This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to Q

To: Christian Limpach <Christian.Limpach@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor inVNC server
From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Date: Tue, 27 Mar 2007 22:18:26 +0100
Cc: xen-staging@xxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 27 Mar 2007 14:17:26 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <0326530267625D42A4E36594FDD0D1432EBA8A@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <200703271524.l2RFOMNg003926@xxxxxxxxxxxxxxxxxxxxxxx> <0326530267625D42A4E36594FDD0D1432EBA8A@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.1i
On Tue, Mar 27, 2007 at 02:06:42PM -0700, Christian Limpach wrote:
> > hvm: Remove access to QEMU monitor in VNC server
> > 
> > This fixes a RHEL5 errata and CVE-2007-0998.
> > 
> > The monitor is still accessible in debug builds of ioemu (debug=y).
> > 
> > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> This change is quite weird since it doesn't disable monitor access when
> using SDL.

Well SDL isn't exposed to the network directly - to access the monitor
via the SDL console, you'd need to first access the X server desktop in
question. Unprivileged local users, or remote user can't typically get 
access to X desktop of the person who started the VM, so its not neccessary
to disable it.

> Also, the additional virtual consoles can be used for giving access to
> things without security implications, like serial ports.

The console enables the users to map the virtual serial port onto a physical
device. Not a huge issue, but still basically a privilege escalation because
it lets users access hardware they'd not otherwise be able to.

> I think a much better fix for the security issue would be to change the
> default monitor output not to be a virtual console.

Yes, long term I expect that if we want to avoid Xen forking still further
from QEMU then we'll need XenD itself to own the monitor channel, because
the monitor is becoming the official way to reconfig stuff on the fly. So
if XenD redirected the monitor to a STDIN/SDOUT then it could safely have
complete control over it & not expose it to the user. This is the approach
we already take in libvirt for managing QEMU & KVM guests & it works quite
well. I didn't do that myself because its much more work & I was prioritizing
the security fix. 

NB, this fix is slightly different from what we actually put in RHEL. The
RHEL version removed the code completely - this version allows it to be
toggled at build time because Keir wanted to keep access for developers
who are doing debugging of HVM guests.

|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

Xen-devel mailing list