
Re: [Xen-users] Best way to use Xen to segment & protect


  • To: Nick Anderson <nick@xxxxxxxxxxxx>
  • From: weiming <zephyr.zhao@xxxxxxxxx>
  • Date: Tue, 17 Feb 2009 16:56:58 -0500
  • Cc: "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>, Rick Flower <rickf@xxxxxxxxxxxxx>
  • Delivery-date: Tue, 17 Feb 2009 13:58:14 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi Nick,

In which situation can domU root escalation result in escalation to dom0?
If domU has no virtual NIC configured, will the threat still exist?

weiming


On Tue, Feb 17, 2009 at 4:41 PM, Nick Anderson <nick@xxxxxxxxxxxx> wrote:
On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
> Thanks for the info Nick... Regarding the root escalation mentioned
> above -- have there been issues with this in the past?
Yes I believe so
http://secunia.com/advisories/26986/
> Also, I guess it would help to have the domU that Apache is using to
> have tools such as Tripwire and other related tools to keep things from
> getting too far...
Inside a domU you would want any protections you would have on any
other server.
> If you're in a domU, can you tell that it's a virtual server?  If not
> then perhaps it's less likely to break out and escalate to dom0...?
Yes, if it's a paravirtualized machine.
> Is it possible to have a domU mount a different filesystem than dom0?
> Sorry for the numerous questions...
Not quite sure what you mean here.


--
Nick Anderson <nick@xxxxxxxxxxxx>
http://www.cmdln.org



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
