WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] XCP: Insecure Distro ?

from [riki] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] XCP: Insecure Distro ?
From: riki <phobie@xxxxxxxx>
Date: Mon, 09 May 2011 23:16:09 +0200
Delivery-date: Mon, 09 May 2011 14:17:33 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <BANLkTinHQJ_eUtfk+4PQudpZX8ZpoEu1yg@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <BANLkTinHQJ_eUtfk+4PQudpZX8ZpoEu1yg@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20110307 Icedove/3.0.11
Well, you are right from the multi-user point of view regarding the passwd file, but XCP is designed as appliance, xe utility or something speaking xapi is a way of interfacing it, no user other than root should access dom0.
Updates - question of stability, i hope you do not want to risk reload of all your VM`s due to libc changes or something like that :). You need to update what? Xen hypervisor? Openvswitch, xapi toolstack? Everything should be locked down on lower levels (network access to dom0, physical access to appliances).
Try to change the point of view and stop looking at it as a standard multiuser linux enviroment. 

r.

On 05/09/2011 10:41 PM, Adrien Guillon wrote:

Hello mailing list!

I have been working with XCP a little bit, and I have the impression
that this distro is insecure.  First, it does not look like update
repositories are enabled inside /etc/yum.repos.d, although I'm from an
apt background so I may be misinterpreting that.  Where will my
security updates come from?

Next, it appears that the root password hash is directly stored inside
/etc/passwd, which is set to world-readable!  There does not appear to
be an /etc/shadow file at all.

Unfortunately I am dropping the distro entirely due to security
concerns, I hope that these problems can be fixed.

AJ

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] lost root password in guest, Robert Threet
Next by Date:  Re: [Xen-users] XCP: Insecure Distro ?, Adrien Guillon
Previous by Thread:  Re: [Xen-users] XCP: Insecure Distro ?, Jonathan Tripathy
Next by Thread:  Re: [Xen-users] XCP: Insecure Distro ?, Adrien Guillon
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy