Subject: Re: [Xen-devel] RE: [Xen-staging] [xen-unstable] hvm: Remove access to QEMU monitor in VNC server
From: Daniel P. Berrange (berr@redhat.com)
Date: 03/27/2007 02:18:03 PM
List: com.xensource.lists.xen-devel

On Tue, Mar 27, 2007 at 02:06:42PM -0700, Christian Limpach wrote:
> > hvm: Remove access to QEMU monitor in VNC server
> >
> > This fixes a RHEL5 errata and CVE-2007-0998.
> >
> > The monitor is still accessible in debug builds of ioemu (debug=y).
> >
> > Signed-off-by: Daniel P. Berrange <berr@redhat.com>
>
> This change is quite weird since it doesn't disable monitor access when using SDL.

Well SDL isn't exposed to the network directly - to access the monitor via the SDL console, you'd need to first access the X server desktop in question. Unprivileged local users, or remote users, can't typically get access to the X desktop of the person who started the VM, so it's not necessary to disable it.

> Also, the additional virtual consoles can be used for giving access to things without security implications, like serial ports.

The console enables the users to map the virtual serial port onto a physical device. Not a huge issue, but still basically a privilege escalation because it lets users access hardware they'd not otherwise be able to.

> I think a much better fix for the security issue would be to change the default monitor output not to be a virtual console.

Yes, long term I expect that if we want to avoid Xen forking still further from QEMU then we'll need XenD itself to own the monitor channel, because the monitor is becoming the official way to reconfig stuff on the fly. So if XenD redirected the monitor to STDIN/STDOUT then it could safely have complete control over it & not expose it to the user. This is the approach we already take in libvirt for managing QEMU & KVM guests & it works quite well. I didn't do that myself because it's much more work & I was prioritizing the security fix.

NB, this fix is slightly different from what we actually put in RHEL. The RHEL version removed the code completely - this version allows it to be toggled at build time because Keir wanted to keep access for developers who are doing debugging of HVM guests.

Regards, Dan.
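The "management daemon owns the monitor on STDIN/STDOUT" approach Dan describes, as an added illustration that is not part of this thread and not Xen, ioemu or libvirt code. It assumes a monitor that prints the `(qemu) ` prompt after every reply; the child process here is a constructed stand-in for `qemu ... -monitor stdio` so the example runs offline, and the `info`-only allow-list is an assumed policy, not anything the thread specifies. The point it shows: when the daemon holds the monitor's file descriptors, the monitor is never reachable from the guest's VNC virtual consoles at all, and users only get the subset the daemon chooses to forward.

```python
"""Added example (not Xen/ioemu/libvirt code): a management daemon that owns the
QEMU monitor channel over stdio and forwards only allow-listed commands."""
import subprocess
import sys

PROMPT = b"(qemu) "  # assumption: the monitor ends every reply with this prompt

# Constructed stand-in for `qemu -monitor stdio`, so the example runs offline.
# Replace the argv in start_fake_monitor() with a real qemu command line.
FAKE_MONITOR = r'''
import sys
sys.stdout.write("QEMU monitor - type 'help' for more information\n(qemu) ")
sys.stdout.flush()
for line in sys.stdin:
    cmd = line.strip()
    if cmd == "quit":
        break
    if cmd == "info version":
        sys.stdout.write("0.9.0\n")
    elif cmd.startswith("change "):
        sys.stdout.write("changed\n")   # stands in for a privileged reconfig
    else:
        sys.stdout.write("unknown command: '%s'\n" % cmd)
    sys.stdout.write("(qemu) ")
    sys.stdout.flush()
'''


class MonitorOwner:
    """Holds the monitor's stdin/stdout; nothing user-facing gets the fds."""

    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE)
        self._read_until_prompt()  # swallow the banner

    def _read_until_prompt(self):
        # Byte-at-a-time read until the prompt appears; returns the reply only.
        buf = b""
        while not buf.endswith(PROMPT):
            ch = self.proc.stdout.read(1)
            if not ch:
                raise RuntimeError("monitor closed unexpectedly")
            buf += ch
        return buf[:-len(PROMPT)].decode(errors="replace").strip()

    def raw(self, cmd):
        """Privileged path: only the daemon itself calls this."""
        if "\n" in cmd or "\r" in cmd:
            raise ValueError("one command per call")
        self.proc.stdin.write(cmd.encode() + b"\n")
        self.proc.stdin.flush()
        return self._read_until_prompt()

    def close(self):
        self.proc.stdin.write(b"quit\n")
        self.proc.stdin.flush()
        self.proc.stdin.close()
        self.proc.wait(timeout=5)


# Assumed policy for unprivileged callers: read-only "info" queries pass,
# everything else (including anything that reconfigures devices) is refused.
USER_ALLOWED = ("info ",)


def user_command(owner, cmd):
    """What an unprivileged user may send through the daemon."""
    # Reject embedded line breaks so a caller cannot smuggle a second command.
    if "\n" in cmd or "\r" in cmd or not cmd.startswith(USER_ALLOWED):
        return "denied: %r" % cmd
    return owner.raw(cmd)


def start_fake_monitor():
    """Spawn the constructed stand-in monitor under this daemon's control."""
    return MonitorOwner([sys.executable, "-c", FAKE_MONITOR])


if __name__ == "__main__":
    owner = start_fake_monitor()
    print(user_command(owner, "info version"))      # forwarded
    print(user_command(owner, "change vda /dev/sda"))  # denied by policy
    print(owner.raw("change vda /dev/sda"))         # daemon-only path
    owner.close()
```

With a real `-monitor stdio` child the same `MonitorOwner` works unchanged; the daemon decides which commands cross the boundary, which is what lets it expose the monitor to management tooling without exposing it to whoever holds the VNC session.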