Xen users - Apr 2012 - Where does PyGrub run?

Hello,

I am still confused: does pyGrub run in dom0 as root? as it says in here:

"PyGRUB used to act as a “PV bootloader”: it runs in dom0 as root,
opens the PV disk image, reads its GRUB menu.lst, presents a GRUB-like
menu to let the user choose a kernel which it copies to the dom0
filesystem, it then closes the disk image and eventually tells the
domain builder to use that copy.  Such a dom0 root process that parses
user-provided data is a potential security breach."
http://blog.xen.org/index.php/2008/08/28/xen-33-feature-pv-grub/

or does it run in domU? as it says in here:

"PyGrub enables you to start Linux domUs with a kernel inside the DomU
instead of a kernel that lies in the filesystem of the dom0."
http://wiki.xen.org/wiki/PyGrub

Isn''t those definitions contradictories? Am I misunderstanding
something?

Regards,

Eva

On Tue, Apr 24, 2012 at 5:29 PM, eva <evammg@gmail.com>
wrote:
> Hello,
>
> I am still confused: does pyGrub run in dom0 as root? as it says in here:
Yes
> or does it run in domU? as it says in here:
No.
> Isn''t those definitions contradictories?
No.

pygrub:
- is a python script (which, IIRC, also installs several python modules)
- runs on dom0
- extract kernel and initrd from a domU image (file, partition, LVM,
etc) and put it on dom0 (/var/lib/xen/...)
- starts domU using the above kernel and initrd

You can test it yourself btw: Run "pygrub -i
/path/to/wherever/your/domU/image"

pvgrub, on the other hand, runs completely on domU. So some might say
pvgrub is "safer" than pygrub.

-- 
Fajar

On 24 April 2012 12:44, Fajar A. Nugraha <list@fajar.net>
wrote:
> On Tue, Apr 24, 2012 at 5:29 PM, eva <evammg@gmail.com> wrote:
>> Hello,
>>
>> I am still confused: does pyGrub run in dom0 as root? as it says in
here:
>
> Yes
>
>> or does it run in domU? as it says in here:
>
> No.
>
>> Isn''t those definitions contradictories?
>
> No.
>
> pygrub:
> - is a python script (which, IIRC, also installs several python modules)
> - runs on dom0
> - extract kernel and initrd from a domU image (file, partition, LVM,
> etc) and put it on dom0 (/var/lib/xen/...)
> - starts domU using the above kernel and initrd
>
> You can test it yourself btw: Run "pygrub -i
/path/to/wherever/your/domU/image"
>
> pvgrub, on the other hand, runs completely on domU. So some might say
> pvgrub is "safer" than pygrub.
>
> --
> Fajar
Thanks for the explanation, Fajar.

On Tue, Apr 24, 2012 at 05:44:19PM +0700, Fajar A. Nugraha
wrote:
> 
> pvgrub, on the other hand, runs completely on domU. So some might say
> pvgrub is "safer" than pygrub.
Pvgrub is pretty great if the DomUs are operated by people that don''t
have root on the dom0.  With pvgrub, it''s pretty easy to set things
up so that the person that controls the DomU can never mess up the 
DomU to the point that they can''t boot[1], something that requires 
a xm config file edit otherwise.

The big downside to pvgrub is that it wants a ext2/3 filesystem and
a grub1 format menu.lst file.  




[1]http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

On 24 April 2012 17:37, Luke S. Crawford <lsc@prgmr.com>
wrote:
>
> On Tue, Apr 24, 2012 at 05:44:19PM +0700, Fajar A. Nugraha wrote:
> >
> > pvgrub, on the other hand, runs completely on domU. So some might say
> > pvgrub is "safer" than pygrub.
>
> Pvgrub is pretty great if the DomUs are operated by people that
don''t
> have root on the dom0.  With pvgrub, it''s pretty easy to set
things
> up so that the person that controls the DomU can never mess up the
> DomU to the point that they can''t boot[1], something that requires
> a xm config file edit otherwise.
>
> The big downside to pvgrub is that it wants a ext2/3 filesystem and
> a grub1 format menu.lst file.
>
>
>
>
>
[1]http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>

Thanks Luke. I''ve been reading the link, and now I have 2 questions.

1- if pygrub needs to mount the domU, why does it says this?
http://wiki.xen.org/wiki/PyGrub

"This means that reading the guest filesystem does not require
mounting the filesystem"

2- What and where is the rescue image?

"which then means that unlike my PyGRUB setup, users can never mess up
their menu.lst to the point where they can’t get into their rescue
image."

Sorry to bother you guys, but I am trying to put it all together in my
head.......

On Wed, Apr 25, 2012 at 5:59 PM, eva <evammg@gmail.com> wrote:
> 1- if pygrub needs to mount the domU, why does it says this?
> http://wiki.xen.org/wiki/PyGrub
>
> "This means that reading the guest filesystem does not require
> mounting the filesystem"
It doesn''t.

There are ways to read the contents of an image without mounting it.
In pygrub''s case, it reads the data using libfsimage.

-- 
Fajar

eva wrote:
>1- if pygrub needs to mount the domU, why does it says this?
>http://wiki.xen.org/wiki/PyGrub
>
>"This means that reading the guest filesystem does not require
>mounting the filesystem"
Read the sentence before that : "PyGrub accesses the guest filesystem 
using a userspace filesystem library ..."

Ie, instead of mounting the image to copy the files, it uses a 
userspace library to access the filesystem. The difference is that if 
you just do a regular mount, then the filesystem is mounted by kernel 
level code in Dom0 - and there is a theoretic risk that if someone 
finds a vulnerability in that, they can use it to compromise Dom0 
with a carefully crafted DomU filesystem. Using a userspace library 
means that while there''s still a risk of compromising the system, 
they cannot "crash" it as they could be compromising kernel level 
code.


-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

On 25 April 2012 20:27, Simon Hobson <linux@thehobsons.co.uk>
wrote:
>
> eva wrote:
>
>> 1- if pygrub needs to mount the domU, why does it says this?
>> http://wiki.xen.org/wiki/PyGrub
>>
>> "This means that reading the guest filesystem does not require
>> mounting the filesystem"
>
>
> Read the sentence before that : "PyGrub accesses the guest filesystem
using a userspace filesystem library ..."
>
> Ie, instead of mounting the image to copy the files, it uses a userspace
library to access the filesystem. The difference is that if you just do a
regular mount, then the filesystem is mounted by kernel level code in Dom0 - and
there is a theoretic risk that if someone finds a vulnerability in that, they
can use it to compromise Dom0 with a carefully crafted DomU filesystem. Using a
userspace library means that while there''s still a risk of compromising
the system, they cannot "crash" it as they could be compromising
kernel level code.
>
>
Hello Simon,

Thanks for answering. I read that part, but afterwards I read the link
that Luke posted that says:

"The problem with PyGRUB is that while it’s a good simulation of a
bootloader, it has to mount the domU partition"

 http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F

..hence my confusion.

eva wrote:
>Thanks for answering. I read that part, but afterwards I read the link
>that Luke posted that says:
>
>"The problem with PyGRUB is that while it''s a good simulation
of a
>bootloader, it has to mount the domU partition"
>
> 
>http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>
>..hence my confusion.
Hmm, yes. One or other of the Wiki entries is wrong then.

In that link I see the answer to your other query. In there, in 
extolling the virtues of pvgrub, the author is hinting (but 
explicitly stating) that he is providing a read-only volume which the 
end user (DomU owner) cannot modify. In that read-only partition, he 
has a basic (rescue) system which the DomU always boots "through" - 
thus the end user can never ever completely trash his DomU to the 
point that it won''t boot anything.
My guess is that he has GRUB installed in the rescue partition, with 
two entries - rescue and user. Rescue boots into the rescue system, 
user (the default) chain loads a GRUB config from the user''s normal 
partition. In normal operation, the DomU will load the read-only 
GRUB, chainload the user''s GRUB, and then boot the user''s OS.
If the
user screws it up, he can interrupt the initial GRUB, boot into the 
rescue system, and from there fix his own system.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

I wrote:
>... the author is hinting (but explicitly stating) that ...
Oops, that should say "but *not* explicitly stating"
-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson
wrote:
> eva wrote:
> 
> >Thanks for answering. I read that part, but afterwards I read the link
> >that Luke posted that says:
> >
> >"The problem with PyGRUB is that while it''s a good
simulation of a
> >bootloader, it has to mount the domU partition"
> >
> >
>
>http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> >
> >..hence my confusion.
> 
> Hmm, yes. One or other of the Wiki entries is wrong then.
Technically, mine is wrong;  it uses libfsimage to pull the kernel out
of the block device, it doesn''t mount it.   But that has many of the 
dangers of mounting directly.  (As someone else pointed out, I think,
libfsimage can be run as something other than root, as long as it has read
access to the block device, and that helps some, though by default I think
it does run as root.  But Pvgrub runs entirely within the guest, so there 
is no way a problem in pvgrub can lead to a dom0 compromise.)  

Note, pvgrub also protects you from, say, exploits in the code used to 
decompress the kernel; with pvgrub, the kernel is uncompressed within
the DomU.
> In that link I see the answer to your other query. In there, in 
> extolling the virtues of pvgrub, the author is hinting (but 
> explicitly stating) that he is providing a read-only volume which the 
> end user (DomU owner) cannot modify. In that read-only partition, he 
> has a basic (rescue) system which the DomU always boots "through"
-
> thus the end user can never ever completely trash his DomU to the 
> point that it won''t boot anything.
> My guess is that he has GRUB installed in the rescue partition, with 
> two entries - rescue and user. Rescue boots into the rescue system, 
> user (the default) chain loads a GRUB config from the user''s
normal
> partition. In normal operation, the DomU will load the read-only 
> GRUB, chainload the user''s GRUB, and then boot the user''s
OS. If the
> user screws it up, he can interrupt the initial GRUB, boot into the 
> rescue system, and from there fix his own system.
exactly.

On 28 April 2012 05:42, Luke S. Crawford <lsc@prgmr.com> wrote:
> On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> > eva wrote:
> >
> > >Thanks for answering. I read that part, but afterwards I read the
link
> > >that Luke posted that says:
> > >
> > >"The problem with PyGRUB is that while it''s a good
simulation of a
> > >bootloader, it has to mount the domU partition"
> > >
> > >
> > >
>
http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> > >
> > >..hence my confusion.
> >
> > Hmm, yes. One or other of the Wiki entries is wrong then.
>
> Technically, mine is wrong;  it uses libfsimage to pull the kernel out
> of the block device, it doesn''t mount it.   But that has many of
the
> dangers of mounting directly.  (As someone else pointed out, I think,
> libfsimage can be run as something other than root, as long as it has read
> access to the block device, and that helps some, though by default I think
> it does run as root.  But Pvgrub runs entirely within the guest, so there
> is no way a problem in pvgrub can lead to a dom0 compromise.)
>
> Note, pvgrub also protects you from, say, exploits in the code used to
> decompress the kernel; with pvgrub, the kernel is uncompressed within
> the DomU.
>
> > In that link I see the answer to your other query. In there, in
> > extolling the virtues of pvgrub, the author is hinting (but
> > explicitly stating) that he is providing a read-only volume which the
> > end user (DomU owner) cannot modify. In that read-only partition, he
> > has a basic (rescue) system which the DomU always boots
"through" -
> > thus the end user can never ever completely trash his DomU to the
> > point that it won''t boot anything.
> > My guess is that he has GRUB installed in the rescue partition, with
> > two entries - rescue and user. Rescue boots into the rescue system,
> > user (the default) chain loads a GRUB config from the user''s
normal
> > partition. In normal operation, the DomU will load the read-only
> > GRUB, chainload the user''s GRUB, and then boot the
user''s OS. If the
> > user screws it up, he can interrupt the initial GRUB, boot into the
> > rescue system, and from there fix his own system.
>
> exactly.
>
>
>
Thank you guys to help me to clarify this point.

Regards, Eva


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users