I want to confirm a couple of things about Xen Orchestra and NFS backups.
- Running Mount from XOA
When I go to Settings -> Remotes and try to add an NFS remote, it looks like Xen Orchestra wants to run mount on the XOA VM to mount it. That implies that the web server is running as root or the web server has the ability to invoke commands as root, because only root can mount filesystems. That seems decidedly suboptimal from a security point of view. If I run xo-web as root and there's an input validation error, then I not only have command injection, but I have commands injected that are running as root.
Imagine someone types ver=3; echo blah | tee -a /etc/shadow; : or similar as their options on the NFS remote. That potentially executes as root and does something nasty (where blah is a correctly formatted /etc/shadow entry).
I could potentially create a rule in my /etc/sudoers file to allow the unprivileged www user to invoke /bin/mount as root with no password, but I'm still not sure how exposed I would be to command injection. The risk is limited to that one command, but it's still sorta there. We'd have to change the mount command that is executed to be sudo mount, instead of
If I follow the flow, the hypervisor will transmit the VM's data for backup to my XOA VM, who in turn writes it out to the NFS volume. If my XOA instance is not on the same network or host, that's a bad idea, right? I mean: it would be better for the host to do the NFS mount from the hypervisor and write the data out to the NFS share directly, wouldn't it? Even if my XOA VM is on the same host, the data is transmitted into the VM and back out again. Do I understand this correctly?