
Re: [Xen-users] domU kernel


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: "IDAGroup - R.W.Muller" <robin@xxxxxxxxxxx>
  • Date: Mon, 15 Oct 2007 16:10:55 -0400
  • Delivery-date: Mon, 15 Oct 2007 13:12:16 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

It's funny, my test installation just got hacked. I had an idiot password for domU and somebody uploaded a suKit 1.3,
and I also found traces of adding a user (www) in dom0 and trying to change paths with PATH=:.: plus doing an FTP
connection from dom0 (history of root in dom0 showed "ftp hackers.home.domain").
OK, I can confirm that dom0 can be exposed to hacking by putting the kernel into domU.

Now the big question is: how can I install a CentOS domU on a CentOS dom0 and have the kernel OUTSIDE domU?

...and has somebody already installed xen-shell on a CentOS 5 dom0?

Thanks,
Robin



Christian Horn wrote:
On Sun, Oct 14, 2007 at 08:49:19PM -0400, IDAGroup - R.W.Muller wrote:
  
Wow, if that is true then CentOS is making a big mistake.
    

Nah, they probably took the pros and cons into account and then made 
the same decision as SUSE did for SLES: put it all into the disc file.
Xen needs a bit more work than VMware, and this is a step to make the
handling of domUs simpler.

  
Steve Wray wrote:
    
You forgot the con.

cons: Security. You now have a domU in which a local exploit could 
result in code being executed in dom0 at the next boot of that domU. 
By the way, this actually happened. See CVE-2007-4993
      
Right, it's a con. Just couldn't think of it at the time of writing ;)


Christian
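
An added example, not part of the original thread: a small audit of xm-style domU config files that separates guests booted through a dom0-run bootloader such as pygrub (kernel read from the guest's own disk image) from guests whose `kernel=` points at a file kept in dom0. The config contents, guest names and paths are constructed for illustration, and the function names are hypothetical.

```python
import ast

# Constructed sample configs in xm's Python-style syntax (not from the thread).
PYGRUB_CFG = '''
name = "guest-a"
bootloader = "/usr/bin/pygrub"
disk = ["tap:aio:/var/lib/xen/images/guest-a.img,xvda,w"]
'''
DOM0_KERNEL_CFG = '''
name = "guest-b"
kernel = "/boot/xen-guests/vmlinuz-guest"
ramdisk = "/boot/xen-guests/initrd-guest.img"
root = "/dev/xvda1 ro"
disk = ["tap:aio:/var/lib/xen/images/guest-b.img,xvda,w"]
'''

def parse_xm_config(text):
    """Collect top-level literal assignments without executing the file."""
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                settings[node.targets[0].id] = None  # non-literal expression
    return settings

def boot_source(settings):
    """Classify where the guest kernel is read from when the domU starts."""
    if settings.get("bootloader"):
        # dom0 runs the bootloader, which parses the guest-writable disk.
        return "guest-disk"
    if settings.get("kernel"):
        # Kernel and ramdisk are files in dom0 that the guest cannot modify.
        return "dom0-file"
    return "unknown"

def audit(configs):
    """Return names of guests whose boot path depends on guest-controlled data."""
    flagged = []
    for text in configs:
        settings = parse_xm_config(text)
        if boot_source(settings) != "dom0-file":
            flagged.append(settings.get("name", "<unnamed>"))
    return flagged

if __name__ == "__main__":
    print(audit([PYGRUB_CFG, DOM0_KERNEL_CFG]))
```
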

  