WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Should applications be running on Dom0

from [Simon Hobson] [Permanent Link][Original]
To: Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Should applications be running on Dom0
From: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Date: Wed, 18 Aug 2010 07:48:02 +0100
Cc:
Delivery-date: Tue, 17 Aug 2010 23:58:42 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C6AF9AD.505@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTik_z=795d6SMJMLvvEwO-xcBXZoFCVdXr9bo1hy@xxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F0AFE3E@xxxxxxxxxxxxxxxxxxx> <8C26A4FDAE599041A13EB499117D3C28164832D6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1282076412.2362.134.camel@xxxxxxxxxxxxxxxxxxxxxxxx> <4C6AF9AD.505@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
Joseph M. Deming wrote:


1)  Applications running on DomO could, theoretically, compromise
security between the Dom0 boxes and the DomU's by providing further
handles that could be leveraged if a security loophole is exploited in
Xen.  In other words, by keeping the DomO as a nice clean, minimal
install you minimize the vector of attacks possible that would be
possible by gaining access to the Dom0 kernel or communication between
Dom0's and DomU devices.


At 22:05 +0100 17/8/10, Jonathan Tripathy wrote:
Much more simple: Dom0 has access to all disks of all DomUs - no exploits required :)
Indeed, there is no "theoretically" involved. Anything running on Dom0 has access to everything - it can shut down a DomU, it can alter the contents of their disks as well as read them.
So in a way the argument is the same as for running services chroot'd on a single server - if they get compromised then it limits the damage they can do. It's not something you **must** do, it's something you as administrator decide to do or not depending on what you believe the risks to be, and what your tolerance for risk is.
The difference with Dom0 is that you are giving someone the opportunity to compromise not just the one 'machine', but potentially a whole virtual rack of machines.
I'm with the other, for a production machine exposed to the big bad internet, then it makes sense to keep Dom0 lean and clean. For education purposes and experimentation, I'd see nothing wrong with running your desktop in Dom0.
Just remember, there is no such thing as "no risk" or "safe". You just have to assess the risks and minimise them as far as is reasonable/practical for **your** application. 

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] [resolved] xend does not start, Olivier B.
Next by Date:  Re: [Xen-users] Did anyone succeeded in installing xen 4.0.0 on Debian Lenny?, Jean Baptiste FAVRE
Previous by Thread:  Re: [Xen-users] Should applications be running on Dom0, Jonathan Tripathy
Next by Thread:  RE: [Xen-users] Should applications be running on Dom0, Jeff Sturm
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy