Re: [Xen-users] domU kernel

["IDAGroup - R.W.Muller" <robin@xxxxxxxxxxx>]

It's funny, my test installation just got hacked. I had a idiot password for domU and somebody uploaded a suKit 1.3
and I also found trace of adding a user (www) in dom0 and trying to change pathes with PATH=:.: plus doing an FTP
connection from dom0 (history of root in dom0, showed "ftp hackers.home.domain").
Ok I can confirm, that dom0 can be exposed to hacking by putting the kernel into domU.

Now the big question is: how can I install a Centos domU on Centos dom0 and have the kernel OUTSIDE domU ?

..and has already somebody installed xen-shell on Centos 5 dom0 ?

Thanks,
Robin



Christian Horn wrote:

On Sun, Oct 14, 2007 at 08:49:19PM -0400, IDAGroup - R.W.Muller wrote:
  

Wow, if that is true then is CentOS making a big mistake.
    

Nah, they probably took the pros and cons into account and then made 
the same decision as suse did for SLES: put it all into the discfile.
Xen needs a bit more work than vmware, and this is a step to make the
handling of domUs simpler.

  

Steve Wray wrote:
    

You forgot the con.

cons: Security. You now have a domU in which a local exploit could 
result in code being executed in dom0 at the next boot of that domU. 
By the way, this actually happened. See CVE-2007-4993
      

Right, its a con. Just couldnt think of at the time of writing ;)


Christian

  

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users