Re: Pass additional environmental variables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Aug 13, 2014 at 09:57:28AM +0200, Michal Privoznik wrote:
> On 12.08.2014 21:09, Sean Noonan wrote:
> > We're using sasl+gssapi+kerberos to do authentication for libvirt, 
> > including from hypervisor to hypervisor.  However, the environmental 
> > variable filtering implemented in libvirt prevents this from working, so 
> > we're forced to run a locally patched version.
> > 
> > Thoughts on the following patch to pass the location of the local 
> > credential cache as well?
> > 
> > --- a/src/util/vircommand.c    2014-01-07 14:14:11.388934108 +0000
> > +++ b/src/util/vircommand.c    2014-01-07 14:18:14.725082505 +0000
> > @@ -1314,6 +1314,7 @@
> > 
> >       virCommandAddEnvPair(cmd, "LC_ALL", "C");
> > 
> > +    virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
> >       virCommandAddEnvPassBlockSUID(cmd, "LD_PRELOAD", NULL);
> >       virCommandAddEnvPassBlockSUID(cmd, "LD_LIBRARY_PATH", NULL);
> >       virCommandAddEnvPassBlockSUID(cmd, "PATH", "/bin:/usr/bin");
> 
> I've got some doubts whether this is the correct approach. This will
> pass the environment variable to every command spawned. Do we really
> want every command have access to kerberos tickets? On the other hand,
> we've done this for a limited use case:

Yeah, the reason we block nearly all env from commands by default
is to ensure we have a known safe environment. So I'd prefer that
we only set KRB5CCNAME in the specific places that need it. Beyond
the ssh client we're spawning, which places need it ?  I could
see that we probably want it for auto-spawning of libvirtd itself

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]