On Mon, Jan 27, 2020 at 09:59:01 +0100, Peter Krempa wrote:
> On Fri, Jan 24, 2020 at 10:41:00 -0600, Eric Blake wrote:
> > On 1/24/20 10:08 AM, Peter Krempa wrote:
> > > Discourage passing secrets as commandline arguments.
> > >
> > > Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> > > ---
> > > docs/formatsecret.html.in | 88 +++++++++++++++++++++++++--------------
> > > 1 file changed, 57 insertions(+), 31 deletions(-)
> > >
> >
> > >
> > > + <h2><a id="settingSecrets">Setting secret values in virsh</a></h2>
> > > +
> >
> > > + </pre>
> > > +
> > > + <p>
> > > + The secret can also be set via an argument, but note that other users
> > > + may see it in the process listing output. The secret must be base64
> > > + encoded.
> >
> > Is this last sentence still accurate, given that you can pass --plain to
> > avoid base64 encoding?
>
> I didn't allow to use --plain together with passing it on the command
> line. --plain works only in conjunction with --file. I didn't see a
> point of adding new features to an insecure way of doing things.
>
> > Should the note use <b> or other formatting to call attention to the
> > security risk of doing it this way?
>
> Yeah, I can add it.
>
I propose the following change to emphasize the fact that it's insecure:
diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index 6c2d5e02a6..695370e150 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -398,9 +398,10 @@ Secret value set
</pre>
<p>
- The secret can also be set via an argument, but note that other users
- may see it in the process listing output. The secret must be base64
- encoded.
+ <b>WARNING</b>The following approach is <b>insecure</b> and deprecated.
+ The secret can also be set via an argument. Note that other users may see
+ the actual secret in the process listing!
+ The secret must be base64 encoded.
</p>
Attachment:
signature.asc
Description: PGP signature
