[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Should applications be running on Dom0

To: Xen-users@xxxxxxxxxxxxxxxxxxx
From: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Date: Wed, 18 Aug 2010 07:48:02 +0100
Cc:
Delivery-date: Tue, 17 Aug 2010 23:58:42 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

Joseph M. Deming wrote:

1)  Applications running on DomO could, theoretically, compromise
security between the Dom0 boxes and the DomU's by providing further
handles that could be leveraged if a security loophole is exploited in
Xen.  In other words, by keeping the DomO as a nice clean, minimal
install you minimize the vector of attacks possible that would be
possible by gaining access to the Dom0 kernel or communication between
Dom0's and DomU devices.


At 22:05 +0100 17/8/10, Jonathan Tripathy wrote:

Much more simple: Dom0 has access to all disks of all DomUs - noexploits required :)

Indeed, there is no "theoretically" involved. Anything running onDom0 has access to everything - it can shut down a DomU, it can alterthe contents of their disks as well as read them.

So in a way the argument is the same as for running services chroot'don a single server - if they get compromised then it limits thedamage they can do. It's not something you **must** do, it'ssomething you as administrator decide to do or not depending on whatyou believe the risks to be, and what your tolerance for risk is.

The difference with Dom0 is that you are giving someone theopportunity to compromise not just the one 'machine', but potentiallya whole virtual rack of machines.

I'm with the other, for a production machine exposed to the big badinternet, then it makes sense to keep Dom0 lean and clean. Foreducation purposes and experimentation, I'd see nothing wrong withrunning your desktop in Dom0.

Just remember, there is no such thing as "no risk" or "safe". Youjust have to assess the risks and minimise them as far as isreasonable/practical for **your** application.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

References:
- [Xen-users] Should applications be running on Dom0
  - From: Brent Bolin
- RE: [Xen-users] Should applications be running on Dom0
  - From: Jonathan Tripathy
- RE: [Xen-users] Should applications be running on Dom0
  - From: Nathan Eisenberg
- RE: [Xen-users] Should applications be running on Dom0
  - From: Joseph M. Deming
- Re: [Xen-users] Should applications be running on Dom0
  - From: Jonathan Tripathy

Prev by Date: Re: [Xen-users] [resolved] xend does not start
Next by Date: Re: [Xen-users] Did anyone succeeded in installing xen 4.0.0 on Debian Lenny?
Previous by thread: Re: [Xen-users] Should applications be running on Dom0
Next by thread: RE: [Xen-users] Should applications be running on Dom0
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.