Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Xen>
  3. Users
Is using w! safe to share data between domains?
jsullivan at opensourcedevel
May 19, 2005, 2:37 AM
Post #1 of 13 (1841 views)
Permalink
I have a slightly unusual situation where I need to pass data from one
domain to another but, for security reasons, one of the domains will not
be on the network. I would like to pass the data via a shared disk
partition. I would like to know if what I have done is safe.

I created a disk partition named /dev/VG1/pkipass.
Each domU disk definition contains: 'phy:VG1/pkipass,sda3,w!'
None of the domUs automatically mounts this device.

When one domU needs to deposit data for another domU to pick up (this
exchange is always a manual effort to first deposit the shared data and
then retrieve the shared data), we do the following:

The depositing domU mounts sda3 read-only.
It looks for a tag file -- this tag file is created when a domU has
mounted the partition as read-write
If the tag-file exists {
it unmounts the partition
it sleeps briefly
it retries
}
else {
it remounts the partition read-write
it creates the tag file
it deposits the data
it deletes the tag fie
it unmounts the partition
}

A similar process is used to retrieve the data.

Is this safe?

Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
aliguori at us
May 19, 2005, 8:11 AM
Post #2 of 13 (1821 views)
Permalink
Your scheme has a race condition in it. Suppose that a partition has
opened sda3 read-only and right between after seeing the tag-file
doesn't exist and re-mounting the partition, someone else comes in and
creates the tag file. You know have to partitions that have followed
your rules and have simultaneously opened the partition read-write.

Even if you eliminated the race condition, in general, it's probably not
a good idea to open a file system (even if it's read-only) while someone
else has it open read-write. There's no guarantee the meta-data is
going to be in a consistent state.

Your best bet is probably to use networking to share data between
partitions.

Regards,

Anthony Liguori
John A. Sullivan III wrote:

>I have a slightly unusual situation where I need to pass data from one
>domain to another but, for security reasons, one of the domains will not
>be on the network. I would like to pass the data via a shared disk
>partition. I would like to know if what I have done is safe.
>
>I created a disk partition named /dev/VG1/pkipass.
>Each domU disk definition contains: 'phy:VG1/pkipass,sda3,w!'
>None of the domUs automatically mounts this device.
>
>When one domU needs to deposit data for another domU to pick up (this
>exchange is always a manual effort to first deposit the shared data and
>then retrieve the shared data), we do the following:
>
>The depositing domU mounts sda3 read-only.
>It looks for a tag file -- this tag file is created when a domU has
>mounted the partition as read-write
>If the tag-file exists {
> it unmounts the partition
> it sleeps briefly
> it retries
>}
>else {
> it remounts the partition read-write
> it creates the tag file
> it deposits the data
> it deletes the tag fie
> it unmounts the partition
>}
>
>A similar process is used to retrieve the data.
>
>Is this safe?
>
>Thanks - John
>
>


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
mark.williamson at cl
May 19, 2005, 8:18 AM
Post #3 of 13 (1818 views)
Permalink
> Even if you eliminated the race condition, in general, it's probably not
> a good idea to open a file system (even if it's read-only) while someone
> else has it open read-write. There's no guarantee the meta-data is
> going to be in a consistent state.

If you open a filesystem read only whilst there's another writer, the read
only domain will detect filesystem corruption and get upset. It's not
inconceivable that the reader would actually crash but I haven't actually
heard of this happening.

Cheers,
Mark

> Your best bet is probably to use networking to share data between
> partitions.
>
> Regards,
>
> Anthony Liguori
>
> John A. Sullivan III wrote:
> >I have a slightly unusual situation where I need to pass data from one
> >domain to another but, for security reasons, one of the domains will not
> >be on the network. I would like to pass the data via a shared disk
> >partition. I would like to know if what I have done is safe.
> >
> >I created a disk partition named /dev/VG1/pkipass.
> >Each domU disk definition contains: 'phy:VG1/pkipass,sda3,w!'
> >None of the domUs automatically mounts this device.
> >
> >When one domU needs to deposit data for another domU to pick up (this
> >exchange is always a manual effort to first deposit the shared data and
> >then retrieve the shared data), we do the following:
> >
> >The depositing domU mounts sda3 read-only.
> >It looks for a tag file -- this tag file is created when a domU has
> >mounted the partition as read-write
> >If the tag-file exists {
> > it unmounts the partition
> > it sleeps briefly
> > it retries
> >}
> >else {
> > it remounts the partition read-write
> > it creates the tag file
> > it deposits the data
> > it deletes the tag fie
> > it unmounts the partition
> >}
> >
> >A similar process is used to retrieve the data.
> >
> >Is this safe?
> >
> >Thanks - John
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
mark.williamson at cl
May 19, 2005, 8:21 AM
Post #4 of 13 (1827 views)
Permalink
On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> I have a slightly unusual situation where I need to pass data from one
> domain to another but, for security reasons, one of the domains will not
> be on the network. I would like to pass the data via a shared disk
> partition. I would like to know if what I have done is safe.

Have you considered giving the networkless domain a vif but firewalling it off
from everything you don't trust? Having network available would make this
kind of sharing much easier, since you could use NFS (purely networked), GFS
or OCFS2 (both disk-based but require a network component to work).

Cheers,
Mark

> I created a disk partition named /dev/VG1/pkipass.
> Each domU disk definition contains: 'phy:VG1/pkipass,sda3,w!'
> None of the domUs automatically mounts this device.
>
> When one domU needs to deposit data for another domU to pick up (this
> exchange is always a manual effort to first deposit the shared data and
> then retrieve the shared data), we do the following:
>
> The depositing domU mounts sda3 read-only.
> It looks for a tag file -- this tag file is created when a domU has
> mounted the partition as read-write
> If the tag-file exists {
> it unmounts the partition
> it sleeps briefly
> it retries
> }
> else {
> it remounts the partition read-write
> it creates the tag file
> it deposits the data
> it deletes the tag fie
> it unmounts the partition
> }
>
> A similar process is used to retrieve the data.
>
> Is this safe?
>
> Thanks - John

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
jsullivan at opensourcedevel
May 19, 2005, 9:48 AM
Post #5 of 13 (1827 views)
Permalink
On Thu, 2005-05-19 at 16:21 +0100, Mark Williamson wrote:
> On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> > I have a slightly unusual situation where I need to pass data from one
> > domain to another but, for security reasons, one of the domains will not
> > be on the network. I would like to pass the data via a shared disk
> > partition. I would like to know if what I have done is safe.
>
> Have you considered giving the networkless domain a vif but firewalling it off
> from everything you don't trust? Having network available would make this
> kind of sharing much easier, since you could use NFS (purely networked), GFS
> or OCFS2 (both disk-based but require a network component to work).
>
<snip>
Yes, that was the second choice. We are trying to protect our
Certificate Authorities as much as possible. Thanks to everyone for
their help - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
RE: Is using w! safe to share data between domains? [ In reply to ]
m+Ian.Pratt at cl
May 19, 2005, 10:47 AM
Post #6 of 13 (1823 views)
Permalink
I suspect that in reality you'll get away with periodically mounting the
partition read-only, copying out the data you want, then unmounting it.
You can leave it mounted rw in the other domain the whole time.

Ian

> On Thu, 2005-05-19 at 16:21 +0100, Mark Williamson wrote:
> > On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> > > I have a slightly unusual situation where I need to pass
> data from
> > > one domain to another but, for security reasons, one of
> the domains
> > > will not be on the network. I would like to pass the data via a
> > > shared disk partition. I would like to know if what I
> have done is safe.
> >
> > Have you considered giving the networkless domain a vif but
> > firewalling it off from everything you don't trust? Having network
> > available would make this kind of sharing much easier,
> since you could
> > use NFS (purely networked), GFS or OCFS2 (both disk-based
> but require a network component to work).
> >
> <snip>
> Yes, that was the second choice. We are trying to protect
> our Certificate Authorities as much as possible. Thanks to
> everyone for their help - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> If you would like to participate in the development of an
> open source enterprise class network security management
> system, please visit http://iscs.sourceforge.net
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
RE: Is using w! safe to share data between domains? [ In reply to ]
jsullivan at opensourcedevel
May 19, 2005, 12:09 PM
Post #7 of 13 (1824 views)
Permalink
Hmmm . . . well, I really would prefer to do that although I was
suspicious of the race condition someone else pointed out. The data
exchange is bidirectional. That's why, at some point, multiple devices
must mount it rw though none at the same time unless accidentally.

Should I assume that if one system was always rw and the other ro, that
I could get away with it but, if I must change back and forth, I asking
for trouble?

Thanks very much - and by the way, thanks for such a great product -
John

On Thu, 2005-05-19 at 18:47 +0100, Ian Pratt wrote:
> I suspect that in reality you'll get away with periodically mounting the
> partition read-only, copying out the data you want, then unmounting it.
> You can leave it mounted rw in the other domain the whole time.
>
> Ian
>
> > On Thu, 2005-05-19 at 16:21 +0100, Mark Williamson wrote:
> > > On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> > > > I have a slightly unusual situation where I need to pass
> > data from
> > > > one domain to another but, for security reasons, one of
> > the domains
> > > > will not be on the network. I would like to pass the data via a
> > > > shared disk partition. I would like to know if what I
> > have done is safe.
> > >
> > > Have you considered giving the networkless domain a vif but
> > > firewalling it off from everything you don't trust? Having network
> > > available would make this kind of sharing much easier,
> > since you could
> > > use NFS (purely networked), GFS or OCFS2 (both disk-based
> > but require a network component to work).
> > >
> > <snip>
> > Yes, that was the second choice. We are trying to protect
> > our Certificate Authorities as much as possible. Thanks to
> > everyone for their help - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > If you would like to participate in the development of an
> > open source enterprise class network security management
> > system, please visit http://iscs.sourceforge.net
> >
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@lists.xensource.com
> > http://lists.xensource.com/xen-users
> >
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
RE: Is using w! safe to share data between domains? [ In reply to ]
m+Ian.Pratt at cl
May 19, 2005, 12:19 PM
Post #8 of 13 (1824 views)
Permalink
> Hmmm . . . well, I really would prefer to do that although I
> was suspicious of the race condition someone else pointed
> out. The data exchange is bidirectional. That's why, at
> some point, multiple devices must mount it rw though none at
> the same time unless accidentally.
>
> Should I assume that if one system was always rw and the
> other ro, that I could get away with it but, if I must change
> back and forth, I asking for trouble?

Why not use two partitions, one domain 'owning' each?

Alternatively, if you NTP sync the machines, you could co-ordinate when
they were going to mount the partition. This is a higher risk than the
alternative, though.

If you've only got one writer, the only risk is the reader's kernel
getting confused, but if you've just done a fresh mount of the file
system, read the data out and then unmount I suspect you'll get away
with it in practice.

Ian


> Thanks very much - and by the way, thanks for such a great
> product - John
>
> On Thu, 2005-05-19 at 18:47 +0100, Ian Pratt wrote:
> > I suspect that in reality you'll get away with periodically
> mounting
> > the partition read-only, copying out the data you want,
> then unmounting it.
> > You can leave it mounted rw in the other domain the whole time.
> >
> > Ian
> >
> > > On Thu, 2005-05-19 at 16:21 +0100, Mark Williamson wrote:
> > > > On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> > > > > I have a slightly unusual situation where I need to pass
> > > data from
> > > > > one domain to another but, for security reasons, one of
> > > the domains
> > > > > will not be on the network. I would like to pass the
> data via a
> > > > > shared disk partition. I would like to know if what I
> > > have done is safe.
> > > >
> > > > Have you considered giving the networkless domain a vif but
> > > > firewalling it off from everything you don't trust? Having
> > > > network available would make this kind of sharing much easier,
> > > since you could
> > > > use NFS (purely networked), GFS or OCFS2 (both disk-based
> > > but require a network component to work).
> > > >
> > > <snip>
> > > Yes, that was the second choice. We are trying to protect our
> > > Certificate Authorities as much as possible. Thanks to
> everyone for
> > > their help - John
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > If you would like to participate in the development of an open
> > > source enterprise class network security management
> system, please
> > > visit http://iscs.sourceforge.net
> > >
> > >
> > > _______________________________________________
> > > Xen-users mailing list
> > > Xen-users@lists.xensource.com
> > > http://lists.xensource.com/xen-users
> > >
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
>
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
RE: Is using w! safe to share data between domains? [ In reply to ]
jsullivan at opensourcedevel
May 19, 2005, 4:49 PM
Post #9 of 13 (1827 views)
Permalink
Ah, perhaps I didn't make something sufficiently clear. Although
several domUs will have access to the partition, only one should have it
mounted at any time. In other words, the system first mounts it read
only simply to check to see if anyone else has it mounted and, if they
do not, they remount it as rw. There is the possibility that, in
between the check and the remount as rw, something could sneak in. And
there is the brief moment when it is mounted ro that another device
could be writing to it in which case it is immediately unmounted.

Network exchange with a big firewall does sound technically safer from
corruption even if less safe from intrusion. Thanks - John

On Thu, 2005-05-19 at 20:19 +0100, Ian Pratt wrote:
> > Hmmm . . . well, I really would prefer to do that although I
> > was suspicious of the race condition someone else pointed
> > out. The data exchange is bidirectional. That's why, at
> > some point, multiple devices must mount it rw though none at
> > the same time unless accidentally.
> >
> > Should I assume that if one system was always rw and the
> > other ro, that I could get away with it but, if I must change
> > back and forth, I asking for trouble?
>
> Why not use two partitions, one domain 'owning' each?
>
> Alternatively, if you NTP sync the machines, you could co-ordinate when
> they were going to mount the partition. This is a higher risk than the
> alternative, though.
>
> If you've only got one writer, the only risk is the reader's kernel
> getting confused, but if you've just done a fresh mount of the file
> system, read the data out and then unmount I suspect you'll get away
> with it in practice.
>
> Ian
>
>
> > Thanks very much - and by the way, thanks for such a great
> > product - John
> >
> > On Thu, 2005-05-19 at 18:47 +0100, Ian Pratt wrote:
> > > I suspect that in reality you'll get away with periodically
> > mounting
> > > the partition read-only, copying out the data you want,
> > then unmounting it.
> > > You can leave it mounted rw in the other domain the whole time.
> > >
> > > Ian
> > >
> > > > On Thu, 2005-05-19 at 16:21 +0100, Mark Williamson wrote:
> > > > > On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> > > > > > I have a slightly unusual situation where I need to pass
> > > > data from
> > > > > > one domain to another but, for security reasons, one of
> > > > the domains
> > > > > > will not be on the network. I would like to pass the
> > data via a
> > > > > > shared disk partition. I would like to know if what I
> > > > have done is safe.
> > > > >
> > > > > Have you considered giving the networkless domain a vif but
> > > > > firewalling it off from everything you don't trust? Having
> > > > > network available would make this kind of sharing much easier,
> > > > since you could
> > > > > use NFS (purely networked), GFS or OCFS2 (both disk-based
> > > > but require a network component to work).
> > > > >
> > > > <snip>
> > > > Yes, that was the second choice. We are trying to protect our
> > > > Certificate Authorities as much as possible. Thanks to
> > everyone for
> > > > their help - John
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > If you would like to participate in the development of an open
> > > > source enterprise class network security management
> > system, please
> > > > visit http://iscs.sourceforge.net
> > > >
> > > >
> > > > _______________________________________________
> > > > Xen-users mailing list
> > > > Xen-users@lists.xensource.com
> > > > http://lists.xensource.com/xen-users
> > > >
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > Financially sustainable open source development
> > http://www.opensourcedevel.com
> >
> >
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
davidh.davidh at gmail
May 19, 2005, 5:32 PM
Post #10 of 13 (1821 views)
Permalink
Since the domains will keep the same time you could write your scripts
to do the following:

1. Figure out how long a domain will need the fs (for this example
we'll use 4min).
2. Configure each domain to mount the fs ro and check for "tag-file"
file every other minutes (odd/even).
3. If domain 1 needs the file system it waits it's turn then mounts
the fs ro, checks for the tag-file, remounts rw writes the tag-file,
unmounts the fs, sleeps 2 minutes .
4. Domain 2 mounts the fs ro check for the tag-file, finds it, unmount
the fs, and sleeps 7 minutes.
5. Domain 1 after waiting two minutes mounts the fs rw does it's work,
deletes the tag-file, and unmounts the fs.

As long as the clocks stay in sync and processing completes in the
alloted time the two domains never mount the fs at the same time.

David


On 5/19/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> Ah, perhaps I didn't make something sufficiently clear. Although
> several domUs will have access to the partition, only one should have it
> mounted at any time. In other words, the system first mounts it read
> only simply to check to see if anyone else has it mounted and, if they
> do not, they remount it as rw. There is the possibility that, in
> between the check and the remount as rw, something could sneak in. And
> there is the brief moment when it is mounted ro that another device
> could be writing to it in which case it is immediately unmounted.
>
> Network exchange with a big firewall does sound technically safer from
> corruption even if less safe from intrusion. Thanks - John
>
> On Thu, 2005-05-19 at 20:19 +0100, Ian Pratt wrote:
> > > Hmmm . . . well, I really would prefer to do that although I
> > > was suspicious of the race condition someone else pointed
> > > out. The data exchange is bidirectional. That's why, at
> > > some point, multiple devices must mount it rw though none at
> > > the same time unless accidentally.
> > >
> > > Should I assume that if one system was always rw and the
> > > other ro, that I could get away with it but, if I must change
> > > back and forth, I asking for trouble?
> >
> > Why not use two partitions, one domain 'owning' each?
> >
> > Alternatively, if you NTP sync the machines, you could co-ordinate when
> > they were going to mount the partition. This is a higher risk than the
> > alternative, though.
> >
> > If you've only got one writer, the only risk is the reader's kernel
> > getting confused, but if you've just done a fresh mount of the file
> > system, read the data out and then unmount I suspect you'll get away
> > with it in practice.
> >
> > Ian
> >
> >
> > > Thanks very much - and by the way, thanks for such a great
> > > product - John
> > >
> > > On Thu, 2005-05-19 at 18:47 +0100, Ian Pratt wrote:
> > > > I suspect that in reality you'll get away with periodically
> > > mounting
> > > > the partition read-only, copying out the data you want,
> > > then unmounting it.
> > > > You can leave it mounted rw in the other domain the whole time.
> > > >
> > > > Ian
> > > >
> > > > > On Thu, 2005-05-19 at 16:21 +0100, Mark Williamson wrote:
> > > > > > On Thursday 19 May 2005 10:37, John A. Sullivan III wrote:
> > > > > > > I have a slightly unusual situation where I need to pass
> > > > > data from
> > > > > > > one domain to another but, for security reasons, one of
> > > > > the domains
> > > > > > > will not be on the network. I would like to pass the
> > > data via a
> > > > > > > shared disk partition. I would like to know if what I
> > > > > have done is safe.
> > > > > >
> > > > > > Have you considered giving the networkless domain a vif but
> > > > > > firewalling it off from everything you don't trust? Having
> > > > > > network available would make this kind of sharing much easier,
> > > > > since you could
> > > > > > use NFS (purely networked), GFS or OCFS2 (both disk-based
> > > > > but require a network component to work).
> > > > > >
> > > > > <snip>
> > > > > Yes, that was the second choice. We are trying to protect our
> > > > > Certificate Authorities as much as possible. Thanks to
> > > everyone for
> > > > > their help - John
> > > > > --
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan@opensourcedevel.com
> > > > >
> > > > > If you would like to participate in the development of an open
> > > > > source enterprise class network security management
> > > system, please
> > > > > visit http://iscs.sourceforge.net
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Xen-users mailing list
> > > > > Xen-users@lists.xensource.com
> > > > > http://lists.xensource.com/xen-users
> > > > >
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > Financially sustainable open source development
> > > http://www.opensourcedevel.com
> > >
> > >
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
RE: Is using w! safe to share data between domains? [ In reply to ]
xen-users at nils
May 19, 2005, 5:42 PM
Post #11 of 13 (1823 views)
Permalink
Am Donnerstag, den 19.05.2005, 19:49 -0400 schrieb John A. Sullivan III:
> Ah, perhaps I didn't make something sufficiently clear. Although
> several domUs will have access to the partition, only one should have it
> mounted at any time. In other words, the system first mounts it read
> only simply to check to see if anyone else has it mounted and, if they
> do not, they remount it as rw. There is the possibility that, in
> between the check and the remount as rw, something could sneak in. And
> there is the brief moment when it is mounted ro that another device
> could be writing to it in which case it is immediately unmounted.
>
> Network exchange with a big firewall does sound technically safer from
> corruption even if less safe from intrusion. Thanks - John
[...]
Do you want to protect the CA domU only from the outside world, or has
it to be protected from the other (networked, hence potentially r00ted)
domUs (with which the CA domU exchanges data), too?

In the latter case, the other domU could try to attack the filesystem
driver of the CA domU by writing malicious fs metadata (like currupt
inode tables/superblocks/whatever) to that partition. I'd consider a nfs
relay between them safer!

And you could make firewalling much easier if you use a "virtual DMZ"
toppology (all interfaces marked with a * shall use private rfc1918 ip
addresses):

evil internet
|
|
dom0-eth0
|
|xen-br0
|
dom1-eth0
networked domU, maybe compromised, has to exchange data with dom3
dom1-eth1*
|
|xen-br1 (has no ip in dom0)
|
dom2-eth0*
nfs-server, no ip-forwarding
dom2-eth1*
|
|xen-br2 (has no ip in dom0)
|
dom3-eth0*
CA-domU

Even without any firewalling: to break into the CA domU, an attacker has
to overtake dom1, then the nfs-service on dom2 and finally the nfs-
client on dom3.

I think it would be easier to attack the sshd on dom0 to compromise them
all ;)

/nils.


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
fernando.souto.maior at gmail
May 20, 2005, 11:55 AM
Post #12 of 13 (1823 views)
Permalink
On 5/19/05, Nils Toedtmann <xen-users@nils.toedtmann.net> wrote:
> Am Donnerstag, den 19.05.2005, 19:49 -0400 schrieb John A. Sullivan III:
> > Ah, perhaps I didn't make something sufficiently clear. Although
> > several domUs will have access to the partition, only one should have it
> > mounted at any time. In other words, the system first mounts it read
> > only simply to check to see if anyone else has it mounted and, if they
> > do not, they remount it as rw. There is the possibility that, in
> > between the check and the remount as rw, something could sneak in. And
> > there is the brief moment when it is mounted ro that another device
> > could be writing to it in which case it is immediately unmounted.
> >
> > Network exchange with a big firewall does sound technically safer from
> > corruption even if less safe from intrusion. Thanks - John
> [...]
> Do you want to protect the CA domU only from the outside world, or has
> it to be protected from the other (networked, hence potentially r00ted)
> domUs (with which the CA domU exchanges data), too?
>
> In the latter case, the other domU could try to attack the filesystem
> driver of the CA domU by writing malicious fs metadata (like currupt
> inode tables/superblocks/whatever) to that partition. I'd consider a nfs
> relay between them safer!
>
> And you could make firewalling much easier if you use a "virtual DMZ"
> toppology (all interfaces marked with a * shall use private rfc1918 ip
> addresses):
>
> evil internet
> |
> |
> dom0-eth0
> |
> |xen-br0
> |
> dom1-eth0
> networked domU, maybe compromised, has to exchange data with dom3
> dom1-eth1*
> |
> |xen-br1 (has no ip in dom0)
> |
> dom2-eth0*
> nfs-server, no ip-forwarding
> dom2-eth1*
> |
> |xen-br2 (has no ip in dom0)
> |
> dom3-eth0*
> CA-domU
>
> Even without any firewalling: to break into the CA domU, an attacker has
> to overtake dom1, then the nfs-service on dom2 and finally the nfs-
> client on dom3.
>
> I think it would be easier to attack the sshd on dom0 to compromise them
> all ;)
>
> /nils.
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>

Excuse my lack of knowledge, but I believe there is another
way to get to the thing done.

You want:

1) A number o domUs to write files to a place;
2) Make sure to have the most secure way to do it.

What if...

You set up a one bridge without IP number {
brctl addbr xen-sw1
brctl stp xen-sw1 off
brctl setfd xen-sw1 0
sleep 3
ifconfig xen-sw1 up
}

Then you config your domUs to connect to the bridge,
each one implementing a RFC 1918 ip number and
same network for all of them. You see, any one can
see the other, but no one can reach dom0 or the LAN.

Now you configure a vsftpd to allow just one connection
at any time. You will NOT have more then one domU
accessing that file, for sure. And you enhance the security
with all features on vsftpd you can, so making it very
restricted.

And you configure a firewall on each domU, accepting
NO input/forward on the ethernet connected to the
bridged. Except for the domU where you have vsftpd,
which can be opened ONLY for ftpclients.

Is that good?
--
Bye,
Fernando Maior
LPIC/1 31908

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Is using w! safe to share data between domains? [ In reply to ]
fernando.souto.maior at gmail
May 20, 2005, 11:57 AM
Post #13 of 13 (1823 views)
Permalink
On 5/20/05, Fernando Maior <fernando.souto.maior@gmail.com> wrote:
> On 5/19/05, Nils Toedtmann <xen-users@nils.toedtmann.net> wrote:
> > Am Donnerstag, den 19.05.2005, 19:49 -0400 schrieb John A. Sullivan III:
> > > Ah, perhaps I didn't make something sufficiently clear. Although
> > > several domUs will have access to the partition, only one should have it
> > > mounted at any time. In other words, the system first mounts it read
> > > only simply to check to see if anyone else has it mounted and, if they
> > > do not, they remount it as rw. There is the possibility that, in
> > > between the check and the remount as rw, something could sneak in. And
> > > there is the brief moment when it is mounted ro that another device
> > > could be writing to it in which case it is immediately unmounted.
> > >
> > > Network exchange with a big firewall does sound technically safer from
> > > corruption even if less safe from intrusion. Thanks - John
> > [...]
> > Do you want to protect the CA domU only from the outside world, or has
> > it to be protected from the other (networked, hence potentially r00ted)
> > domUs (with which the CA domU exchanges data), too?
> >
> > In the latter case, the other domU could try to attack the filesystem
> > driver of the CA domU by writing malicious fs metadata (like currupt
> > inode tables/superblocks/whatever) to that partition. I'd consider a nfs
> > relay between them safer!
> >
> > And you could make firewalling much easier if you use a "virtual DMZ"
> > toppology (all interfaces marked with a * shall use private rfc1918 ip
> > addresses):
> >
> > evil internet
> > |
> > |
> > dom0-eth0
> > |
> > |xen-br0
> > |
> > dom1-eth0
> > networked domU, maybe compromised, has to exchange data with dom3
> > dom1-eth1*
> > |
> > |xen-br1 (has no ip in dom0)
> > |
> > dom2-eth0*
> > nfs-server, no ip-forwarding
> > dom2-eth1*
> > |
> > |xen-br2 (has no ip in dom0)
> > |
> > dom3-eth0*
> > CA-domU
> >
> > Even without any firewalling: to break into the CA domU, an attacker has
> > to overtake dom1, then the nfs-service on dom2 and finally the nfs-
> > client on dom3.
> >
> > I think it would be easier to attack the sshd on dom0 to compromise them
> > all ;)
> >
> > /nils.
> >
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@lists.xensource.com
> > http://lists.xensource.com/xen-users
> >
>
> Excuse my lack of knowledge, but I believe there is another
> way to get to the thing done.
>
> You want:
>
> 1) A number o domUs to write files to a place;
> 2) Make sure to have the most secure way to do it.
>
> What if...
>
> You set up a one bridge without IP number {
> brctl addbr xen-sw1
> brctl stp xen-sw1 off
> brctl setfd xen-sw1 0
> sleep 3
> ifconfig xen-sw1 up
> }
>
> Then you config your domUs to connect to the bridge,
> each one implementing a RFC 1918 ip number and
> same network for all of them. You see, any one can
> see the other, but no one can reach dom0 or the LAN.
>
> Now you configure a vsftpd to allow just one connection
> at any time. You will NOT have more then one domU
> accessing that file, for sure. And you enhance the security
> with all features on vsftpd you can, so making it very
> restricted.
>
> And you configure a firewall on each domU, accepting
> NO input/forward on the ethernet connected to the
> bridged. Except for the domU where you have vsftpd,
> which can be opened ONLY for ftpclients.
>
> Is that good?
> --
> Bye,
> Fernando Maior
> LPIC/1 31908
>

To enhance security on domUs that are ftpclients, you can
make iptables filter out any packets not related to the
domU that is the ftpserver.

--
Bye,
Fernando Maior
LPIC/1 31908

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal