This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections

To: Kurt Garloff <garloff@xxxxxxx>
Subject: Re: [Xen-devel] [PATCH] xen-2.0: privileged port connections
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Wed, 23 Mar 2005 11:03:39 -0600
Cc: Xen development list <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 23 Mar 2005 17:16:02 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20050323165739.GR12479@xxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Organization: IBM
References: <20050323123639.GM12479@xxxxxxxxxxxxxxxxx> <42418E24.5070906@xxxxxxxxxx> <20050323165739.GR12479@xxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)
Kurt Garloff wrote:

> Hi Anthony,
>
> On Wed, Mar 23, 2005 at 09:41:24AM -0600, Anthony Liguori wrote:
>> So, here's my concerns:
>>
>> 1) ports < 1024 are reserved although 732 is currently unassigned
> Note that NFS uses such ports without asking prior permission.
> I chose 732 because it's unassigned indeed.

I know. That's one of the reasons using this port worries me. There may be NFS related conflicts.

>> 4) you still have to find a way to deal with the consoles
> Before I start working on getting the consoles under control, I
> wanted to see whether this approach is acceptable at all.

How would you extend this to consoles? Each console can't have its own privileged port :-)

>> 5) you still have to deal with xfrd
> It seems to listen on *:8002 ...
> Is there no authentication either? Sigh.

Nope. I think there are a few options. We could use hosts.allow or something similar, we could restrict it to subnets, or we could try and implement some sort of authentication mechanism.

> Perhaps shutting it off by default and making it clear that it is
> insecure is enough.
> And we probably need to look into the event channel (8001) as well.
>
> But for Xen-2, let's try to find a pragmatic way that enables desktop
> users to install and test xen without raising too many security concerns.

I full-heartedly agree.  I'll gladly help out on this effort.

Anthony Liguori
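The admission options discussed in this message (restricting a daemon to trusted subnets, and relying on a reserved source port the way NFS does) as an added Python illustration; this is not code from the thread or from Xen, and the sample peers, subnets and policy names are constructed, with only the port numbers 732, 8001 and 8002 taken from the discussion.

```python
import ipaddress

# Added illustration (not Xen's code) of two admission checks raised in the
# thread: restrict a daemon to trusted subnets, and/or require the peer to
# connect from a reserved source port (< 1024), as NFS servers do.
PRIVILEGED_PORT_MAX = 1023


def peer_allowed(peer, allowed_nets, require_privileged_port=False):
    """Decide whether a TCP peer (host, port) may use the service.

    allowed_nets: network strings the peer must fall inside, e.g.
    ["127.0.0.0/8"]; a daemon listening on "*" with no check behaves like
    ["0.0.0.0/0"].
    require_privileged_port: demand a source port <= 1023. Only root can bind
    one, so it proves the client ran as root on *its* host and nothing about
    which host that is; it only adds value once allowed_nets is already
    limited to hosts we trust (loopback, a management subnet).
    Returns (accepted, reason).
    """
    host, port = peer
    addr = ipaddress.ip_address(host)
    if not any(addr in ipaddress.ip_network(net) for net in allowed_nets):
        return False, "peer %s is outside the allowed networks" % host
    if require_privileged_port and port > PRIVILEGED_PORT_MAX:
        return False, "source port %d is not a reserved port" % port
    return True, "accepted"


# Constructed connection attempts against a daemon such as the one on *:8002,
# and four policies a packager could ship; 732 is the port from the thread.
SAMPLE_PEERS = [("127.0.0.1", 732), ("127.0.0.1", 40123),
                ("192.168.1.7", 1000), ("10.9.8.7", 513)]

POLICIES = {
    "wildcard listener, no check": (["0.0.0.0/0"], False),
    "loopback only": (["127.0.0.0/8"], False),
    "loopback + reserved source port": (["127.0.0.0/8"], True),
    "mgmt subnet + reserved source port": (["127.0.0.0/8", "192.168.1.0/24"], True),
}


def evaluate(policy_name):
    """Apply one policy to every sample peer; returns {peer: accepted}."""
    nets, need_priv = POLICIES[policy_name]
    return {p: peer_allowed(p, nets, need_priv)[0] for p in SAMPLE_PEERS}


if __name__ == "__main__":
    for name in POLICIES:
        accepted = [p for p, ok in evaluate(name).items() if ok]
        print("%-36s accepts %s" % (name, accepted))
```

The first policy is what a daemon bound to *:8002 or *:8001 with no check amounts to: every peer is accepted; the later ones show how much each added restriction narrows that.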

