Re: [Xen-devel] severe security issue on dom0/xend/xm/non-root users
Hi Rik,

On Sun, Mar 06, 2005 at 04:14:24PM -0500, Rik van Riel wrote:
> On Sun, 6 Mar 2005, Tommi Virtanen wrote:
> > That's not good design. I sincerely think access to any confidential
> > or security conscious part of xen should be limited, e.g. with a
> > unix domain socket located in a directory only readable by a certain
> > group.
>
> Good point, then we could use filesystem permissions
> and/or selinux policy to restrict who gets access to
> xend.

Why not just require the other end of the socket to be below 1024?
If you bind to localhost, that should be enough.
xm would then use a privileged socket if it can (i.e. if called as
root).

Using an selinux policy for this would be aiming cannons at sparrows
(German saying, in English that's breaking a fly on the wheel).

> > Note that if there are harmless xm commands (xm list and so on), they
> > could be allowed for all users in dom0.
>
> This would require either access permission checks inside
> xend, or a separate socket for only unprivileged operations.

Then defer the client[1] port check to the command parser.

Regards,
-- 
Kurt Garloff <kurt@xxxxxxxxxx> [Koeln, DE]
Physics:Plasma modeling <garloff@xxxxxxxxxxxxxxxxxxx> [TU Eindhoven, NL]
Linux: SUSE Labs (Director) <garloff@xxxxxxx> [Novell Inc]
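
The scheme proposed in this message, as an added example that is not code from the thread or from xend: a loopback-only listener whose command parser applies the client[1] source-port check only to commands that need privilege. The function names, reply strings and the "destroy" command used as the privileged case are assumptions; the check presumes the operating system lets only root bind ports below 1024.

```python
import socket

PRIVILEGED_PORT_LIMIT = 1024      # binding a port below this needs root
# Assumed split: the thread names only "xm list" as harmless.
UNPRIVILEGED_COMMANDS = {"list"}


def is_privileged_peer(client):
    """client is the (host, port) pair from accept(); client[1] is the port."""
    host, port = client[0], client[1]
    # Only a loopback peer counts: a remote host controls its own ports.
    return host == "127.0.0.1" and 0 < port < PRIVILEGED_PORT_LIMIT


def parse_command(line, client):
    """Command parser that applies the port check per command."""
    words = line.split()
    if not words:
        return "ERR empty command"
    command = words[0]
    if command in UNPRIVILEGED_COMMANDS or is_privileged_peer(client):
        return "OK " + command
    return "DENIED " + command


def serve_one(listener):
    """Accept one connection, answer one command line, then close it."""
    conn, client = listener.accept()
    with conn, conn.makefile("r") as reader:
        reply = parse_command(reader.readline(), client)
        conn.sendall((reply + "\n").encode())


def open_listener(port=0):
    """Loopback-only listener; port 0 lets the kernel pick (constructed value)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)
    return listener


if __name__ == "__main__":
    # Constructed peers: one root-bound source port, one ephemeral port.
    for peer in (("127.0.0.1", 1023), ("127.0.0.1", 40000)):
        for cmd in ("list", "destroy vm1"):
            print(peer, cmd, "->", parse_command(cmd, peer))
```

The port check says nothing about the peer once the listener is reachable from another host or once the system's unprivileged port floor has been lowered, which is why the sketch also requires a loopback peer address.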