On 11/15/2011 06:37 PM, Josh Durgin wrote:
>> The command line that we pass to qemu gets logged. But what happens if
>> the secret was marked as ephemeral - could we be violating the premise
>> of not exposing passwords to too broad an audience? Or are we already
>> safe in that the log entries created by virCommand can only be exposed
>> to users that already can get at the secret information by other means?
>
> The secret can be read from the command line of the running process,
> which is even less secure than the log. I'm working on passing the
> secret via the qemu monitor instead of the command line, which will
> avoid both issues.
>
>> Maybe this means we should we be adding capabilities into virCommand to
>> prevent the logging of the actual secret (whether base64-encoded or
>> otherwise), and instead log an alternate string? That is, should
>> virCommand be tracking parallel argv arrays; the real array passed to
>> exec() but never logged, and the alternate array (normally matching the
>> real one, but which can differ in this particular case of passing an
>> argument that contains a password)?

Given your arguments (that ps can read argv of qemu, even if we hid it
from libvirt logs, and that we will be moving to a monitor command as
soon as qemu supports one), I see no reason to hack up virCommand to
support alternate log output.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
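The exposure Josh describes above (the secret sits in the running process's argv, which ps reads from /proc/<pid>/cmdline on Linux) turned into a defender-side audit check; this is an added example, not code from the thread or from libvirt, and the marker strings, the sample qemu argv and the function names are constructed assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Substrings that mark an argument as secret-bearing. Assumed list for
 * this example; "key=" is the shape of an inline rbd secret. */
static const char *secret_markers[] = { "key=", "password=", "secret=", NULL };

/* Scan a /proc/<pid>/cmdline-style buffer (argv entries separated by NUL
 * bytes, buf[0..len)) and return how many arguments contain a marker. */
int count_secret_args(const char *buf, size_t len)
{
    int hits = 0;
    size_t i = 0;
    while (i < len) {
        const char *arg = buf + i;
        size_t arglen = strnlen(arg, len - i);   /* tolerate a missing final NUL */
        for (const char **m = secret_markers; *m; m++) {
            if (memmem(arg, arglen, *m, strlen(*m))) { hits++; break; }
        }
        i += arglen + 1;
    }
    return hits;
}

/* Read /proc/<pid>/cmdline for a live process and audit it.
 * Returns the hit count, or -1 if the file cannot be read. */
int audit_pid_cmdline(long pid)
{
    char path[64], buf[65536];
    snprintf(path, sizeof path, "/proc/%ld/cmdline", pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return count_secret_args(buf, n);
}

int main(void)
{
    /* Constructed sample of what a qemu argv with an inline rbd key looks like. */
    static const char sample[] = "qemu-kvm\0-drive\0file=rbd:pool/img:key=QVFB...\0-m\0512\0";
    printf("secret-bearing args: %d\n", count_secret_args(sample, sizeof sample - 1));
    return 0;
}
```

Anything with read access to /proc/<pid>/cmdline (that is, every local user for a process whose cmdline is world-readable) sees the same bytes, which is why redacting only the libvirt log would not have closed the exposure.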