|
|
|
|
|
|
|
|
|
|
xen-users
Re: [Xen-users] XCP: Insecure Distro ?
On May 9, 2011, at 6:29 PM, Adrien Guillon wrote:
Security updates are common, and generally do not make major interface
changes by design. I have no desire to update anything aside from
receiving fixes for buffer overflows, or other exploits that are found
in the wild. The system in question should be in production for
several years, and security patches are inevitable during that period
of time.
In Xen's case I will have to disagree. If you're trying to build an HA
cluster, you need to make sure all your nodes have precisely the same
dom0 if you want things like live migration to work properly.
Besides disrupting one single system, problems caused by updates could
potentially harm the entire pool (how do you update all dom0 nodes to
the same software version at the same time and make sure nothing will
try to be "live migrated" from one node to another in the meanwhile?)
The concern about buffer overflows is intrinsically related to
security, which is the next topic...
It likely took some effort to eliminate /etc/shadow in the first
place, as this has been standard practice for a very long time. I
will not debate the merits of storing hashes in /etc/passwd or
/etc/shadow because that debate ended a very long time ago. Quite
simply this distro has a major security flaw.
As others have pointed out, dom0 is not supposed to be accessed by
anybody other than root. I would go further and say it's not supposed
to be accessed over any public network, such as the Internet or the
wifi network you'd find in a Starbucks.
I believe the main idea is that you should isolate dom0 from the world
in all possible ways, so no matter what security flaws it might have,
they will never be exploited.
Maybe they should make it explicit like: you should always run dom0 on
a private network, controlled and secured by VPNs or any other methods.
Best regads,
Eduardo Bragatto
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
|
|