Isn't it bad that a compromised VM can create any number of dispVMs?


Arqwer

Aug 25, 2016, 6:53:49 AM
to qubes-users
The command
qvm-run '$dispvm' xterm
if called from an appVM will run xterm in a new dispVM. If an attacker gained access to an appVM, he could possibly run a script that will create thousands of new dispVMs and freeze my computer. I don't like this. Maybe it's better to disable this functionality by default?

Alex

Aug 25, 2016, 6:56:26 AM
to qubes...@googlegroups.com
I see your point, but I'd rather appreciate a limit on the number of
dispVM that can be launched (e.g. per hour/appvm?) before some
confirmation from dom0 is needed to open any more. This way actual
functionality is not broken nor reverted, and the denial of service
scenario is prevented.

--
Alex


Andrew David Wong

Aug 25, 2016, 5:12:57 PM
to Arqwer, qubes-users

On 2016-08-25 03:53, Arqwer wrote:
> Command qvm-run '$dispvm' xterm if called from an appVM will run xterm in
> a new dispVM. If attacker gained access to an appvm, he possibly can run
> script, that will create thousands of new dispVMs and freeze my computer.
> I don't like this.

You can configure this easily by editing this file in dom0:

/etc/qubes-rpc/policy/qubes.VMShell

Find this line:

$anyvm $dispvm allow

Change "allow" to "ask". You will now be prompted (by an unspoofable dialog
box in dom0) whenever a VM tries to create a DispVM.

> May be it's better to disable this functionality by default?

Added the suggestion here:

https://github.com/QubesOS/qubes-issues/issues/2269

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
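
As an added example (not code from this thread or from Qubes OS), the following Python models the first-match evaluation of the legacy policy file Andrew points to, and shows the effect of changing that one line from "allow" to "ask". The helper names evaluate_policy and require_prompt_for_dispvm, the sample policy text, and the assumption that a request matching no rule is denied are my own.

```python
"""Model of a legacy (Qubes 3.x-style) qrexec policy file.

Assumed syntax, matching the line quoted in the post: one rule per line,
"<source> <destination> <action>[,option=value...]", '#' starts a comment,
rules are tried top to bottom and the first match wins, "$anyvm" matches
any VM and "$dispvm" is the special destination for a fresh DispVM.
Example code only; this is not the Qubes OS implementation.
"""

# Constructed sample with the same shape as /etc/qubes-rpc/policy/qubes.VMShell
DEFAULT_POLICY = """\
# any VM may spawn a DispVM shell without a prompt
$anyvm $dispvm allow
$anyvm $anyvm ask
"""


def _matches(pattern, name):
    # "$anyvm" is a wildcard; anything else is a literal VM name or token.
    return pattern == "$anyvm" or pattern == name


def evaluate_policy(policy_text, source, dest):
    """Return 'allow', 'ask' or 'deny' for a request from source to dest.

    Assumption: a request that matches no rule at all is denied.
    """
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 fields: %r" % (lineno, raw))
        src_pat, dst_pat, action = parts
        action = action.split(",", 1)[0]  # ignore options such as target=
        if action not in ("allow", "ask", "deny"):
            raise ValueError("line %d: unknown action %r" % (lineno, action))
        if _matches(src_pat, source) and _matches(dst_pat, dest):
            return action
    return "deny"


def require_prompt_for_dispvm(policy_text):
    """Rewrite '$anyvm $dispvm allow' to 'ask' so dom0 prompts, as suggested."""
    out = []
    for raw in policy_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if (len(parts) == 3 and parts[0] == "$anyvm" and parts[1] == "$dispvm"
                and parts[2].split(",", 1)[0] == "allow"):
            raw = raw.replace("allow", "ask", 1)  # only the action field
        out.append(raw)
    return "\n".join(out) + "\n"
```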

Marek Marczykowski-Górecki

Aug 29, 2016, 10:19:38 PM
to Alex, qubes...@googlegroups.com
In fact the number of DispVMs is already limited - by available RAM.
Further attempts will simply fail.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?