xen-devel
[Xen-devel] Re: Module loading in unprivileged domains
David Hopwood <david.nospam.hopwood <at> blueyonder.co.uk> writes:
>
> Ian Pratt wrote:
> >>Ian Pratt wrote:
> >>
> >>>>Is there any security risk in enabling loadable module support in the
> >>>>Linux kernel used for the unprivileged domains? I ask this question in the
> >>>>context of a virtual private server hosting provider.
> >>>
> >>>There shouldn't be any security risk at all -- Xen should provide
> >>>all the isolation you need (modulo any bugs).
> >>
> >>So the answer to the original question is, "yes, enabling loadable module
> >>support will increase your exposure to security risks due to any weaknesses
> >>in Xen's isolation." Xen hasn't had particularly extensive security review
> >>yet.
> >
> > I don't think that preventing loadable module support is going to
> > buy you anything. If your users have root they can write to the
> > domain's memory image and hence in practice do anything that they
> > could if they had kernel modules.
>
> True, unless there are bugs that cause different behaviour depending
> on whether a module is compiled-in or loaded (such as
> <http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
> Nevertheless enabling loadable modules may allow a greater proportion
> of script kiddies to be capable of exploiting any given bug.
>
> This is all the same as in standard Linux, so perhaps I should have
> said: enable loadable modules iff you would do so in standard Linux.
>
> > Xen has been designed to provide secure isolation between
> > guests. It has undergone code review by a bunch of different
> > people. It may have security bugs, but at least they're
> > relatively obscure...
>
> I remain skeptical.
>
So from what I can gather, the user of an unprivileged domain is entirely
capable of destroying their own domain? If this is the case, it is entirely
acceptable. What I'm more concerned with, however, is the impact one
unprivileged domain can have on another. I don't want one domain able to
adversely affect other domains running on the node. I understand that the point
of weakness for this is only Xen itself which, being open source and backed by a
great community, I am more than comfortable with.

I'm becoming more and more familiar with Xen as the days go by, and am very
happy with my decision to use it over other, similar products.

As an aside, I've been trying to join this mailing list for some days now,
however the SourceForge mail server is rejecting the confirmation email on the
grounds that my mail server is incorrectly configured (no postmaster account,
which I know is not true). Has anyone else had a similar experience?

Scott.