Hi all...

I'm a Xen newbie and was wondering about the merits of using Xen to segment off my private data from the prying eyes & fingers of Apache/PHP hackers (something that bit me recently). If I create several DOM's -- one for Apache, 1 for mail, 1 for pgsql and 1 for my private data, is that a good way to ensure that IF someone gets around Apache (for instance) that my private data will not be compromised? The server I've got is a quad Xeon Proliant running FC6

MTIA!!

-- Rick

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Nick Anderson
2009-Feb-17 20:55 UTC
Re: [Xen-users] Best way to use Xen to segment & protect
On Tue, Feb 17, 2009 at 12:06:53PM -0800, Rick Flower wrote:
> Hi all...
> I'm a Xen newbie and was wondering about the merits of using Xen to
> segment off my private data from the prying eyes & fingers of Apache/PHP
> hackers (something that bit me recently). If I create several DOM's --
> one for Apache, 1 for mail, 1 for pgsql and 1 for my private data, is
> that a good way to ensure that IF someone gets around Apache (for
> instance) that my private data will not be compromised? The server I've
> got is a quad Xeon Proliant running FC6
> MTIA!!
> -- Rick

It would make it just as secure as having it on a separate machine. However if your dom0 was compromised there is nothing standing in the way to compromise all domUs. Also if there are ever any domU root escalation issues someone attacking through your webserver would be able to escalate to dom0 and then have access to all of your virtual machines.

--
Nick Anderson <nick@anders0n.net>
http://www.cmdln.org
Rick Flower
2009-Feb-17 21:29 UTC
Re: [Xen-users] Best way to use Xen to segment & protect
On Feb 17, 2009, at 12:55 PM, Nick Anderson <nick@anders0n.net> wrote:
> On Tue, Feb 17, 2009 at 12:06:53PM -0800, Rick Flower wrote:
>> Hi all...
>> I'm a Xen newbie and was wondering about the merits of using Xen to
>> segment off my private data from the prying eyes & fingers of
>> Apache/PHP hackers (something that bit me recently). If I create
>> several DOM's -- one for Apache, 1 for mail, 1 for pgsql and 1 for my
>> private data, is that a good way to ensure that IF someone gets around
>> Apache (for instance) that my private data will not be compromised?
>> The server I've got is a quad Xeon Proliant running FC6
>> MTIA!!
>> -- Rick
> It would make it just as secure as having it on a separate machine.
> However if your dom0 was compromised there is nothing standing in the
> way to compromise all domUs. Also if there are ever any domU root
> escalation issues someone attacking through your webserver would be
> able to escalate to dom0 and then have access to all of your virtual
> machines.

Thanks for the info Nick... Regarding the root escalation mentioned above -- have there been issues with this in the past?

Also, I guess it would help to have the domU that Apache is using to have tools such as Tripwire and other related tools to keep things from getting too far...

If you're in a domU, can you tell that it's a virtual server? If not then perhaps it's less likely to break out and escalate to dom0...?

Is it possible to have a domU mount a different filesystem than dom0? Sorry for the numerous questions...

Thx!

-- Rick
Nick Anderson
2009-Feb-17 21:41 UTC
Re: [Xen-users] Best way to use Xen to segment & protect
On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
> Thanks for the info Nick... Regarding the root escalation mentioned
> above -- have there been issues with this in the past?

Yes I believe so
http://secunia.com/advisories/26986/

> Also, I guess it would help to have the domU that Apache is using to
> have tools such as Tripwire and other related tools to keep things from
> getting too far...

Inside a domU you would want any protections you would have on any other server.

> If you're in a domU, can you tell that it's a virtual server? If not
> then perhaps it's less likely to break out and escalate to dom0...?

Yes if it's a paravirtualized machine.

> Is it possible to have a domU mount a different filesystem than dom0?
> Sorry for the numerous questions...

Not quite sure what you mean here.

--
Nick Anderson <nick@anders0n.net>
http://www.cmdln.org
Hi Nick,

In which situation can domU root escalation result in escalation to dom0? If domU has no virtual NIC configured, will the threat still exist?

weiming

On Tue, Feb 17, 2009 at 4:41 PM, Nick Anderson <nick@anders0n.net> wrote:
> On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
> > Thanks for the info Nick... Regarding the root escalation mentioned
> > above -- have there been issues with this in the past?
> Yes I believe so
> http://secunia.com/advisories/26986/
> > Also, I guess it would help to have the domU that Apache is using to
> > have tools such as Tripwire and other related tools to keep things from
> > getting too far...
> Inside a domU you would want any protections you would have on any
> other server.
> > If you're in a domU, can you tell that it's a virtual server? If not
> > then perhaps it's less likely to break out and escalate to dom0...?
> Yes if it's a paravirtualized machine.
> > Is it possible to have a domU mount a different filesystem than dom0?
> > Sorry for the numerous questions...
> Not quite sure what you mean here.
>
> --
> Nick Anderson <nick@anders0n.net>
> http://www.cmdln.org
Rick Flower
2009-Feb-17 22:28 UTC
Re: [Xen-users] Best way to use Xen to segment & protect
On Feb 17, 2009, at 1:41 PM, Nick Anderson <nick@anders0n.net> wrote:
> On Tue, Feb 17, 2009 at 01:29:29PM -0800, Rick Flower wrote:
>> Thanks for the info Nick... Regarding the root escalation mentioned
>> above -- have there been issues with this in the past?
> Yes I believe so
> http://secunia.com/advisories/26986/

Thx... Interesting to read...

>> Also, I guess it would help to have the domU that Apache is using to
>> have tools such as Tripwire and other related tools to keep things
>> from getting too far...
> Inside a domU you would want any protections you would have on any
> other server.

Sounds reasonable...

>> If you're in a domU, can you tell that it's a virtual server? If not
>> then perhaps it's less likely to break out and escalate to dom0...?
> Yes if it's a paravirtualized machine.

Ahh... Those are the special CPU's with the special extension... Don't have one of them yet...

>> Is it possible to have a domU mount a different filesystem than dom0?
>> Sorry for the numerous questions...
> Not quite sure what you mean here.

I'm wondering if the dom0 could effectively only load the bare minimum in terms of filesystems that it needs to run the other domU's -- particularly if all critical services are being done in domU spaces (mail, pgsql, webapps, etc). That way each domU could mount the specific filesystems they need to work... This would perhaps allow me to have a special domU for my private data that perhaps mounts an encrypted filesystem that the others don't mount.. Obviously if that special f/s is mounted in dom0 then it doesn't really help if a security breach occurs -- perhaps...

Sorry ... Just thinking out loud...

-- Rick
Simon Hobson
2009-Feb-18 07:52 UTC
Re: [Xen-users] Best way to use Xen to segment & protect
Rick Flower wrote:
>>>Is it possible to have a domU mount a different filesystem than dom0?
>>>Sorry for the numerous questions...
>>Not quite sure what you mean here.
>
>I'm wondering if the dom0 could effectively only load the bare
>minimum in terms of filesystems that it needs to run the other
>domU's -- particularly if all critical services are being done in
>domU spaces (mail, pgsql, webapps, etc). That way each domU could
>mount the specific filesystems they need to work... This would
>perhaps allow me to have a special domU for my private data that
>perhaps mounts an encrypted filesystem that the others don't mount..
>Obviously if that special f/s is mounted in dom0 then it doesn't
>really help if a security breach occurs -- perhaps...

Dom0 and DomUs don't share a filesystem - unless you put some effort into it and run something like a clustering filesystem that allows multiple machines to share a volume. Dom0 has its own filesystems, each DomU has its own filesystems that look to it just like they were on real disks - they can be stored in a file on a Dom0 filesystem rather than having their own partition, but that's not the same as sharing a filesystem.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
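An added example, not part of the original thread or of Xen itself: a small Python audit of the storage layout discussed above, flagging any backing device that is attached to more than one domU with write access or that dom0 also has mounted. It assumes xm-style domU configs with a `disk = [...]` list and compares backend paths as literal strings; the domU names, device paths and mount table are constructed samples.

```python
import ast
from collections import defaultdict

# Constructed sample inputs (not from the thread): xm-style domU configs
# and a dom0 mount table in /proc/mounts format.
SAMPLE_CFGS = {
    "web": "disk = ['phy:/dev/sdb1,xvda1,w', 'phy:/dev/sdb3,xvdb1,r']",
    "private": "disk = ['phy:/dev/sdb3,xvda1,w']",
    "mail": "disk = ['file:/srv/xen/mail.img,xvda1,w']",
}
SAMPLE_DOM0_MOUNTS = "/dev/sda1 / ext3 rw 0 0\n/dev/sdb1 /mnt/web ext3 rw 0 0\n"


def parse_disks(cfg_text):
    """Return [(backend_path, mode)] from a config's `disk = [...]` list."""
    disks = []
    for node in ast.parse(cfg_text).body:  # parsed only, never executed
        if not isinstance(node, ast.Assign):
            continue
        if getattr(node.targets[0], "id", None) != "disk":
            continue
        for spec in ast.literal_eval(node.value):
            backend, _frontend, mode = (spec.split(",") + ["w"])[:3]
            path = backend.rsplit(":", 1)[-1]  # drop "phy:" / "file:" / "tap:aio:"
            disks.append((path.strip(), mode.strip()))
    return disks


def audit(domu_cfgs, dom0_mounts):
    """Flag backends shared writably between domUs or mounted in dom0."""
    users = defaultdict(list)
    for name, text in domu_cfgs.items():
        for path, mode in parse_disks(text):
            users[path].append((name, mode))
    mounted = {l.split()[0] for l in dom0_mounts.splitlines() if l.strip()}
    findings = []
    for path, attached in sorted(users.items()):
        names = sorted(n for n, _ in attached)
        if len(attached) > 1 and any(m.startswith("w") for _, m in attached):
            findings.append(("shared-writable", path, names))
        if path in mounted:
            findings.append(("mounted-in-dom0", path, names))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFGS, SAMPLE_DOM0_MOUNTS):
        print(finding)
```

On the sample data the private-data volume is reported because the web domU can also reach it, and the web root is reported because dom0 has it mounted; the file-backed mail image is clean.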