
Re: [Xen-users] XCP: Insecure Distro ?


  • To: Adrien Guillon <aj.guillon@xxxxxxxxx>
  • From: Chris Petrolino <cpetrolino@xxxxxxxxx>
  • Date: Mon, 9 May 2011 17:51:09 -0400
  • Cc: "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 09 May 2011 14:53:16 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Do you know how many "commercial" Linux-based appliances there are out
there? How many of them follow the patch cycle of the Linux flavor
they are based on?

Have you offered the community any suggestions on how to improve the
security model of XCP? We are all ears.

As for updates not having the potential to break things, I strongly disagree.

Kind Regards,

Christopher James Petrolino


On May 9, 2011, at 5:30 PM, Adrien Guillon <aj.guillon@xxxxxxxxx> wrote:

> Security updates are common, and generally do not make major interface
> changes by design.  I have no desire to update anything aside from
> receiving fixes for buffer overflows, or other exploits that are found
> in the wild.  The system in question should be in production for
> several years, and security patches are inevitable during that period
> of time.
>
> It likely took some effort to eliminate /etc/shadow in the first
> place, as this has been standard practice for a very long time.  I
> will not debate the merits of storing hashes in /etc/passwd or
> /etc/shadow because that debate ended a very long time ago.  Quite
> simply this distro has a major security flaw.
>
>
> On Mon, May 9, 2011 at 5:16 PM, riki <phobie@xxxxxxxx> wrote:
>> Well, you are right from the multi-user point of view regarding the passwd
>> file, but XCP is designed as an appliance, xe utility or something speaking
>> xapi is a way of interfacing it, no user other than root should access dom0.
>>
>> Updates - question of stability, I hope you do not want to risk a reload of
>> all your VMs due to libc changes or something like that :).  You need to
>> update what? Xen hypervisor? Openvswitch, xapi toolstack? Everything should
>> be locked down on lower levels (network access to dom0, physical access to
>> appliances).
>>
>> Try to change the point of view and stop looking at it as a standard
>> multiuser Linux environment.
>>
>> r.
>>
>> On 05/09/2011 10:41 PM, Adrien Guillon wrote:
>>>
>>> Hello mailing list!
>>>
>>> I have been working with XCP a little bit, and I have the impression
>>> that this distro is insecure.  First, it does not look like update
>>> repositories are enabled inside /etc/yum.repos.d, although I'm from an
>>> apt background so I may be misinterpreting that.  Where will my
>>> security updates come from?
>>>
>>> Next, it appears that the root password hash is directly stored inside
>>> /etc/passwd, which is set to world-readable!  There does not appear to
>>> be an /etc/shadow file at all.
>>>
>>> Unfortunately I am dropping the distro entirely due to security
>>> concerns, I hope that these problems can be fixed.
>>>
>>> AJ
>>>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
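
The condition reported in the first message of this thread (a password hash in a world-readable /etc/passwd and no /etc/shadow) can be checked with a short audit. This is an added example, not part of the thread and not XCP code; the function names `audit_passwd` and `audit_host` and the sample entries are constructed for illustration.

```python
import os
import stat


def audit_passwd(lines, mode=None, shadow_exists=True):
    """Return (account, finding) tuples for passwd-format lines."""
    findings = []
    world_readable = mode is not None and bool(mode & stat.S_IROTH)
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#+-":   # blank, comment, or NIS compat entry
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw = fields[0], fields[1]
        body = pw.lstrip("!")              # "!" or "!!" prefix marks a locked account
        if pw == "":
            findings.append((name, "empty password field"))
        elif body in ("x", "*", ""):
            continue                       # hash is shadowed, or login is disabled
        else:
            # A locked ("!"-prefixed) hash is still disclosed to every reader.
            where = "world-readable file" if world_readable else "passwd file"
            findings.append((name, "password hash stored in " + where))
    if not shadow_exists:
        findings.append(("*", "no shadow file present"))
    return findings


def audit_host(passwd="/etc/passwd", shadow="/etc/shadow"):
    """Run the audit against the files on the local system."""
    with open(passwd) as fh:
        lines = fh.readlines()
    return audit_passwd(lines, os.stat(passwd).st_mode, os.path.exists(shadow))


# Constructed sample entries; the hash string is a placeholder, not a real hash.
SAMPLE = [
    "root:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE00:0:0:root:/root:/bin/bash",
    "bin:*:1:1:bin:/bin:/sbin/nologin",
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin",
]

if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE, 0o100644, shadow_exists=False):
        print(account, "-", finding)
```
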


 

