Hi,

I am planning to offer a hosted xen server within my locality. My
question is, is there any security issue that I should be aware of. I
am currently letting users choose which kernel they want to boot.

Is there any possibility, that with, say a recompiled kernel or kernel
module, a user can actually gain access to the Dom0?

Thank you

Azrul Rahim

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Azrul Rahim wrote:
> Hi,
>
> I am planning to offer a hosted xen server within my locality. My
> question is, is there any security issue that I should be aware of. I
> am currently letting users choose which kernel they want to boot.
>
> Is there any possibility, that with, say a recompiled kernel or kernel
> module, a user can actually gain access to the Dom0?
>
> Thank you
>
> Azrul Rahim
>

That would be a *SERIOUS* bug, and if anyone knew of such, we'd be reporting it pretty fast. There was a fascinating RHEL bug reported, in the use of pygrub, because pygrub would read the grub contents from the DomU at boot time and this created an interesting security risk for the pygrub program itself.

A much bigger risk is the standard co-location risk of "these machines I don't control are inside my network: how do I protect myself from them?".

Azrul Rahim wrote:
> I am planning to offer a hosted xen server within my locality. My
> question is, is there any security issue that I should be aware of. I
> am currently letting users choose which kernel they want to boot.
>
> Is there any possibility, that with, say a recompiled kernel or kernel
> module, a user can actually gain access to the Dom0?

Not that I am aware of. A risk of taking over mac addies spoofing IPs is, if you don't take the proper precautions. Such as ebtables.

Stefan
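
The ebtables precaution mentioned in the message above, as an added example that is not part of the original thread: a script that prints rules pinning one DomU interface to its assigned MAC and IPv4 address. It assumes bridged networking in Dom0, Xen's vifN.M interface naming and static addressing; the function names and sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: print ebtables anti-spoofing rules for one DomU interface.
# Nothing is applied here; review the output, then run it as root in Dom0.
# Assumes static addressing: the IPv4 rule also drops DHCP requests (src 0.0.0.0).

# True only if $1 is a single line matching extended regex $2. Rejecting
# embedded newlines matters because the output is meant to be fed to a shell.
matches() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$2"
}

valid_ipv4() {
    matches "$1" '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Usage: vif_antispoof_rules <vif> <mac> <ipv4>
# Negation placement follows the ebtables(8) synopsis ("[!] address").
vif_antispoof_rules() {
    vif=$1 mac=$2 ip=$3
    matches "$vif" '^vif[0-9]+\.[0-9]+$' || { echo "bad vif: $vif" >&2; return 1; }
    matches "$mac" '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }
    # INPUT covers frames addressed to Dom0 itself, FORWARD frames bridged onward.
    for chain in INPUT FORWARD; do
        echo "ebtables -A $chain -i $vif -s ! $mac -j DROP"
        echo "ebtables -A $chain -i $vif -p IPv4 --ip-src ! $ip -j DROP"
        echo "ebtables -A $chain -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
        echo "ebtables -A $chain -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
    done
}

# Constructed sample values (192.0.2.0/24 is a documentation range).
vif_antispoof_rules vif1.0 00:16:3e:00:00:01 192.0.2.10
```

The vif name contains the domain ID, which changes each time the DomU is started, so the rules have to be regenerated (and the old ones removed) on every start.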

> Hi,
>
> I am planning to offer a hosted xen server within my locality. My
> question is, is there any security issue that I should be aware of. I
> am currently letting users choose which kernel they want to boot.
>
> Is there any possibility, that with, say a recompiled kernel or kernel
> module, a user can actually gain access to the Dom0?

I've been developing Xen drivers for Windows, and I can tell you first hand that it is definitely possible to crash at least some versions of Xen by doing things wrong on a DomU. I'm talking about causing the machine to hang or to reboot.

Even now, with the PV drivers working nicely, when I bring up the PV network driver it will often kill all the tcp connections I have to Dom0. I can re-establish them almost immediately, but there's still the potential for a DomU to cause trouble. I'm not sure what the cause of this is, possibly just a problem of having the same MAC address in two locations causing the bridge to hiccup.

James

(cc'd back to the list... I assume that was your intent?)

> It might be safer if I explicitly specify the kernel outside the DomU
> and disable kernel module loading. Just wondering if this is overly
> paranoid

Probably not a lot of point. The sort of crashes I was seeing aren't something that someone will just stumble across by accident (unless they are doing driver development on your box). And if you are trying to prevent malicious activity, the malicious user could just load a kernel module anyway.

James

On Sun, Feb 03, 2008 at 10:09:08AM +0000, Nico Kadel-Garcia wrote:
> That would be a *SERIOUS* bug, and if anyone knew of such, we'd be
> reporting it pretty fast. There was a fascinating RHEL bug reported, in
> the use of pygrub, because pygrub would read the grub contents from the
> DomU at boot time and this created an interesting security risk for the
> pygrub program itself.

what ever happened to this, anyhow? did PyGrub start running fsck before it mounts the untrusted filesystems? or was the solution to fix http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497 such that linux doesn't panic on corrupted filesystems?

Why wouldn't pygrub run fsck on its target system anyhow? I mean, even if the user isn't being malicious, it's quite possible that the partition in question was shut down improperly.