This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] domU kernel

It's funny, my test installation just got hacked. I had a idiot password for domU and somebody uploaded a suKit 1.3
and I also found trace of adding a user (www) in dom0 and trying to change pathes with PATH=:.: plus doing an FTP
connection from dom0 (history of root in dom0, showed "ftp hackers.home.domain").
Ok I can confirm, that dom0 can be exposed to hacking by putting the kernel into domU.

Now the big question is: how can I install a Centos domU on Centos dom0 and have the kernel OUTSIDE domU ?

..and has already somebody installed xen-shell on Centos 5 dom0 ?


Christian Horn wrote:
On Sun, Oct 14, 2007 at 08:49:19PM -0400, IDAGroup - R.W.Muller wrote:
Wow, if that is true then is CentOS making a big mistake.

Nah, they probably took the pros and cons into account and then made 
the same decision as suse did for SLES: put it all into the discfile.
Xen needs a bit more work than vmware, and this is a step to make the
handling of domUs simpler.

Steve Wray wrote:
You forgot the con.

cons: Security. You now have a domU in which a local exploit could 
result in code being executed in dom0 at the next boot of that domU. 
By the way, this actually happened. See CVE-2007-4993
Right, its a con. Just couldnt think of at the time of writing ;)


Xen-users mailing list
<Prev in Thread] Current Thread [Next in Thread>