Just a quick question regarding the security of a Xen host.

Are there any security implications I need to be aware of if I allow a Xen-U host to use kernel modules? I've mainly used UML in the past, where a user could easily read files on the host machine's filesystem.

Is it safe to allow people to run with modules allowed?

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

> -----Original Message-----
> From: xen-devel-admin@lists.sourceforge.net [mailto:xen-devel-admin@lists.sourceforge.net] On Behalf Of Phillip Mumford
> Sent: 19 January 2005 14:39
> To: xen-devel@lists.sourceforge.net
> Subject: [Xen-devel] Xen Security
>
> Just a quick question regarding the security of a Xen host.
>
> Are there any security implications I need to be aware of if I allow a
> Xen-U host to use kernel modules? I've mainly used UML in past, where
> a user could easily read files on the host machines filesystem.
>
> Is it safe to allow people to run with modules allowed?

Xen provides stronger isolation than UML, and kernel modules in a VM should only be able to compromise the resources that that VM has access to (e.g. its filespace), but not other VMs.

rolf

On 20 Jan 2005, at 11:00, Neugebauer, Rolf wrote:

>> -----Original Message-----
>> From: xen-devel-admin@lists.sourceforge.net [mailto:xen-devel-admin@lists.sourceforge.net] On Behalf Of Phillip Mumford
>> Sent: 19 January 2005 14:39
>> To: xen-devel@lists.sourceforge.net
>> Subject: [Xen-devel] Xen Security
>>
>> Just a quick question regarding the security of a Xen host.
>>
>> Are there any security implications I need to be aware of if I allow a
>> Xen-U host to use kernel modules? I've mainly used UML in past, where
>> a user could easily read files on the host machines filesystem.
>>
>> Is it safe to allow people to run with modules allowed?
>
> Xen provides stronger isolation than UML and kernel modules in a VM
> should only be able to compromise the resources that that VM has access
> to (eg its filespace) but not other VMs

But to further prevent security issues inside that domain, disable, if you can, modules and, to some extent, sysctl support.

Phillip Mumford wrote:

> Is it safe to allow people to run with modules allowed?

Yes. See earlier discussions on the list for specifics if needed.

-- 
Naked