[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Where does PyGrub run?

To: xen-users@xxxxxxxxxxxxx
From: "Luke S. Crawford" <lsc@xxxxxxxxx>
Date: Fri, 27 Apr 2012 23:42:18 -0400
Delivery-date: Sat, 28 Apr 2012 03:43:44 +0000
List-id: Xen user discussion <xen-users.lists.xen.org>

On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> eva wrote:
> 
> >Thanks for answering. I read that part, but afterwards I read the link
> >that Luke posted that says:
> >
> >"The problem with PyGRUB is that while it's a good simulation of a
> >bootloader, it has to mount the domU partition"
> >
> >
> >http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> >
> >..hence my confusion.
> 
> Hmm, yes. One or other of the Wiki entries is wrong then.

Technically, mine is wrong;  it uses libfsimage to pull the kernel out
of the block device, it doesn't mount it.   But that has many of the 
dangers of mounting directly.  (As someone else pointed out, I think,
libfsimage can be run as something other than root, as long as it has read
access to the block device, and that helps some, though by default I think
it does run as root.  But Pvgrub runs entirely within the guest, so there 
is no way a problem in pvgrub can lead to a dom0 compromise.)  

Note, pvgrub also protects you from, say, exploits in the code used to 
decompress the kernel; with pvgrub, the kernel is uncompressed within
the DomU.

> In that link I see the answer to your other query. In there, in 
> extolling the virtues of pvgrub, the author is hinting (but 
> explicitly stating) that he is providing a read-only volume which the 
> end user (DomU owner) cannot modify. In that read-only partition, he 
> has a basic (rescue) system which the DomU always boots "through" - 
> thus the end user can never ever completely trash his DomU to the 
> point that it won't boot anything.
> My guess is that he has GRUB installed in the rescue partition, with 
> two entries - rescue and user. Rescue boots into the rescue system, 
> user (the default) chain loads a GRUB config from the user's normal 
> partition. In normal operation, the DomU will load the read-only 
> GRUB, chainload the user's GRUB, and then boot the user's OS. If the 
> user screws it up, he can interrupt the initial GRUB, boot into the 
> rescue system, and from there fix his own system.

exactly. 



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

Follow-Ups:
- Re: [Xen-users] Where does PyGrub run?
  - From: eva

References:
- [Xen-users] Where does PyGrub run?
  - From: eva
- Re: [Xen-users] Where does PyGrub run?
  - From: Fajar A. Nugraha
- Re: [Xen-users] Where does PyGrub run?
  - From: Luke S. Crawford
- Re: [Xen-users] Where does PyGrub run?
  - From: eva
- Re: [Xen-users] Where does PyGrub run?
  - From: Simon Hobson
- Re: [Xen-users] Where does PyGrub run?
  - From: eva
- Re: [Xen-users] Where does PyGrub run?
  - From: Simon Hobson

Prev by Date: [Xen-users] Segmentation Fault when Starting domUs
Next by Date: [Xen-users] Xen VGA PassThrough NVIDIA: include pci-stub case for changeset 25240
Previous by thread: Re: [Xen-users] Where does PyGrub run?
Next by thread: Re: [Xen-users] Where does PyGrub run?
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.