On Tue, Mar 23, 2021 at 15:19:44 +0100, Michal Privoznik wrote:
> On 3/23/21 3:04 PM, Peter Krempa wrote:
> > On Tue, Mar 23, 2021 at 14:50:09 +0100, Michal Privoznik wrote:
> > > On 3/23/21 2:42 PM, Daniel P. Berrangé wrote:
> > > > On Tue, Mar 23, 2021 at 02:36:19PM +0100, Michal Privoznik wrote:

[...]

> > The only thing that IMO should be removed but I didn't for compatibility
> > is the 'secret-set-value's 'base64' parameter as that is insecure. There
> > isn't a compatible replacement though.
> >
>
> That's debatable. It's not much worse than reading from a file. I mean, who
> has access to my $HISTFILE? Only me and root and in both cases the secret

It's not about HISTFILE, but about the process listing. On a default
Linux box, all users can list all other users' processes. If your
password is an argument for a command, it will be readable for other
users without the access to your directory.

Arguably, the lifetime of virsh is very short, so it's extremely
unlikely for anyone to notice, but it's insecure regardless.

> can be changed or read from the file (if the file is not deleted right away,
> and even then it could be recovered). Many tools accept passwords in clear
> text on cmd line (e.g. curl, wget). If anything, we could document why

You should avoid use of those arguments if you are on a multi-user box.

> --base64 is dangerous (if we haven't done so yet).

It is documented as such and also prints a warning as pointed out in the
other reply.
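
The process-listing exposure discussed in this message, as an added example that is not part of the original mail or of libvirt: a stand-in consumer process (a small Python child, not virsh) receives a constructed sample secret once as a command-line argument and once on stdin, and the script reads the child's argv back from /proc/<pid>/cmdline, the same source that ps uses. Assumes Linux with procfs mounted; the names CONSUMER, visible_argv, run_consumer and exposes are hypothetical.

```python
import subprocess
import sys

# Constructed sample value, not a real secret.
SAMPLE_SECRET = "c2FtcGxlLXNlY3JldA=="

# Stand-in for a CLI that consumes a secret: blocks until stdin is closed.
CONSUMER = "import sys; sys.stdin.read()"


def visible_argv(pid):
    """Return the argv of pid as published in /proc/<pid>/cmdline.

    On a default procfs mount this file is world-readable, so every local
    user sees the same data (mounting /proc with hidepid restricts that).
    """
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode() for arg in f.read().split(b"\0") if arg]


def run_consumer(secret, via):
    """Start the stand-in with the secret passed via 'argv' or 'stdin' and
    return the argv that is observable while it is running."""
    cmd = [sys.executable, "-c", CONSUMER]
    if via == "argv":
        cmd.append(secret)  # the pattern the thread calls insecure
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE)
    try:
        if via == "stdin":
            proc.stdin.write(secret.encode())  # travels over a pipe only
            proc.stdin.flush()
        return visible_argv(proc.pid)
    finally:
        proc.stdin.close()  # EOF lets the stand-in exit
        proc.wait()


def exposes(secret, via):
    """True if the secret appears in the process listing for this method."""
    return any(secret in arg for arg in run_consumer(secret, via))


if __name__ == "__main__":
    for method in ("argv", "stdin"):
        print(f"{method}: visible in process listing = "
              f"{exposes(SAMPLE_SECRET, method)}")
```
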