xen-devel

[Top] [All Lists]

Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to Q

from [Daniel P. Berrange]

[Permanent Link][Original]

To:	Christian Limpach <Christian.Limpach@xxxxxxxxxxxxx>
Subject:	Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server
From:	"Daniel P. Berrange" <berrange@xxxxxxxxxx>
Date:	Tue, 27 Mar 2007 22:18:26 +0100
Cc:	xen-staging@xxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Tue, 27 Mar 2007 14:17:26 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
In-reply-to:	<0326530267625D42A4E36594FDD0D1432EBA8A@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<200703271524.l2RFOMNg003926@xxxxxxxxxxxxxxxxxxxxxxx> <0326530267625D42A4E36594FDD0D1432EBA8A@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to:	"Daniel P. Berrange" <berrange@xxxxxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent:	Mutt/1.4.1i

On Tue, Mar 27, 2007 at 02:06:42PM -0700, Christian Limpach wrote:
> > hvm: Remove access to QEMU monitor in VNC server
> > 
> > This fixes a RHEL5 errata and CVE-2007-0998.
> > 
> > The monitor is still accessible in debug builds of ioemu (debug=y).
> > 
> > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> 
> This change is quite weird since it doesn't disable monitor access when
> using SDL.

Well SDL isn't exposed to the network directly - to access the monitor
via the SDL console, you'd need to first access the X server desktop in
question. Unprivileged local users, or remote user can't typically get 
access to X desktop of the person who started the VM, so its not neccessary
to disable it.

> Also, the additional virtual consoles can be used for giving access to
> things without security implications, like serial ports.

The console enables the users to map the virtual serial port onto a physical
device. Not a huge issue, but still basically a privilege escalation because
it lets users access hardware they'd not otherwise be able to.

> I think a much better fix for the security issue would be to change the
> default monitor output not to be a virtual console.

Yes, long term I expect that if we want to avoid Xen forking still further
from QEMU then we'll need XenD itself to own the monitor channel, because
the monitor is becoming the official way to reconfig stuff on the fly. So
if XenD redirected the monitor to a STDIN/SDOUT then it could safely have
complete control over it & not expose it to the user. This is the approach
we already take in libvirt for managing QEMU & KVM guests & it works quite
well. I didn't do that myself because its much more work & I was prioritizing
the security fix. 

NB, this fix is slightly different from what we actually put in RHEL. The
RHEL version removed the code completely - this version allows it to be
toggled at build time because Keir wanted to keep access for developers
who are doing debugging of HVM guests.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Daniel P. Berrange <= RE: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Daniel P. Berrange RE: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Daniel P. Berrange [Xen-devel] Re: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Anthony Liguori [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach [Xen-devel] Re: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Anthony Liguori

Previous by Date:	[Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach
Next by Date:	[Xen-devel] Please pull xen-ia64-unstable.hg, Alex Williamson
Previous by Thread:	[Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach
Next by Thread:	RE: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server, Christian Limpach
Indexes:	[Date] [Thread] [Top] [All Lists]