WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] protecting xen startup

To: Charles Coffing <ccoffing@xxxxxxxxxx>
Subject: Re: [Xen-devel] protecting xen startup
From: Mike Wray <mike.wray@xxxxxxxxxx>
Date: Tue, 23 Nov 2004 17:58:23 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, lkcl@xxxxxxxx
Delivery-date: Tue, 23 Nov 2004 18:01:48 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <s1a31208.035@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <s1a31208.035@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.9 (Windows/20041103)
Charles Coffing wrote:
Right, xend is just an HTTP interface to Xen via system calls or ioctls (xend <--> linux <--> Xen).

There's also a daemon (xfrd) running on 8002.

There currently is no authentication on either port.

In the source tree, look at docs/misc/xend.tex, although some details
are out of date.


Correct, though you can configure the interface listened to by xend
in the xend config. The default is open. To disable network access
configure 'localhost'. See 'xend-address' in '/etc/xen/xend-config.sxp'.

Xend is implemented using the Twisted framework in Python, and this
supports configuring https and authentication in front of web
services - we just haven't got around to it.

There's currently no security on port 8002 for the transfer daemon (xfrd).
There are various things that could be done. For example xfrd
could be set to listen on loopback only and you could use ssh or stunnel
to secure the comms and forward ports. I'm hoping to get around to securing
this.


HTH,
Charles
Luke Kenneth Casson Leighton <lkcl@xxxxxxxx> 11/23/04 10:05 am >>>

hi, i notice that there's a management interface on port 8000. i seek to protect this interface such that nothing but a trusted program

(think selinux) may run, manage, start up or shut down xen oses. so: where can i find out information about the structure of the xen management interface? is the port 8000 stuff just providing a web server (/etc/init.d/xend) front-end to some extra system calls? is the port 8000 stuff actually running in the xen boot-up stuff? if it's some extra system calls that's very good because it will be possible to add selinux security hooks to protect each system call. ta, l.

Mike




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel

<Prev in Thread] Current Thread [Next in Thread>