[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] XCP: Insecure Distro ?




On 09/05/2011 21:41, Adrien Guillon wrote:
Hello mailing list!

I have been working with XCP a little bit, and I have the impression
that this distro is insecure.  First, it does not look like update
repositories are enabled inside /etc/yum.repos.d, although I'm from an
apt background so I may be misinterpreting that.  Where will my
security updates come from?

Next, it appears that the root password hash is directly stored inside
/etc/passwd, which is set to world-readable!  There does not appear to
be an /etc/shadow file at all.

Unfortunately I am dropping the distro entirely due to security
concerns, I hope that these problems can be fixed.

AJ


Hi AJ,

Since this is open software we are talking about, you are free to modify these settings. However, in my opinion, XCP is designed to be only accessed via the management software (The one used for the commercial Xen Server should work), so all your security generally comes from the fact that the VMs (DomUs) have no access to the XCP host OS (Dom0). I think the assumption is, that if you don't log in to XCP and execute binaries, then exploits won't occur.

Of course, I don't use XCP, and know little about it - I'm just using whatever common sense I have on the matter (in that if you don't have multiple users on the system, then world readable permissions don't matter).

But I'd be interested to hear what someone else more qualified on the matter has to say

Cheers


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.