On May 3, 2007, at 7:39 PM, Dan Mensom wrote: > For the benefit of the archives, here is the quick rundown of what > I did, > following mostly the docs at http://fastcgi.coremail.cn/doc.htm: Thanks; I'll have to look back at your steps if I ever get around to setting up SELinux. >> Now that is a secure option, though not light-weight of course. > > Hrmm.. Not necessarily. Last I checked the Xen people were still in > the > process of hardening their kernel APIs to prevent vm guest breakout. I > don't think the process was completed for 3.0, but I could be wrong.. Well, I hope it is, because I've got a server at a Xen-based virtual hosting company containing somewhat sensitive data. Googling "xen guest breakout" doesn't turn up much. There are people saying they haven't formally proven there are no vulnerabilities in the design or implementation [1], but that's not too surprising - the same's true for the Linux kernel. I basically have to trust Linux anyway in the absence of specific bug reports, or I'd get nothing done. [1] - http://article.gmane.org/gmane.comp.emulators.xen.user/23297 -- Scott Lamb <http://www.slamb.org/>