend commands by default?

I think the current default is to accept Xend commands anywhere (!).  You can 
restrict this to only allow commands from localhost (i.e. from users local to 
dom0).  This is a bit better, as long as you trust your dom0 users.

You'll probably want to use some firewall rules in dom0 to isolate the Xend 
and Xfrd services appropriately.

Cheers,
Mark

> If  
> so, is there anything I can do to lock it down so that only dom0 users
> (root) would have access to dom0 and the xend commands?
>
> Thanks,
> Brian
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon 2005
> Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
> Embedded(r) & Windows Mobile(tm) platforms, applications & content. 
> Register by 3/29 & save $300
> http://ads.osdn.com/?ad_id=6883&alloc_id=15149&op=click
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/xen-devel


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel