[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server

> From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx] 
> Well SDL isn't exposed to the network directly - to access the monitor
> via the SDL console, you'd need to first access the X server 
> desktop in
> question. Unprivileged local users, or remote user can't 
> typically get 
> access to X desktop of the person who started the VM, so its 
> not neccessary
> to disable it.

What about the unprivileged local user using the X desktop?

> The console enables the users to map the virtual serial port 
> onto a physical
> device. Not a huge issue, but still basically a privilege 
> escalation because
> it lets users access hardware they'd not otherwise be able to.

?? You get access to the guests serial port through a virtual console in
VNC/SDL, how is that a privilege escalation?

Don't you think that having the monitor (and the serial port) not
exposed by default through VNC/SDL is a sufficient and more flexibel fix
for the security issue? 


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.