This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] bug in dom create script regarding xenstore permission?

To: weiming <zephyr.zhao@xxxxxxxxx>
Subject: Re: [Xen-devel] bug in dom create script regarding xenstore permission?
From: Vincent Hanquez <vincent.hanquez@xxxxxxxxxxxxx>
Date: Tue, 14 Jul 2009 18:45:07 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
weiming wrote:

I upgraded from Xen 3.2 to Xen 3.4 and found that in 3.4, I can't write to xenstore in domU.
Then, I found that the owner of /local/domain/<domid> is 0.
That is:
When I used xs_get_permissions to get the permission of "/local/domain/1", I got
(0,0), (1,1)   (dom, perm)
which implies that dom0 is the owner, and dom1 has read-only perm.

In Xen 3.2, it returns (1,0), which is correct.

So I guess it might be a bug in the dom create scripts, but I can't find where.

Hi weiming,

It's not a bug. The behavior that you are seeing in 3.2 was a security issue. 3.4 got the issue fixed.
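
Added example (not part of the original thread and not Xen's own code): a small evaluator for the (dom, perm) lists quoted above, showing what each ownership layout lets the guest do to its own /local/domain/<domid> node. It assumes the standard xenstore ACL semantics (first entry is the owner and carries the default for unlisted domains, perm values NONE=0, READ=1, WRITE=2, domain 0 is privileged); the function names are hypothetical.

```python
# Xenstore permission bits (values of Xen's enum xs_perm_type).
XS_PERM_NONE, XS_PERM_READ, XS_PERM_WRITE = 0, 1, 2
RW = XS_PERM_READ | XS_PERM_WRITE

# The two ACLs reported in the thread for /local/domain/1.
ACL_XEN_3_2 = [(1, 0)]          # guest (dom1) owns its own subtree root
ACL_XEN_3_4 = [(0, 0), (1, 1)]  # dom0 owns it, dom1 is granted read only


def effective_perm(acl, domid):
    """Return the read/write mask that `domid` holds on a node.

    `acl` is a list of (domid, perm) pairs as xs_get_permissions returns
    them. Entry 0 names the owner; its perm field is the default applied
    to every domain that has no explicit entry later in the list.
    """
    if not acl:
        raise ValueError("a xenstore ACL always has an owner entry")
    owner, default = acl[0]
    # Assumption: domid 0 is the privileged domain. It and the owner
    # always get full access, whatever the perm fields say.
    if domid == 0 or domid == owner:
        return RW
    for dom, perm in acl[1:]:
        if dom == domid:
            return perm & RW
    return default & RW


def can_write(acl, domid):
    return bool(effective_perm(acl, domid) & XS_PERM_WRITE)


def can_set_perms(acl, domid):
    """Only the owner (or the privileged domain) may change a node's ACL."""
    return domid == 0 or domid == acl[0][0]


if __name__ == "__main__":
    for name, acl in (("3.2", ACL_XEN_3_2), ("3.4", ACL_XEN_3_4)):
        print(f"Xen {name}: dom1 write={can_write(acl, 1)} "
              f"set_perms={can_set_perms(acl, 1)}")
```

With the 3.2 layout the guest can both write under and re-permission its own domain root; with the 3.4 layout it can only read it, which is the change the reply describes.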

