Re: [PATCH 0/4] virsh: secret: Improve handling of secret value

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 1/21/20 10:03 AM, Peter Krempa wrote:
On Tue, Jan 21, 2020 at 09:57:22 -0300, Daniel Henrique Barboza wrote:


On 1/10/20 12:42 PM, Peter Krempa wrote:
The currently existing virsh APIs for secrets are awful for human use
and don't promote security.

Peter Krempa (4):
    virsh: secret: Add 'secret-passwd' command
    virsh: secret: Allow getting secret's value without base64 encoding
    virsh: secret: Allow setting secrets from file
    docs: secret: Unify and sanitize examples on how to set secret value

   docs/formatsecret.html.in |  86 ++++++++++++++++++----------
   docs/manpages/virsh.rst   |  26 ++++++++-
   tools/virsh-secret.c      | 116 ++++++++++++++++++++++++++++++++++++--
   3 files changed, 189 insertions(+), 39 deletions(-)



Code-wise LGTM. I have a question about the design though.

Shouldn't we ask for a password confirmation when setting the secret
via secret-passwd? This would be more on par with how 'passwd' works
in Linux, and can also help to prevent user typos when setting a
secret.

I don't really think that it's necessary. When you mess up changing of
your account password you won't be able to log in thus it's a good idea
to make more sure that you didn't miss-type it.

With libvirt secrets, it doesn't prevent you from fixing it later as you
aren't even asked for the previous value of the secret.


Those are fair points. I agree.


All patches:


Reviewed-by: Daniel Henrique Barboza <danielhb413@xxxxxxxxx>








[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux