Mailing List Archive: Xen: Users

Where does PyGrub run?

Index | Next | Previous | View Threaded

evammg at gmail

Apr 24, 2012, 3:29 AM

Post #1 of 12 (474 views)
Permalink

Where does PyGrub run?

Hello,

I am still confused: does pyGrub run in dom0 as root? as it says in here:

"PyGRUB used to act as a “PV bootloader”: it runs in dom0 as root,
opens the PV disk image, reads its GRUB menu.lst, presents a GRUB-like
menu to let the user choose a kernel which it copies to the dom0
filesystem, it then closes the disk image and eventually tells the
domain builder to use that copy. Such a dom0 root process that parses
user-provided data is a potential security breach."
http://blog.xen.org/index.php/2008/08/28/xen-33-feature-pv-grub/

or does it run in domU? as it says in here:

"PyGrub enables you to start Linux domUs with a kernel inside the DomU
instead of a kernel that lies in the filesystem of the dom0."
http://wiki.xen.org/wiki/PyGrub

Isn't those definitions contradictories? Am I misunderstanding something?

Regards,

Eva

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

list at fajar

Apr 24, 2012, 3:44 AM

Post #2 of 12 (442 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On Tue, Apr 24, 2012 at 5:29 PM, eva <evammg [at] gmail> wrote:
> Hello,
>
> I am still confused: does pyGrub run in dom0 as root? as it says in here:

Yes

> or does it run in domU? as it says in here:

No.

> Isn't those definitions contradictories?

No.

pygrub:
- is a python script (which, IIRC, also installs several python modules)
- runs on dom0
- extract kernel and initrd from a domU image (file, partition, LVM,
etc) and put it on dom0 (/var/lib/xen/...)
- starts domU using the above kernel and initrd

You can test it yourself btw: Run "pygrub -i /path/to/wherever/your/domU/image"

pvgrub, on the other hand, runs completely on domU. So some might say
pvgrub is "safer" than pygrub.

--
Fajar

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

evammg at gmail

Apr 24, 2012, 5:32 AM

Post #3 of 12 (438 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On 24 April 2012 12:44, Fajar A. Nugraha <list [at] fajar> wrote:
> On Tue, Apr 24, 2012 at 5:29 PM, eva <evammg [at] gmail> wrote:
>> Hello,
>>
>> I am still confused: does pyGrub run in dom0 as root? as it says in here:
>
> Yes
>
>> or does it run in domU? as it says in here:
>
> No.
>
>> Isn't those definitions contradictories?
>
> No.
>
> pygrub:
> - is a python script (which, IIRC, also installs several python modules)
> - runs on dom0
> - extract kernel and initrd from a domU image (file, partition, LVM,
> etc) and put it on dom0 (/var/lib/xen/...)
> - starts domU using the above kernel and initrd
>
> You can test it yourself btw: Run "pygrub -i /path/to/wherever/your/domU/image"
>
> pvgrub, on the other hand, runs completely on domU. So some might say
> pvgrub is "safer" than pygrub.
>
> --
> Fajar

Thanks for the explanation, Fajar.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

lsc at prgmr

Apr 24, 2012, 8:37 AM

Post #4 of 12 (439 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On Tue, Apr 24, 2012 at 05:44:19PM +0700, Fajar A. Nugraha wrote:
>
> pvgrub, on the other hand, runs completely on domU. So some might say
> pvgrub is "safer" than pygrub.

Pvgrub is pretty great if the DomUs are operated by people that don't
have root on the dom0. With pvgrub, it's pretty easy to set things
up so that the person that controls the DomU can never mess up the
DomU to the point that they can't boot[1], something that requires
a xm config file edit otherwise.

The big downside to pvgrub is that it wants a ext2/3 filesystem and
a grub1 format menu.lst file.

[1]http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

evammg at gmail

Apr 25, 2012, 3:59 AM

Post #5 of 12 (436 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On 24 April 2012 17:37, Luke S. Crawford <lsc [at] prgmr> wrote:
>
> On Tue, Apr 24, 2012 at 05:44:19PM +0700, Fajar A. Nugraha wrote:
> >
> > pvgrub, on the other hand, runs completely on domU. So some might say
> > pvgrub is "safer" than pygrub.
>
> Pvgrub is pretty great if the DomUs are operated by people that don't
> have root on the dom0. With pvgrub, it's pretty easy to set things
> up so that the person that controls the DomU can never mess up the
> DomU to the point that they can't boot[1], something that requires
> a xm config file edit otherwise.
>
> The big downside to pvgrub is that it wants a ext2/3 filesystem and
> a grub1 format menu.lst file.
>
>
>
>
> [1]http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>

Thanks Luke. I've been reading the link, and now I have 2 questions.

1- if pygrub needs to mount the domU, why does it says this?
http://wiki.xen.org/wiki/PyGrub

"This means that reading the guest filesystem does not require
mounting the filesystem"

2- What and where is the rescue image?

"which then means that unlike my PyGRUB setup, users can never mess up
their menu.lst to the point where they can’t get into their rescue
image."

Sorry to bother you guys, but I am trying to put it all together in my
head.......

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

list at fajar

Apr 25, 2012, 4:38 AM

Post #6 of 12 (429 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On Wed, Apr 25, 2012 at 5:59 PM, eva <evammg [at] gmail> wrote:

> 1- if pygrub needs to mount the domU, why does it says this?
> http://wiki.xen.org/wiki/PyGrub
>
> "This means that reading the guest filesystem does not require
> mounting the filesystem"

It doesn't.

There are ways to read the contents of an image without mounting it.
In pygrub's case, it reads the data using libfsimage.

--
Fajar

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

linux at thehobsons

Apr 25, 2012, 11:27 AM

Post #7 of 12 (433 views)
Permalink

Re: Where does PyGrub run? [In reply to]

eva wrote:

>1- if pygrub needs to mount the domU, why does it says this?
>http://wiki.xen.org/wiki/PyGrub
>
>"This means that reading the guest filesystem does not require
>mounting the filesystem"

Read the sentence before that : "PyGrub accesses the guest filesystem
using a userspace filesystem library ..."

Ie, instead of mounting the image to copy the files, it uses a
userspace library to access the filesystem. The difference is that if
you just do a regular mount, then the filesystem is mounted by kernel
level code in Dom0 - and there is a theoretic risk that if someone
finds a vulnerability in that, they can use it to compromise Dom0
with a carefully crafted DomU filesystem. Using a userspace library
means that while there's still a risk of compromising the system,
they cannot "crash" it as they could be compromising kernel level
code.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

evammg at gmail

Apr 26, 2012, 1:40 AM

Post #8 of 12 (433 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On 25 April 2012 20:27, Simon Hobson <linux [at] thehobsons> wrote:
>
> eva wrote:
>
>> 1- if pygrub needs to mount the domU, why does it says this?
>> http://wiki.xen.org/wiki/PyGrub
>>
>> "This means that reading the guest filesystem does not require
>> mounting the filesystem"
>
>
> Read the sentence before that : "PyGrub accesses the guest filesystem using a userspace filesystem library ..."
>
> Ie, instead of mounting the image to copy the files, it uses a userspace library to access the filesystem. The difference is that if you just do a regular mount, then the filesystem is mounted by kernel level code in Dom0 - and there is a theoretic risk that if someone finds a vulnerability in that, they can use it to compromise Dom0 with a carefully crafted DomU filesystem. Using a userspace library means that while there's still a risk of compromising the system, they cannot "crash" it as they could be compromising kernel level code.
>
>

Hello Simon,

Thanks for answering. I read that part, but afterwards I read the link
that Luke posted that says:

"The problem with PyGRUB is that while it’s a good simulation of a
bootloader, it has to mount the domU partition"

http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

..hence my confusion.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

linux at thehobsons

Apr 26, 2012, 4:26 AM

Post #9 of 12 (427 views)
Permalink

Re: Where does PyGrub run? [In reply to]

eva wrote:

>Thanks for answering. I read that part, but afterwards I read the link
>that Luke posted that says:
>
>"The problem with PyGRUB is that while it's a good simulation of a
>bootloader, it has to mount the domU partition"
>
>
>http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>
>..hence my confusion.

Hmm, yes. One or other of the Wiki entries is wrong then.

In that link I see the answer to your other query. In there, in
extolling the virtues of pvgrub, the author is hinting (but
explicitly stating) that he is providing a read-only volume which the
end user (DomU owner) cannot modify. In that read-only partition, he
has a basic (rescue) system which the DomU always boots "through" -
thus the end user can never ever completely trash his DomU to the
point that it won't boot anything.
My guess is that he has GRUB installed in the rescue partition, with
two entries - rescue and user. Rescue boots into the rescue system,
user (the default) chain loads a GRUB config from the user's normal
partition. In normal operation, the DomU will load the read-only
GRUB, chainload the user's GRUB, and then boot the user's OS. If the
user screws it up, he can interrupt the initial GRUB, boot into the
rescue system, and from there fix his own system.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

linux at thehobsons

Apr 26, 2012, 4:49 AM

Post #10 of 12 (427 views)
Permalink

Re: Where does PyGrub run? [In reply to]

I wrote:

>... the author is hinting (but explicitly stating) that ...

Oops, that should say "but *not* explicitly stating"
--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

lsc at prgmr

Apr 27, 2012, 8:42 PM

Post #11 of 12 (410 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> eva wrote:
>
> >Thanks for answering. I read that part, but afterwards I read the link
> >that Luke posted that says:
> >
> >"The problem with PyGRUB is that while it's a good simulation of a
> >bootloader, it has to mount the domU partition"
> >
> >
> >http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> >
> >..hence my confusion.
>
> Hmm, yes. One or other of the Wiki entries is wrong then.

Technically, mine is wrong; it uses libfsimage to pull the kernel out
of the block device, it doesn't mount it. But that has many of the
dangers of mounting directly. (As someone else pointed out, I think,
libfsimage can be run as something other than root, as long as it has read
access to the block device, and that helps some, though by default I think
it does run as root. But Pvgrub runs entirely within the guest, so there
is no way a problem in pvgrub can lead to a dom0 compromise.)

Note, pvgrub also protects you from, say, exploits in the code used to
decompress the kernel; with pvgrub, the kernel is uncompressed within
the DomU.

> In that link I see the answer to your other query. In there, in
> extolling the virtues of pvgrub, the author is hinting (but
> explicitly stating) that he is providing a read-only volume which the
> end user (DomU owner) cannot modify. In that read-only partition, he
> has a basic (rescue) system which the DomU always boots "through" -
> thus the end user can never ever completely trash his DomU to the
> point that it won't boot anything.
> My guess is that he has GRUB installed in the rescue partition, with
> two entries - rescue and user. Rescue boots into the rescue system,
> user (the default) chain loads a GRUB config from the user's normal
> partition. In normal operation, the DomU will load the read-only
> GRUB, chainload the user's GRUB, and then boot the user's OS. If the
> user screws it up, he can interrupt the initial GRUB, boot into the
> rescue system, and from there fix his own system.

exactly.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

evammg at gmail

Apr 30, 2012, 2:06 AM

Post #12 of 12 (402 views)
Permalink

Re: Where does PyGrub run? [In reply to]

On 28 April 2012 05:42, Luke S. Crawford <lsc [at] prgmr> wrote:

> On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> > eva wrote:
> >
> > >Thanks for answering. I read that part, but afterwards I read the link
> > >that Luke posted that says:
> > >
> > >"The problem with PyGRUB is that while it's a good simulation of a
> > >bootloader, it has to mount the domU partition"
> > >
> > >
> > >
> http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> > >
> > >..hence my confusion.
> >
> > Hmm, yes. One or other of the Wiki entries is wrong then.
>
> Technically, mine is wrong; it uses libfsimage to pull the kernel out
> of the block device, it doesn't mount it. But that has many of the
> dangers of mounting directly. (As someone else pointed out, I think,
> libfsimage can be run as something other than root, as long as it has read
> access to the block device, and that helps some, though by default I think
> it does run as root. But Pvgrub runs entirely within the guest, so there
> is no way a problem in pvgrub can lead to a dom0 compromise.)
>
> Note, pvgrub also protects you from, say, exploits in the code used to
> decompress the kernel; with pvgrub, the kernel is uncompressed within
> the DomU.
>
> > In that link I see the answer to your other query. In there, in
> > extolling the virtues of pvgrub, the author is hinting (but
> > explicitly stating) that he is providing a read-only volume which the
> > end user (DomU owner) cannot modify. In that read-only partition, he
> > has a basic (rescue) system which the DomU always boots "through" -
> > thus the end user can never ever completely trash his DomU to the
> > point that it won't boot anything.
> > My guess is that he has GRUB installed in the rescue partition, with
> > two entries - rescue and user. Rescue boots into the rescue system,
> > user (the default) chain loads a GRUB config from the user's normal
> > partition. In normal operation, the DomU will load the read-only
> > GRUB, chainload the user's GRUB, and then boot the user's OS. If the
> > user screws it up, he can interrupt the initial GRUB, boot into the
> > rescue system, and from there fix his own system.
>
> exactly.
>
>
>
Thank you guys to help me to clarify this point.

Regards, Eva

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads