Nowaker edited this page Feb 16, 2013 · 30 revisions

This page will document all security concerns related to Archipel. It's a must-read if Archipel is going to be used by more people than just you.

"define" and "xmldesc" permissions on the virtual machine

Untrusted users should not be given the "define" permission. It lets a user edit the XML descriptor of the virtual machine and put anything they want in it. In the worst case, a local disk on the host (e.g. /dev/sda) can be attached read-only to the virtual machine and all of its data read from inside the guest.

The "xmldesc" permission controls reading the virtual machine XML descriptor: a user who is not given "xmldesc" cannot access the "Definition" tab at all.

  • "define" and "xmldesc" - user is able to define the virtual machine as they want
  • "xmldesc" only - user can access the Definition tab in read-only mode
  • "define" only - user can't access the Definition tab, because they can't read the XML

There is also an enable_block_device_access setting in /etc/archipel/archipel.conf, but it provides no useful protection while the user can edit the XML directly.
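Because the "define" permission hands the user the whole libvirt domain XML, the only real control is to review what that XML attaches from the host before it is accepted. The following added example (not Archipel's own code) checks a domain descriptor for host storage exposure: it rejects block-device passthrough such as the /dev/sda case above, and it also generalizes to file-backed images outside an assumed image directory and to host directory passthrough via <filesystem>. The image directory and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Assumed policy: the only host directory guest images may live under.
ALLOWED_IMAGE_DIR = PurePosixPath("/var/lib/libvirt/images")


def host_exposures(domain_xml: str) -> list:
    """Return the reasons this libvirt domain XML exposes host storage.

    An empty list means every disk and filesystem element stays inside
    ALLOWED_IMAGE_DIR.  Malformed XML raises ET.ParseError.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for disk in root.iter("disk"):
        src = disk.find("source")
        if src is None:
            continue  # e.g. an empty CD-ROM drive: nothing attached
        kind = disk.get("type", "file")
        if kind == "block":
            # Raw host device such as /dev/sda: the case the wiki warns about.
            findings.append(f"block device passthrough: {src.get('dev')}")
        elif kind == "file":
            path = PurePosixPath(src.get("file", ""))
            # '..' is not resolved by PurePosixPath, so reject it outright
            # instead of letting /images/../../etc/shadow pass the parent check.
            if (not path.is_absolute() or ".." in path.parts
                    or ALLOWED_IMAGE_DIR not in path.parents):
                findings.append(f"image outside allowed dir: {path}")
        else:
            findings.append(f"unreviewed disk type: {kind}")
    for fs in root.iter("filesystem"):
        src = fs.find("source")
        if src is not None and src.get("dir") is not None:
            findings.append(f"host directory passthrough: {src.get('dir')}")
    return findings


# Constructed sample: a descriptor a user holding "define" could submit.
MALICIOUS_DOMAIN = """<domain type='kvm'><name>vm1</name><devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/vm1.qcow2'/><target dev='vda'/>
  </disk>
  <disk type='block' device='disk'>
    <source dev='/dev/sda'/><target dev='vdb'/><readonly/>
  </disk>
</devices></domain>"""

if __name__ == "__main__":
    print(host_exposures(MALICIOUS_DOMAIN))
```

The first disk is accepted; the second is reported as block device passthrough, so an operator can refuse the definition before libvirt ever sees it.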

Encrypted XMPP

All XMPP traffic on ports 5222, 5269 and 5280 should be encrypted. If using ejabberd_xmlrpc and the hypervisors are not inside the trusted network, port 4560 should be encrypted as well.

Users need to remember to change the BOSH proxy URL when accessing the Archipel client for the first time: "https" should be used, not "http" (e.g. https://xmpp.example.com:5280/http-bind).

Use this draft ejabberd config to encrypt all channels. (This has not yet been confirmed by my security auditor; I will update when it's confirmed.)

{listen, [
  %% If you have compiled ejabberd-xmlrpc, uncomment the following lines
  %% {4560, ejabberd_xmlrpc, [
  %%   starttls,
  %%   {certfile, "/etc/ejabberd/cert.pem"}
  %% ]},

  %% Client connections (Archipel agents and clients)
  {5222, ejabberd_c2s, [
    {access, c2s},
    starttls,
    {certfile, "/etc/ejabberd/cert.pem"},
    {max_stanza_size, 65536000}
  ]},

  %% Server-to-server connections; TLS is enforced by s2s_use_starttls below
  {5269, ejabberd_s2s_in, [
    {max_stanza_size, 65536000}
  ]},

  %% BOSH (http-bind) for the web client; tls makes it https
  {5280, ejabberd_http, [
    http_bind,
    http_poll,
    web_admin,
    tls,
    {certfile, "/etc/ejabberd/cert.pem"}
  ]}
]}.

{route_subdomains, s2s}.
{s2s_use_starttls, true}.
{s2s_default_policy, allow}.
{s2s_certfile, "/etc/ejabberd/cert.pem"}.

Encrypted VNC

TBD

Running Archipel agent as non-root

TBD. Please read page Installation-serviceuser for instructions.
