Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor in VNC server
On Tue, Mar 27, 2007 at 02:06:42PM -0700, Christian Limpach wrote:
> > hvm: Remove access to QEMU monitor in VNC server
> >
> > This fixes a RHEL5 errata and CVE-2007-0998.
> >
> > The monitor is still accessible in debug builds of ioemu (debug=y).
> >
> > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
>
> This change is quite weird since it doesn't disable monitor access when
> using SDL.

Well SDL isn't exposed to the network directly - to access the monitor via
the SDL console, you'd need to first access the X server desktop in question.
Unprivileged local users, or remote users, can't typically get access to the X
desktop of the person who started the VM, so it's not necessary to disable it.

> Also, the additional virtual consoles can be used for giving access to
> things without security implications, like serial ports.

The console enables the users to map the virtual serial port onto a physical
device. Not a huge issue, but still basically a privilege escalation because
it lets users access hardware they'd not otherwise be able to.

> I think a much better fix for the security issue would be to change the
> default monitor output not to be a virtual console.

Yes, long term I expect that if we want to avoid Xen forking still further
from QEMU then we'll need XenD itself to own the monitor channel, because the
monitor is becoming the official way to reconfig stuff on the fly. So if XenD
redirected the monitor to a STDIN/STDOUT then it could safely have complete
control over it & not expose it to the user. This is the approach we already
take in libvirt for managing QEMU & KVM guests & it works quite well. I didn't
do that myself because it's much more work & I was prioritizing the security
fix.

NB, this fix is slightly different from what we actually put in RHEL. The RHEL
version removed the code completely - this version allows it to be toggled at
build time because Keir wanted to keep access for developers who are doing
debugging of HVM guests.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|