Hi,

I would like to give users access to xm console to their domain. I am using xen 2.0.7 and don't really want to upgrade this server to 3.0 just yet.

Has anyone done this? Does anyone have any tips? Are there any security issues with doing this? Beyond the usual that it's going to require at least some access to dom0 which is potentially risky..

Thanks,
Andy

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Andy Smith wrote:
> I would like to give users access to xm console to their domain. I
> am using xen 2.0.7 and don't really want to upgrade this server to
> 3.0 just yet.
>
> Has anyone done this? Does anyone have any tips? Are there any
> security issues with doing this? Beyond the usual that it's going
> to require at least some access to dom0 which is potentially risky..

I've gone to the length of adding code to my custom domU provisioning script to set up a plain user for each created domain, with the GECOS field containing the full name of the domain to attach to. Each of them is a member of a group (I call it 'vscons'). I assign these users a shell of /usr/local/bin/xencons-sh, which contains the following:

#!/bin/bash

# Look up the invoking user's passwd entry, take the GECOS field (field 5),
# and attach to the console of the domain named there.
/usr/sbin/xm console $(getent passwd $(id -u) | cut -d ':' -f 5)

That way, the users in question can't do anything other than attach to the console of their Xen instance, and disconnection means immediate logout.

Keep in mind that Xen 3 requires a different script, as the domU consoles are done quite differently than they were in 2.0.x.

--
Derrik Pates
demon@devrandom.net
Dear Andy,

You can refer to the xen wiki for how to go about assigning ports to domains: http://wiki.xensource.com/xenwiki/XenFaq (Question 7.2)

Since in xen 2.0, vifnames can be constant and defined through the config file, the above solution works pretty well. After the setup just do a telnet hostip port and you should see the domX console.

On 1/2/06, Andy Smith <andy@strugglers.net> wrote:
>
> I would like to give users access to xm console to their domain. I
> am using xen 2.0.7 and don't really want to upgrade this server to
> 3.0 just yet.
>
> Has anyone done this? Does anyone have any tips? Are there any
> security issues with doing this? Beyond the usual that it's going
> to require at least some access to dom0 which is potentially risky..
>

regards,
Anand
Dear Derrik,

Would you mind sharing your custom script?

On 1/2/06, Derrik Pates <demon@devrandom.net> wrote:
>
> I've gone to the length of adding code to my custom domU provisioning
> script to set up a plain user for each created domain, with the GECOS
> field containing the full name of the domain to attach to. Each of them
> is a member of a group (I call it 'vscons'). I assign these users a
> shell of /usr/local/bin/xencons-sh, which contains the following:
>
> #!/bin/bash
>
> /usr/sbin/xm console $(getent passwd $(id -u) | cut -d ':' -f 5)
>
> That way, the users in question can't do anything other than attach to
> the console of their Xen instance, and disconnection means immediate
> logout.
>
> Keep in mind that Xen 3 requires a different script, as the domU
> consoles are done quite differently than they were in 2.0.x.
>

Thanks for the nice script.

regards,
Anand
Anand wrote:
> Would you mind sharing your custom script?

The script I wrote for handling the "virtual serial console" setup with Xen 3 is as follows:

---- BEGIN SCRIPT ----
#!/usr/bin/perl
use English;

# Fixed, trusted PATH for the setuid environment.
$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin';

die("This script must be setuid root") if $EUID != 0;

# The domain name lives in the GECOS field of the real (invoking) user.
$instname = (getpwuid($UID))[6];

# Untaint: accept only a plain domain name, refuse anything else.
($real_instname) = $instname =~ /^([a-z0-9\._\-]+)$/i;
die("No valid domain name in GECOS field") unless defined $real_instname;

print "*** Entering console, press Ctrl-] to detach ***\n";
system('/usr/sbin/xm', 'console', $real_instname);
print "\n*** Console detached ***\n";
---- END SCRIPT ----

I installed this script as /usr/local/bin/xencons-sh, owned by user root, group vscons, mode 4750. This allows just the users in group vscons (for whom this should be their shell anyway) to run it, preventing anyone else from doing untoward things with the script. Make sure that you install your distribution's package containing suidperl ("perl-suid" on Debian), as this script must run setuid root, otherwise it won't be able to open the console.

--
Derrik Pates
demon@devrandom.net
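As an added example (not Derrik's script, and not part of the thread), here is the GECOS lookup and name validation that both of Derrik's wrappers depend on, written as POSIX sh functions that take a passwd(5) line so the accept/reject behaviour can be checked on constructed entries without a Xen host. The file name xencons-sh, the group vscons and the sample user names are assumptions.

```shell
#!/bin/sh
# Added example: GECOS-to-domain lookup for an xm console wrapper.
# Field 5 of the passwd line is the domain name; it is accepted only if it
# consists of [A-Za-z0-9._-], the same character set the Perl wrapper
# untaints with. Spaces, ';', '$', commas and an empty GECOS are rejected,
# so nothing but a plain domain name can ever reach "xm console".

# domain_from_passwd_line LINE -> prints the validated name; exit 1 if invalid
domain_from_passwd_line() {
    name=$(printf '%s\n' "$1" | cut -d ':' -f 5)
    case "$name" in
        '')                 return 1 ;;   # empty GECOS: nothing to attach to
        *[!A-Za-z0-9._-]*)  return 1 ;;   # contains a forbidden character
    esac
    printf '%s\n' "$name"
}

# domain_for_uid UID -> same lookup against the live passwd database
domain_for_uid() {
    line=$(getent passwd "$1") || return 1
    domain_from_passwd_line "$line"
}

# Constructed sample passwd entries (not taken from any real host).
GOOD_LINE='bob:x:1001:1001:vm-bob-web:/home/bob:/usr/local/bin/xencons-sh'
BAD_LINE='eve:x:1002:1002:vm-eve; id:/home/eve:/usr/local/bin/xencons-sh'
GECOS_COMMA='carol:x:1003:1003:Carol Jones,,,:/home/carol:/bin/sh'

# When installed as the users' login shell (assumed name xencons-sh),
# attach to the validated domain and replace the shell with xm, so that
# detaching from the console ends the session.
if [ "$(basename "$0")" = "xencons-sh" ]; then
    dom=$(domain_for_uid "$(id -u)") || {
        echo 'No valid domain name in GECOS field' >&2
        exit 1
    }
    exec /usr/sbin/xm console "$dom"
fi
```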
On Mon, Jan 02, 2006 at 01:15:58AM -0500, Derrik Pates wrote:
> I've gone to the length of adding code to my custom domU provisioning
> script to set up a plain user for each created domain, with the GECOS
> field containing the full name of the domain to attach to. Each of them
> is a member of a group (I call it 'vscons'). I assign these users a
> shell of /usr/local/bin/xencons-sh, which contains the following:
>
> #!/bin/bash
>
> /usr/sbin/xm console $(getent passwd $(id -u) | cut -d ':' -f 5)

Thanks Derrik. That's pretty much what I'd come up with too, although I didn't think of using the GECOS field that way. That's going to be a useful stop-gap idea until I get around to implementing LDAP or something, as there are now so many things that the users need to log into...