WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

RE: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor in VNC server

To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Subject: RE: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor in VNC server
From: "Christian Limpach" <Christian.Limpach@xxxxxxxxxxxxx>
Date: Tue, 27 Mar 2007 14:32:00 -0700
Cc: xen-staging@xxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20070327211826.GD3126@xxxxxxxxxx>
References: <200703271524.l2RFOMNg003926@xxxxxxxxxxxxxxxxxxxxxxx> <0326530267625D42A4E36594FDD0D1432EBA8A@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <20070327211826.GD3126@xxxxxxxxxx>
> From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx]
>
> Well SDL isn't exposed to the network directly - to access the monitor
> via the SDL console, you'd need to first access the X server desktop in
> question. Unprivileged local users, or remote users, can't typically get
> access to the X desktop of the person who started the VM, so it's not
> necessary to disable it.

What about the unprivileged local user using the X desktop?

> The console enables the users to map the virtual serial port onto a
> physical device. Not a huge issue, but still basically a privilege
> escalation because it lets users access hardware they'd not otherwise
> be able to.

?? You get access to the guest's serial port through a virtual console in
VNC/SDL; how is that a privilege escalation?

Don't you think that having the monitor (and the serial port) not
exposed by default through VNC/SDL is a sufficient and more flexible fix
for the security issue?

    Christian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel