[Libguestfs] [PATCH 1/2] sysprep: remove ca certificates in the guest
Daniel P. Berrange
berrange at redhat.com
Wed May 9 11:48:06 UTC 2012
On Wed, May 09, 2012 at 12:45:50PM +0100, Richard W.M. Jones wrote:
> On Wed, May 09, 2012 at 06:08:54PM +0800, Wanlong Gao wrote:
> > Remove the ca certificates.
> >
> > Signed-off-by: Wanlong Gao <gaowanlong at cn.fujitsu.com>
> > ---
> > sysprep/Makefile.am | 2 +
> > sysprep/sysprep_operation_ca_certificates.ml | 62 ++++++++++++++++++++++++++
> > 2 files changed, 64 insertions(+)
> > create mode 100644 sysprep/sysprep_operation_ca_certificates.ml
> >
> > diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
> > index d82e5ae..c6292cc 100644
> > --- a/sysprep/Makefile.am
> > +++ b/sysprep/Makefile.am
> > @@ -35,6 +35,7 @@ SOURCES = \
> > sysprep_operation.ml \
> > sysprep_operation.mli \
> > sysprep_operation_bash_history.ml \
> > + sysprep_operation_ca_certificates.ml \
> > sysprep_operation_cron_spool.ml \
> > sysprep_operation_dhcp_client_state.ml \
> > sysprep_operation_dhcp_server_state.ml \
> > @@ -68,6 +69,7 @@ OBJECTS = \
> > utils.cmx \
> > sysprep_operation.cmx \
> > sysprep_operation_bash_history.cmx \
> > + sysprep_operation_ca_certificates.cmx \
> > sysprep_operation_cron_spool.cmx \
> > sysprep_operation_dhcp_client_state.cmx \
> > sysprep_operation_dhcp_server_state.cmx \
> > diff --git a/sysprep/sysprep_operation_ca_certificates.ml b/sysprep/sysprep_operation_ca_certificates.ml
> > new file mode 100644
> > index 0000000..82b4189
> > --- /dev/null
> > +++ b/sysprep/sysprep_operation_ca_certificates.ml
> > @@ -0,0 +1,62 @@
> > +(* virt-sysprep
> > + * Copyright (C) 2012 FUJITSU LIMITED
> > + *
> > + * This program is free software; you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation; either version 2 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * This program is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > + * GNU General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU General Public License along
> > + * with this program; if not, write to the Free Software Foundation, Inc.,
> > + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> > + *)
> > +
> > +open Sysprep_operation
> > +open Sysprep_gettext.Gettext
> > +
> > +module G = Guestfs
> > +
> > +let ca_certificates_perform g root =
> > + let typ = g#inspect_get_type root in
> > + if typ <> "windows" then (
> > + let paths = [ "/etc/pki/CA/certs/*";
> > + "/etc/pki/CA/crl/*";
> > + "/etc/pki/CA/newcerts/*";
> > + "/etc/pki/CA/private/*";
> > + "/etc/pki/tls/private/*";
> > + "/etc/pki/tls/certs/*.crt"; ] in
> > + let excepts = [ "/etc/pki/tls/certs/ca-bundle.crt";
> > + "/etc/pki/tls/certs/ca-bundle.trust.crt"; ] in
>
> I've no idea if it is correct to remove these files. These
> directories on my machines are all empty. Also what happens if a user
> adds a custom certificate to a machine? Perhaps this operation should
> be included in sysprep but disabled by default?
If we're going to do this, then we need to distinguish between
CA certificates and server/client certificates. The latter are
issued per machine/user and should be removed, the former are
global per organization & should be left untouched.
While considering this area, we should also kill off any kerberos
host principals.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the Libguestfs
mailing list