[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Should applications be running on Dom0



Joseph M. Deming wrote:

1)  Applications running on DomO could, theoretically, compromise
security between the Dom0 boxes and the DomU's by providing further
handles that could be leveraged if a security loophole is exploited in
Xen.  In other words, by keeping the DomO as a nice clean, minimal
install you minimize the vector of attacks possible that would be
possible by gaining access to the Dom0 kernel or communication between
Dom0's and DomU devices.

At 22:05 +0100 17/8/10, Jonathan Tripathy wrote:
Much more simple: Dom0 has access to all disks of all DomUs - no exploits required :)

Indeed, there is no "theoretically" involved. Anything running on Dom0 has access to everything - it can shut down a DomU, it can alter the contents of their disks as well as read them.

So in a way the argument is the same as for running services chroot'd on a single server - if they get compromised then it limits the damage they can do. It's not something you **must** do, it's something you as administrator decide to do or not depending on what you believe the risks to be, and what your tolerance for risk is.

The difference with Dom0 is that you are giving someone the opportunity to compromise not just the one 'machine', but potentially a whole virtual rack of machines.

I'm with the other, for a production machine exposed to the big bad internet, then it makes sense to keep Dom0 lean and clean. For education purposes and experimentation, I'd see nothing wrong with running your desktop in Dom0.

Just remember, there is no such thing as "no risk" or "safe". You just have to assess the risks and minimise them as far as is reasonable/practical for **your** application.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.