|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] domU kernel
Nico Kadel-Garcia wrote: Steve Wray wrote:Christian Horn wrote:On Fri, Oct 12, 2007 at 12:14:02AM -0400, IDAGroup - R.W.Muller wrote:Hi, I found lots of threads where people talk about domU kernel sitting in /boot of dom0. [snip] There's a big advantage to pygrub: kernel update procedures for DomU have nothing to do with Dom0's kernel. This prevents version and feature conflicts with package management sytems, and allows updates and reboots of DomU without having to write to Dom0. This was particularlycons: Security. You now have a domU in which a local exploit could result in code being executed in dom0 at the next boot of that domU. By the way, this actually happened. See CVE-2007-4993IMHO putting the kernel in domU and using pygrub was always asking for trouble.In my opinion it is completely crazy to expose dom0 to potential exploits from domU.So far as I am aware this is the *only* way to so expose dom0 to domU security holes and I am deeply shocked if it is true that "One sees mostly this nowadays" I don't believe that the convenience of this outweighs the undeniable security implications. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |