[libvirt] [PATCH v5 4/4] qemu/rbd: improve rbd device specification

Eric Blake eblake at redhat.com
Wed Nov 16 15:40:14 UTC 2011


On 11/15/2011 06:37 PM, Josh Durgin wrote:
>> The command line that we pass to qemu gets logged.  But what happens if
>> the secret was marked as ephemeral - could we be violating the premise
>> of not exposing passwords to too broad an audience?  Or are we already
>> safe in that the log entries created by virCommand can only be exposed
>> to users that already can get at the secret information by other means?
> 
> The secret can be read from the command line of the running process,
> which is even less secure than the log. I'm working on passing the
> secret via the qemu monitor instead of the command line, which will
> avoid both issues.
> 
>> Maybe this means we should we be adding capabilities into virCommand to
>> prevent the logging of the actual secret (whether base64-encoded or
>> otherwise), and instead log an alternate string?  That is, should
>> virCommand be tracking parallel argv arrays; the real array passed to
>> exec() but never logged, and the alternate array (normally matching the
>> real one, but which can differ in this particular case of passing an
>> argument that contains a password)?

Given your arguments (that ps can read argv of qemu, even if we hid it
from libvirt logs, and that we will be moving to a monitor command as
soon as qemu supports one), I see no reason to hack up virCommand to
support alternate log output.

-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 620 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20111116/fed30adb/attachment-0001.sig>


More information about the libvir-list mailing list