[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Pass additional environmental variables



On Wed, Aug 13, 2014 at 09:57:28AM +0200, Michal Privoznik wrote:
> On 12.08.2014 21:09, Sean Noonan wrote:
> > We're using sasl+gssapi+kerberos to do authentication for libvirt, 
> > including from hypervisor to hypervisor.  However, the environmental 
> > variable filtering implemented in libvirt prevents this from working, so 
> > we're forced to run a locally patched version.
> > 
> > Thoughts on the following patch to pass the location of the local 
> > credential cache as well?
> > 
> > --- a/src/util/vircommand.c    2014-01-07 14:14:11.388934108 +0000
> > +++ b/src/util/vircommand.c    2014-01-07 14:18:14.725082505 +0000
> > @@ -1314,6 +1314,7 @@
> > 
> >       virCommandAddEnvPair(cmd, "LC_ALL", "C");
> > 
> > +    virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
> >       virCommandAddEnvPassBlockSUID(cmd, "LD_PRELOAD", NULL);
> >       virCommandAddEnvPassBlockSUID(cmd, "LD_LIBRARY_PATH", NULL);
> >       virCommandAddEnvPassBlockSUID(cmd, "PATH", "/bin:/usr/bin");
> 
> I've got some doubts whether this is the correct approach. This will
> pass the environment variable to every command spawned. Do we really
> want every command have access to kerberos tickets? On the other hand,
> we've done this for a limited use case:

Yeah, the reason we block nearly all env from commands by default
is to ensure we have a known safe environment. So I'd prefer that
we only set KRB5CCNAME in the specific places that need it. Beyond
the ssh client we're spawning, which places need it ?  I could
see that we probably want it for auto-spawning of libvirtd itself

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]