

Re: [Xen-devel] bug in dom create script regarding xenstore permission?

To: Vincent Hanquez <vincent.hanquez@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] bug in dom create script regarding xenstore permission?
From: weiming <zephyr.zhao@xxxxxxxxx>
Date: Tue, 14 Jul 2009 14:05:04 -0400
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Hi Vincent,

Thanks for letting me know.

Is there any way to override this default behavior?
I have a script in domU, which is supposed to post some info to xenstore after it boots up.
Yes, I can manually grant permission after I create a guest domain, but I wish I could automate it.


On Tue, Jul 14, 2009 at 1:45 PM, Vincent Hanquez <vincent.hanquez@xxxxxxxxxxxxx> wrote:
> weiming wrote:
>
> > I upgraded from Xen 3.2 to Xen 3.4 and found that in 3.4, I can't write xenstore in domU.
> > Then, I found that the owner of the /local/domain/<domid> is 0.
> > That is:
> > When I used xs_get_permissions to get the permission of "/local/domain/1", I got
> > (0,0), (1,1)   (dom, perm)
> > which implies that dom0 is the owner, and dom1 has read-only perm.
> >
> > In Xen 3.2, it returns (1,0), which is correct.
> >
> > So I guess it might be a bug in the dom create scripts, but I can't find where.
>
> Hi weiming,
>
> It's not a bug. The behavior that you are seeing in 3.2 was a security issue. 3.4 got the issue fixed.
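
The (dom, perm) lists quoted in this thread can be read with the following model of the xenstore access check, added here as an illustration; it is not code from the thread or from Xen. The type and function names are hypothetical, the numeric values follow libxenstore's `xs_perm_type`, and the sample lists are constructed from the values quoted above.

```c
#include <stdio.h>
#include <stddef.h>

/* Values mirror libxenstore's enum xs_perm_type (NONE=0, READ=1, WRITE=2). */
enum perm { PERM_NONE = 0, PERM_READ = 1, PERM_WRITE = 2 };

/* One (dom, perm) pair, in the order printed in the thread. */
struct perm_entry { unsigned int id; unsigned int perms; };

/* Effective access of domid on a node whose permission list is acl[0..n-1].
 * acl[0].id is the owner; acl[0].perms is the default for unlisted domains.
 * The owner and the privileged dom0 always get read+write. */
unsigned int effective_perms(const struct perm_entry *acl, size_t n,
                             unsigned int domid)
{
    size_t i;

    if (n == 0)
        return PERM_NONE; /* empty list: deny (assumption of this model) */
    if (domid == 0 || domid == acl[0].id)
        return PERM_READ | PERM_WRITE;
    for (i = 1; i < n; i++)
        if (acl[i].id == domid)
            return acl[i].perms;
    return acl[0].perms;
}

int can_write(const struct perm_entry *acl, size_t n, unsigned int domid)
{
    return (effective_perms(acl, n, domid) & PERM_WRITE) != 0;
}

/* Constructed samples: the lists reported for /local/domain/1. */
const struct perm_entry acl_xen34[] = { {0, PERM_NONE}, {1, PERM_READ} };
const struct perm_entry acl_xen32[] = { {1, PERM_NONE} };

int main(void)
{
    printf("3.4: dom1 can write=%d, dom2 perms=%u\n",
           can_write(acl_xen34, 2, 1), effective_perms(acl_xen34, 2, 2));
    printf("3.2: dom1 can write=%d, dom2 perms=%u\n",
           can_write(acl_xen32, 1, 1), effective_perms(acl_xen32, 1, 2));
    return 0;
}
```

Under the 3.2 list the guest owns its own subtree and can write anywhere in it; under the 3.4 list it can only read, and unlisted guests get nothing in either case.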

