WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] XCP: Insecure Distro ?

To: Randy Katz <rkatz@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] XCP: Insecure Distro ?
From: Christopher J Petrolino <cpetrolino@xxxxxxxxx>
Date: Mon, 9 May 2011 21:40:28 -0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 09 May 2011 18:42:13 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=sBBLDd2J7QVxL23URmHuLT/4uAr+u9/tZ/UXmu21jF0=; b=xjaiGywIWj2cSmsq8RVpzr/4YUVgCDY2KjVszTOjHILKub6EbUnJeRdWHJ9rtKwJVk ATswJ7EPHoBWg6KXBkOyM1PUyW/FtJsbN13OiXQjPga/r9oK89MaXNao6qkPWjoXjUJo oVHK9GSGmUJDORe+7J7zo9HWKhhchXfREPYvM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=Ualu3VXA8OXZnhkvQZrV19m5FQLWBHtg3+ZYPFIOBNlwa23vHAcK4ZmECxu3ejxgWI mEwbxevvj6UF3vYzXivI8CZqQltvLKM5Q5awa31T9a3BPhdyxVuISzBF0BiVZD9gPer3 N/TqFjo8k6qKZKAsRXr6fu69nFIYD+KEsbCE4=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4DC88632.1070100@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <BANLkTinHQJ_eUtfk+4PQudpZX8ZpoEu1yg@xxxxxxxxxxxxxx> <4DC85999.8020407@xxxxxxxx> <BANLkTi=jZGRZ=w+tFBxD0pJ5WKYuirPuRw@xxxxxxxxxxxxxx> <1549157327245455469@unknownmsgid> <4DC88632.1070100@xxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
I don't think anyone is intentionally trying to be a flamer here, but I
also don't think it is the most productive to send a message to the
list that says "XCP is missing X and Y so I'm not going to use it." I
too have found several things that are important to me lacking from
XCP, but I also see the amazing potential and appreciate all the hard
work that has been put into it so far. Anyway, back to what the OP
brought up:

1. /etc/shadow is still not present in XenServer 5.6 fp1 as far as I
can tell. See here -
http://forums.citrix.com/message.jspa?messageID=1552977

2. It certainly would be nice to see dedicated XCP repositories
created, but my hunch is that there are probably a lot of reasons why
it hasn't happened yet.



On Mon, May 9, 2011 at 8:26 PM, Randy Katz <rkatz@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Why is flaming always the first line with you people? He brought up 2 very
> important issues in the form of questions which should be addressed:
>
> 1. Security flaw in XCP?
> 2. Where are the patches/updates going to come from and how?
>
> If you want to flame someone go ahead and flame me, but Adrien's questions
> seem sincere and important!
>
> Regards,
> Randy Katz
>
> On 5/9/2011 2:51 PM, Chris Petrolino wrote:
>>
>> Do you know how many "commercial" Linux based appliances there are out
>> there? How many of them follow the patch cycle of the Linux flavor
>> they are based on?
>>
>> Have you offered the community any suggestions on how to improve the
>> security model of XCP? We are all ears.
>>
>> As for updates not having the potential to break things, I strongly
>> disagree.
>>
>> Kind Regards,
>>
>> Christopher James Petrolino
>>
>>
>> On May 9, 2011, at 5:30 PM, Adrien Guillon <aj.guillon@xxxxxxxxx> wrote:
>>
>>> Security updates are common, and generally do not make major interface
>>> changes by design.  I have no desire to update anything aside from
>>> receiving fixes for buffer overflows, or other exploits that are found
>>> in the wild.  The system in question should be in production for
>>> several years, and security patches are inevitable during that period
>>> of time.
>>>
>>> It likely took some effort to eliminate /etc/shadow in the first
>>> place, as this has been standard practice for a very long time.  I
>>> will not debate the merits of storing hashes in /etc/passwd or
>>> /etc/shadow because that debate ended a very long time ago.  Quite
>>> simply this distro has a major security flaw.
>>>
>>>
>>> On Mon, May 9, 2011 at 5:16 PM, riki <phobie@xxxxxxxx> wrote:
>>>>
>>>> Well, you are right from the multi-user point of view regarding the passwd
>>>> file, but XCP is designed as an appliance; the xe utility or something speaking
>>>> xapi is a way of interfacing with it, and no user other than root should access
>>>> dom0.
>>>>
>>>> Updates: a question of stability. I hope you do not want to risk a reload of
>>>> all your VMs due to libc changes or something like that :). You need to
>>>> update what? Xen hypervisor? Openvswitch, xapi toolstack? Everything should
>>>> be locked down on lower levels (network access to dom0, physical access to
>>>> appliances).
>>>>
>>>> Try to change the point of view and stop looking at it as a standard
>>>> multi-user Linux environment.
>>>>
>>>> r.
>>>>
>>>> On 05/09/2011 10:41 PM, Adrien Guillon wrote:
>>>>>
>>>>> Hello mailing list!
>>>>>
>>>>> I have been working with XCP a little bit, and I have the impression
>>>>> that this distro is insecure.  First, it does not look like update
>>>>> repositories are enabled inside /etc/yum.repos.d, although I'm from an
>>>>> apt background so I may be misinterpreting that.  Where will my
>>>>> security updates come from?
>>>>>
>>>>> Next, it appears that the root password hash is directly stored inside
>>>>> /etc/passwd, which is set to world-readable!  There does not appear to
>>>>> be an /etc/shadow file at all.
>>>>>
>>>>> Unfortunately I am dropping the distro entirely due to security
>>>>> concerns, I hope that these problems can be fixed.
>>>>>
>>>>> AJ
>>>>>
>>>>> _______________________________________________
>>>>> Xen-users mailing list
>>>>> Xen-users@xxxxxxxxxxxxxxxxxxx
>>>>> http://lists.xensource.com/xen-users
>>>>
>>
>
>
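The two concrete points raised in this thread, a root password hash sitting in a world-readable /etc/passwd with no /etc/shadow, and no enabled yum repository under /etc/yum.repos.d, are easy to check mechanically before deciding whether an appliance image is acceptable. The script below is an added example written for this archive page; it is not code from the thread, from XCP or from XenServer. It assumes a standard /etc/passwd, /etc/shadow and /etc/yum.repos.d layout under whatever root directory it is pointed at (a mounted image, or "/" on a live dom0), and the sample it builds in a temporary directory is constructed to resemble what the original poster describes; the hash string in it is a placeholder, not a real credential.

```shell
#!/bin/sh
# Added audit example (not from the thread or from XCP): check a root
# directory for password hashes in a world-readable passwd file, for a
# missing shadow file, and for the absence of any enabled yum repository.

# 1. Count passwd entries whose second field holds a real hash rather than
#    the "x" placeholder meaning "look in /etc/shadow". Locked or disabled
#    markers ("*", "!", "!!", empty) are not hashes and are not counted.
count_hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!+$/ && $2 != "" { n++ } END { print n+0 }' "$1"
}

# 2. True when the "other" read bit is set (8th character of the ls -l mode).
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# 3. Count repositories marked enabled=1 across the *.repo files of a
#    directory. Prints 0 when the directory is missing or nothing is enabled.
count_enabled_repos() {
    [ -d "$1" ] || { echo 0; return 0; }
    cat "$1"/*.repo 2>/dev/null \
        | grep -c '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*1[[:space:]]*$' || true
}

# Combine the checks: print each finding and return the number of findings,
# so "audit_root / ; echo $?" prints 0 on a host that passes all three.
audit_root() {
    root="$1"; findings=0
    passwd="$root/etc/passwd"; shadow="$root/etc/shadow"
    n=$(count_hashes_in_passwd "$passwd")
    if [ "$n" -gt 0 ] && is_world_readable "$passwd"; then
        echo "FINDING: $n password hash(es) stored in world-readable $passwd"
        findings=$((findings + 1))
    fi
    if [ ! -f "$shadow" ]; then
        echo "FINDING: $shadow is missing"
        findings=$((findings + 1))
    fi
    if [ "$(count_enabled_repos "$root/etc/yum.repos.d")" -eq 0 ]; then
        echo "FINDING: no enabled yum repository under $root/etc/yum.repos.d"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample tree (hypothetical, for demonstration only): a root
# hash in a world-readable passwd, no shadow file, one repo with enabled=0.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/yum.repos.d"
    # The hash field below is a made-up placeholder, not a real credential.
    printf 'root:$1$PLACEHOLDERHASH$:0:0:root:/root:/bin/bash\nnobody:x:99:99::/:/sbin/nologin\n' \
        > "$d/etc/passwd"
    chmod 644 "$d/etc/passwd"
    printf '[base]\nname=Constructed repo\nbaseurl=http://example.invalid/\nenabled=0\n' \
        > "$d/etc/yum.repos.d/constructed.repo"
    echo "$d"
}

# Run the audit against the constructed sample; expect three findings.
sample=$(make_sample_root)
audit_root "$sample" || echo "$? finding(s) on constructed sample"
```

To use it on a real system, call `audit_root /` (or `audit_root /mnt/image` for a mounted appliance image) and treat a non-zero return as the count of problems. A host that keeps only the "x" placeholder in /etc/passwd, has a root-only /etc/shadow, and has at least one enabled repository returns 0.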