Re: [Xen-users] XCP: Insecure Distro ?
I don't think anyone is intentionally trying to be a flamer here, but I also don't think it is the most productive to send a message to the list that says "XCP is missing X and Y so I'm not going to use it." I too have found several things that are important to me lacking from XCP, but I also see the amazing potential and appreciate all the hard work that has been put into it so far.

Anyway, back to what the OP brought up:

1. /etc/shadow is still not present in XenServer 5.6 FP1 as far as I can tell. See here: http://forums.citrix.com/message.jspa?messageID=1552977

2. It certainly would be nice to see dedicated XCP repositories created, but my hunch is that there are probably a lot of reasons why it hasn't happened yet.

On Mon, May 9, 2011 at 8:26 PM, Randy Katz <rkatz@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Why is flaming always the first line with you people? He brought up 2 very
> important issues in the form of questions which should be addressed:
>
> 1. Security flaw in XCP?
> 2. Where are the patches/updates going to come from and how?
>
> If you want to flame someone go ahead and flame me, but Adrien's questions
> seem sincere and important!
>
> Regards,
> Randy Katz
>
> On 5/9/2011 2:51 PM, Chris Petrolino wrote:
>> Do you know how many "commercial" Linux based appliances there are out
>> there? How many of them follow the patch cycle of the Linux flavor
>> they are based on?
>>
>> Have you offered the community any suggestions on how to improve the
>> security model of XCP? We are all ears.
>>
>> As for updates not having the potential to break things, I strongly
>> disagree.
>>
>> Kind Regards,
>>
>> Christopher James Petrolino
>>
>> On May 9, 2011, at 5:30 PM, Adrien Guillon <aj.guillon@xxxxxxxxx> wrote:
>>> Security updates are common, and generally do not make major interface
>>> changes by design. I have no desire to update anything aside from
>>> receiving fixes for buffer overflows, or other exploits that are found
>>> in the wild. The system in question should be in production for
>>> several years, and security patches are inevitable during that period
>>> of time.
>>>
>>> It likely took some effort to eliminate /etc/shadow in the first
>>> place, as this has been standard practice for a very long time. I
>>> will not debate the merits of storing hashes in /etc/passwd or
>>> /etc/shadow because that debate ended a very long time ago. Quite
>>> simply this distro has a major security flaw.
>>>
>>> On Mon, May 9, 2011 at 5:16 PM, riki <phobie@xxxxxxxx> wrote:
>>>> Well, you are right from the multi-user point of view regarding the
>>>> passwd file, but XCP is designed as an appliance; the xe utility or
>>>> something speaking xapi is a way of interfacing with it, and no user
>>>> other than root should access dom0.
>>>>
>>>> Updates - question of stability, I hope you do not want to risk reload
>>>> of all your VMs due to libc changes or something like that :). You need
>>>> to update what? Xen hypervisor? Openvswitch, xapi toolstack? Everything
>>>> should be locked down on lower levels (network access to dom0, physical
>>>> access to appliances).
>>>>
>>>> Try to change the point of view and stop looking at it as a standard
>>>> multiuser Linux environment.
>>>>
>>>> r.
>>>>
>>>> On 05/09/2011 10:41 PM, Adrien Guillon wrote:
>>>>> Hello mailing list!
>>>>>
>>>>> I have been working with XCP a little bit, and I have the impression
>>>>> that this distro is insecure. First, it does not look like update
>>>>> repositories are enabled inside /etc/yum.repos.d, although I'm from an
>>>>> apt background so I may be misinterpreting that. Where will my
>>>>> security updates come from?
>>>>>
>>>>> Next, it appears that the root password hash is directly stored inside
>>>>> /etc/passwd, which is set to world-readable! There does not appear to
>>>>> be an /etc/shadow file at all.
>>>>>
>>>>> Unfortunately I am dropping the distro entirely due to security
>>>>> concerns, I hope that these problems can be fixed.
>>>>>
>>>>> AJ
>>>>>
>>>>> _______________________________________________
>>>>> Xen-users mailing list
>>>>> Xen-users@xxxxxxxxxxxxxxxxxxx
>>>>> http://lists.xensource.com/xen-users
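The three things the thread argues about (a hash sitting in a world-readable passwd file, a missing or loosely permissioned shadow file, and whether any yum repository is enabled) can each be checked mechanically on a dom0 before deciding anything. The script below is an added example, not code from the thread or from the XCP project; the passwd, shadow and .repo contents it feeds itself are constructed here so it runs offline, and the file names and the hash value are made up. On a real host, point the functions at /etc/passwd, /etc/shadow and /etc/yum.repos.d instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit passwd hashes, shadow file state,
# and enabled yum repositories. Sample data below is constructed, not captured.

# Print accounts whose second passwd field holds something other than the shadow
# placeholder "x" or a pure lock marker ("*", "!", "!!", "*LK*"). A locked but
# present hash such as "!$6$..." is still flagged, because the hash still leaks.
# (An empty field 2 means a passwordless account; that is a separate check.)
hashes_in_passwd() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]+$/ && $2 != "*LK*" { print $1 }' "$1"
}

# Report the shadow file's state: "missing", "ok" (no group/other bits), or the
# group/other permission string from ls(1) when anyone but the owner has access.
shadow_status() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }
    go=$(ls -ld "$f" | cut -c5-10)
    case "$go" in
        ------) echo ok ;;
        *) echo "group/other access: $go" ;;
    esac
}

# Print "<file>:<section>" for every repo stanza with enabled=1 (or true/yes)
# under a yum.repos.d-style directory. No output means no update source at all.
enabled_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" -F= '
            /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec); next }
            /^[[:space:]]*enabled[[:space:]]*=/ {
                v = $2; gsub(/[[:space:]]/, "", v)
                if (v == "1" || v == "true" || v == "yes") print file ":" sec
            }' "$f"
    done
}

# --- constructed sample data (hypothetical file names, made-up hash) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Layout the OP described: the root hash directly in passwd.
cat > "$tmp/passwd_xcp" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF
# Conventional shadowed layout.
cat > "$tmp/passwd_shadowed" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF
: > "$tmp/shadow_600"; chmod 600 "$tmp/shadow_600"
: > "$tmp/shadow_644"; chmod 644 "$tmp/shadow_644"
mkdir "$tmp/yum.repos.d"
cat > "$tmp/yum.repos.d/sample.repo" <<'EOF'
[base]
name=Base (hypothetical)
baseurl=http://repo.example.invalid/base
enabled=0

[extras]
name=Extras (hypothetical)
baseurl=http://repo.example.invalid/extras
enabled = 1
EOF

echo "hashes in passwd_xcp:      $(hashes_in_passwd "$tmp/passwd_xcp")"
echo "hashes in passwd_shadowed: $(hashes_in_passwd "$tmp/passwd_shadowed")"
echo "shadow_600:                $(shadow_status "$tmp/shadow_600")"
echo "shadow_644:                $(shadow_status "$tmp/shadow_644")"
echo "no shadow file:            $(shadow_status "$tmp/no_such_file")"
echo "enabled repos:             $(enabled_repos "$tmp/yum.repos.d")"
```

The shadow check is deliberately strict: "ok" means no group or other bits at all, so a Debian-style root:shadow 0640 file is reported as group access and has to be judged against the group's membership. The repository check only says whether a stanza is enabled; it says nothing about whether the URL still serves security updates, which was the other half of the OP's question.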