ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    XenServer Disable Root

    Scheduled Pinned Locked Moved IT Discussion
    78 Posts 8 Posters 15.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • travisdh1T
      travisdh1 @stacksofplates
      last edited by gjacobse

      @stacksofplates said in XenServer Disable Root:

      @travisdh1 said in XenServer Disable Root:

      @stacksofplates said in XenServer Disable Root:

      @travisdh1 said in XenServer Disable Root:

      Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

      Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

      So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

      I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

      So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

      stacksofplatesS 1 Reply Last reply Reply Quote 1
      • stacksofplatesS
        stacksofplates @travisdh1
        last edited by stacksofplates

        @travisdh1 said in XenServer Disable Root:

        @stacksofplates said in XenServer Disable Root:

        @travisdh1 said in XenServer Disable Root:

        @stacksofplates said in XenServer Disable Root:

        @travisdh1 said in XenServer Disable Root:

        Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

        Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

        So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

        I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

        So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

        Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

        travisdh1T 1 Reply Last reply Reply Quote 0
        • travisdh1T
          travisdh1 @stacksofplates
          last edited by gjacobse

          @stacksofplates said in XenServer Disable Root:

          @travisdh1 said in XenServer Disable Root:

          @stacksofplates said in XenServer Disable Root:

          @travisdh1 said in XenServer Disable Root:

          @stacksofplates said in XenServer Disable Root:

          @travisdh1 said in XenServer Disable Root:

          Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

          Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

          So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

          I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

          So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

          Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

          I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

          stacksofplatesS 1 Reply Last reply Reply Quote -1
          • stacksofplatesS
            stacksofplates @travisdh1
            last edited by stacksofplates

            @travisdh1 said in XenServer Disable Root:

            @stacksofplates said in XenServer Disable Root:

            @travisdh1 said in XenServer Disable Root:

            @stacksofplates said in XenServer Disable Root:

            @travisdh1 said in XenServer Disable Root:

            @stacksofplates said in XenServer Disable Root:

            @travisdh1 said in XenServer Disable Root:

            Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

            Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

            So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

            I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

            So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

            Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

            I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

            Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.

            I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.

            DustinB3403D 1 Reply Last reply Reply Quote 0
            • DustinB3403D
              DustinB3403 @stacksofplates
              last edited by gjacobse

              @stacksofplates said in XenServer Disable Root:

              @travisdh1 said in XenServer Disable Root:

              @stacksofplates said in XenServer Disable Root:

              @travisdh1 said in XenServer Disable Root:

              @stacksofplates said in XenServer Disable Root:

              @travisdh1 said in XenServer Disable Root:

              @stacksofplates said in XenServer Disable Root:

              @travisdh1 said in XenServer Disable Root:

              Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

              Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

              So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

              I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

              So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

              Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

              I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

              Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.

              I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.

              Or you don't install XenCenter for them and configure users to only be able to manage specific VM's on Xen Orchestra.

              coliverC 1 Reply Last reply Reply Quote 1
              • coliverC
                coliver @DustinB3403
                last edited by gjacobse

                @DustinB3403 said in XenServer Disable Root:

                @stacksofplates said in XenServer Disable Root:

                @travisdh1 said in XenServer Disable Root:

                @stacksofplates said in XenServer Disable Root:

                @travisdh1 said in XenServer Disable Root:

                @stacksofplates said in XenServer Disable Root:

                @travisdh1 said in XenServer Disable Root:

                @stacksofplates said in XenServer Disable Root:

                @travisdh1 said in XenServer Disable Root:

                Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

                I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

                Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.

                I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.

                Or you don't install XenCenter for them and configure users to only be able to manage specific VM's on Xen Orchestra.

                This, who is going to have XenCenter access? If an errant user installs it they shouldn't be able to navigate to the VLAN that hosts it. XenCenter, at this point, should only be used to get Xen Orchestra setup.

                1 Reply Last reply Reply Quote 1
                • stacksofplatesS
                  stacksofplates
                  last edited by stacksofplates

                  A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up. Stuff has to be physically moved to this network. No outside access of any kind on the whole thing makes everything take much longer. So while yes, cloning the git repo is easy, I still have to hand it off to a dedicated person to scan the contents and make sure nothing is malicious and then it has to be moved from there into a repository. Then I go in and move it to where I need it.

                  scottalanmillerS coliverC 2 Replies Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @stacksofplates
                    last edited by gjacobse

                    @stacksofplates said in XenServer Disable Root:

                    A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up.

                    Is that not also true with XenCenter?

                    stacksofplatesS 1 Reply Last reply Reply Quote 1
                    • stacksofplatesS
                      stacksofplates @scottalanmiller
                      last edited by stacksofplates

                      @scottalanmiller said in XenServer Disable Root:

                      @stacksofplates said in XenServer Disable Root:

                      A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up.

                      Is that not also true with XenCenter?

                      Yes. Which is why I'm kind of leaning towards KVM because updates would all be done from Red Hat. Then everything would be on the same schedule.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • coliverC
                        coliver @stacksofplates
                        last edited by gjacobse

                        @stacksofplates said in XenServer Disable Root:

                        A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up. Stuff has to be physically moved to this network. No outside access of any kind on the whole thing makes everything take much longer. So while yes, cloning the git repo is easy, I still have to hand it off to a dedicated person to scan the contents and make sure nothing is malicious and then it has to be moved from there into a repository. Then I go in and move it to where I need it.

                        So you've solved your issue? XenCenter will want to do updates as well. So you'll manage them in the same way.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @stacksofplates
                          last edited by

                          @johnhooks said in XenServer Disable Root:

                          @scottalanmiller said in XenServer Disable Root:

                          @johnhooks said in XenServer Disable Root:

                          A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up.

                          Is that not also true with XenCenter?

                          Yes. Which is why I'm kind of leaning towards KVM because updates would all be done from Red Hat. Then everything would be on the same schedule.

                          or Xen from one of the major vendors as well.

                          stacksofplatesS 1 Reply Last reply Reply Quote 0
                          • stacksofplatesS
                            stacksofplates @scottalanmiller
                            last edited by stacksofplates

                            @scottalanmiller said in XenServer Disable Root:

                            @stacksofplates said in XenServer Disable Root:

                            @scottalanmiller said in XenServer Disable Root:

                            @stacksofplates said in XenServer Disable Root:

                            A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up.

                            Is that not also true with XenCenter?

                            Yes. Which is why I'm kind of leaning towards KVM because updates would all be done from Red Hat. Then everything would be on the same schedule.

                            or Xen from one of the major vendors as well.

                            Ya Xen would work also. KVM makes it really easy as it's just a role you can enable. Plus I have a lot more experience with it than Xen. And we can get support from Red Hat for it since we are already paying for that anyway.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @stacksofplates
                              last edited by

                              @johnhooks said in XenServer Disable Root:

                              Ya Xen would work also. KVM makes it really easy as it's just a role you can enable. Plus I have a lot more experience with it than Xen. And we can get support from Red Hat for it since we are already paying for that anyway.

                              It's the same for Xen. You'd just use Suse, for example.

                              stacksofplatesS 1 Reply Last reply Reply Quote 1
                              • stacksofplatesS
                                stacksofplates @scottalanmiller
                                last edited by stacksofplates

                                @scottalanmiller said in XenServer Disable Root:

                                @stacksofplates said in XenServer Disable Root:

                                Ya Xen would work also. KVM makes it really easy as it's just a role you can enable. Plus I have a lot more experience with it than Xen. And we can get support from Red Hat for it since we are already paying for that anyway.

                                It's the same for Xen. You'd just use Suse, for example.

                                If I can get them to use it then we would do that. Right now we are just Red Hat. So there's a decent amount of work to add something else in the mix, but I'm working on adding other Linux environments.

                                1 Reply Last reply Reply Quote 1
                                • DashrenderD
                                  Dashrender @stacksofplates
                                  last edited by

                                  @johnhooks said in XenServer Disable Root:

                                  @travisdh1 said in XenServer Disable Root:

                                  Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                                  Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                                  This seems weird to me. You're saying that XC gives any XS user full root if they are using XC, just because it's XC?

                                  That would be like saying, let me hook up this TTY terminal to a serial port on the server, and then any user who logs into it has root, regardless of what username/password combo they use.

                                  What am I missing/misunderstanding?

                                  scottalanmillerS 2 Replies Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    And we are back.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in XenServer Disable Root:

                                      This seems weird to me. You're saying that XC gives any XS user full root if they are using XC, just because it's XC?

                                      Basically, yes. XC gives blanket console access. Console access = physical access FAIAP and physical access = root access. So, by extension.

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said in XenServer Disable Root:

                                        That would be like saying, let me hook up this TTY terminal to a serial port on the server, and then any user who logs into it has root, regardless of what username/password combo they use.

                                        What am I missing/misunderstanding?

                                        That if you do this they essentially can always root your box. But it is more than just the serial connection, it is ALSO the power switch, DVD drive, boot priorities, BIOS settings, etc.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller
                                          last edited by

                                          Plus the ability to clone, copy, etc.

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            Sure I understand it's like standing in front of the box - though I'm not sure why EVERY SINGLE USER in XC gets that level of access - it is truly remote access after all, so why aren't there levels of granted access?

                                            I do understand someone physically standing in front of a server can own it, can root it via booting into other tools, but assuming they can't boot to other tools, aren't allowed to boot it period - how do they get around the logon prompt to get root access?

                                            If I have a linux box in front of me, assuming I'm not allowed to reboot it, how do I get root? all I have is my own personal non root logon name.. now what? Does console access itself somehow grant me some extra permission?

                                            scottalanmillerS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 4 / 4
                                            • First post
                                              Last post