Re: [Xen-users] Where does PyGrub run?

  • To: xen-users@xxxxxxxxxxxxx
  • From: "Luke S. Crawford" <lsc@xxxxxxxxx>
  • Date: Fri, 27 Apr 2012 23:42:18 -0400
  • Delivery-date: Sat, 28 Apr 2012 03:43:44 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> eva wrote:
> >Thanks for answering. I read that part, but afterwards I read the link
> >that Luke posted that says:
> >
> >"The problem with PyGRUB is that while it's a good simulation of a
> >bootloader, it has to mount the domU partition"
> >
> >
> >http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
> >
> >..hence my confusion.
> Hmm, yes. One or other of the Wiki entries is wrong then.

Technically, mine is wrong; it uses libfsimage to pull the kernel out
of the block device, it doesn't mount it. But that has many of the
dangers of mounting directly. (As someone else pointed out, I think,
libfsimage can be run as something other than root, as long as it has read
access to the block device, and that helps some, though by default I think
it does run as root. But Pvgrub runs entirely within the guest, so there
is no way a problem in pvgrub can lead to a dom0 compromise.)

Note, pvgrub also protects you from, say, exploits in the code used to 
decompress the kernel; with pvgrub, the kernel is uncompressed within
the DomU.

> In that link I see the answer to your other query. In there, in 
> extolling the virtues of pvgrub, the author is hinting (but 
> explicitly stating) that he is providing a read-only volume which the 
> end user (DomU owner) cannot modify. In that read-only partition, he 
> has a basic (rescue) system which the DomU always boots "through" - 
> thus the end user can never ever completely trash his DomU to the 
> point that it won't boot anything.
> My guess is that he has GRUB installed in the rescue partition, with 
> two entries - rescue and user. Rescue boots into the rescue system, 
> user (the default) chain loads a GRUB config from the user's normal 
> partition. In normal operation, the DomU will load the read-only 
> GRUB, chainload the user's GRUB, and then boot the user's OS. If the 
> user screws it up, he can interrupt the initial GRUB, boot into the 
> rescue system, and from there fix his own system.
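Below is a sketch of the two-entry layout Simon describes, written out as a GRUB legacy menu.lst for the provider's read-only rescue volume. It is an added illustration, not a file posted in this thread or shipped by Xen or prgmr. It assumes the domU is booted with pv-grub (for example `kernel = "/usr/lib/xen/boot/pv-grub-x86_64.gz"` and `extra = "(hd0,0)/boot/grub/menu.lst"` in the domain config; both the binary path and the partition are assumptions), that the read-only rescue volume is listed first in `disk = [...]` (so it appears as hd0) and the user's volume second (hd1), and that the rescue kernel and initrd names are placeholders.

```text
# Added example, not from the thread: menu.lst on the read-only rescue
# volume, in the GRUB legacy syntax that pv-grub understands.
# Assumptions: hd0 = provider's read-only rescue volume (xvda in the
# guest), hd1 = the user's own volume. Kernel/initrd names are placeholders.

# Entry 0 ("user") boots unless someone interrupts the menu.
default 0
# Seconds the user has to interrupt and choose "rescue" instead.
timeout 5

title user
# Hand over to the menu.lst on the user's own volume. Because pv-grub
# parses it inside the DomU, a broken or hostile config there can only
# affect this guest, never dom0.
configfile (hd1,0)/boot/grub/menu.lst

title rescue
# Minimal system on the read-only volume. The user cannot modify it,
# so it still boots after the user's volume has been trashed.
root (hd0,0)
kernel /boot/vmlinuz-rescue root=/dev/xvda1 ro
initrd /boot/initrd-rescue.img
```

The security property comes from where the parsing happens, not from the menu itself: with pygrub the equivalent "user" menu.lst would be read by dom0 code via libfsimage, whereas here every file on the user's volume is only ever opened by code running in the guest.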

