[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Best way to use Xen to segment & protect
On Feb 17, 2009, at 1:41 PM, Nick Anderson <nick@xxxxxxxxxxxx> wrote: On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:Thanks for the info Nick... Regarding the root escalation mentioned above -- have there been issues with this in the past?Yes I believe so http://secunia.com/advisories/26986/ Thx... Interesting to read... Also, I guess it would help to have the domU that Apache is using tohave tools such as Tripwire and other related tools to keep thing fromgetting too far...Inside a domU you would want any protections you would have on any other server. Sounds reasonable... Ahh... Those are the special CPU's with the special extension... Don't have one of them yet...If you're in a domU, can you tell that it's a virtual server? If not then perhap it's less likely to break out and escalate to dom0...?Yes if its a paravirtualized machine. Is it possible to have a domU mount a different filesystem than dom0? Sorry for the numerous questions...Not quite sure what you mean here. I'm wondering if the dom0 could effectively only load the bare minimum in terms of filesystems that it needs to run the other domU's -- particularly if all critical services are being done in domU spaces (mail, pgsql, webapps,etc). That way each domU could mount the specific filesystems they need to work... This would perhaps allow me to have a special domU for my private data that perhap mounts an encrypted filesystem that the others don't mount.. Obviously if that special f/s is mounted in dom0 then it doesn't really help if a security breach occurs -- perhaps... Sorry ... Just thinking outloud... -- Rick _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |