On Wed, Aug 13, 2014 at 09:57:28AM +0200, Michal Privoznik wrote: > On 12.08.2014 21:09, Sean Noonan wrote: > > We're using sasl+gssapi+kerberos to do authentication for libvirt, > > including from hypervisor to hypervisor. However, the environmental > > variable filtering implemented in libvirt prevents this from working, so > > we're forced to run a locally patched version. > > > > Thoughts on the following patch to pass the location of the local > > credential cache as well? > > > > --- a/src/util/vircommand.c 2014-01-07 14:14:11.388934108 +0000 > > +++ b/src/util/vircommand.c 2014-01-07 14:18:14.725082505 +0000 > > @@ -1314,6 +1314,7 @@ > > > > virCommandAddEnvPair(cmd, "LC_ALL", "C"); > > > > + virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL); > > virCommandAddEnvPassBlockSUID(cmd, "LD_PRELOAD", NULL); > > virCommandAddEnvPassBlockSUID(cmd, "LD_LIBRARY_PATH", NULL); > > virCommandAddEnvPassBlockSUID(cmd, "PATH", "/bin:/usr/bin"); > > I've got some doubts whether this is the correct approach. This will > pass the environment variable to every command spawned. Do we really > want every command have access to kerberos tickets? On the other hand, > we've done this for a limited use case: Yeah, the reason we block nearly all env from commands by default is to ensure we have a known safe environment. So I'd prefer that we only set KRB5CCNAME in the specific places that need it. Beyond the ssh client we're spawning, which places need it ? I could see that we probably want it for auto-spawning of libvirtd itself Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list