[PATCH v2 9/9] docs: secret: Unify and sanitize examples on how to set secret value
Daniel P. Berrangé
berrange at redhat.com
Tue Jan 28 14:59:32 UTC 2020
On Mon, Jan 27, 2020 at 02:16:43PM +0100, Peter Krempa wrote:
> On Mon, Jan 27, 2020 at 09:59:01 +0100, Peter Krempa wrote:
> > On Fri, Jan 24, 2020 at 10:41:00 -0600, Eric Blake wrote:
> > > On 1/24/20 10:08 AM, Peter Krempa wrote:
> > > > Discourage passing secrets as commandline arguments.
> > > >
> > > > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > > > ---
> > > > docs/formatsecret.html.in | 88 +++++++++++++++++++++++++--------------
> > > > 1 file changed, 57 insertions(+), 31 deletions(-)
> > > >
> > >
> > > >
> > > > + <h2><a id="settingSecrets">Setting secret values in virsh</a></h2>
> > > > +
> > >
> > > > + </pre>
> > > > +
> > > > + <p>
> > > > + The secret can also be set via an argument, but note that other users
> > > > + may see it in the process listing output. The secret must be base64
> > > > + encoded.
> > >
> > > Is this last sentence still accurate, given that you can pass --plain to
> > > avoid base64 encoding?
> >
> > I didn't allow to use --plain together with passing it on the command
> > line. --plain works only in conjunction with --file. I didn't see a
> > point of adding new features to an insecure way of doing things.
> >
> > > Should the note use <b> or other formatting to call attention to the
> > > security risk of doing it this way?
> >
> > Yeah, I can add it.
> >
>
> I propose the following change to emphasize the fact that it's insecure:
>
> diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
> index 6c2d5e02a6..695370e150 100644
> --- a/docs/formatsecret.html.in
> +++ b/docs/formatsecret.html.in
> @@ -398,9 +398,10 @@ Secret value set
> </pre>
>
> <p>
> - The secret can also be set via an argument, but note that other users
> - may see it in the process listing output. The secret must be base64
> - encoded.
> + <b>WARNING</b>The following approach is <b>insecure</b> and deprecated.
> + The secret can also be set via an argument. Note that other users may see
> + the actual secret in the process listing!
> + The secret must be base64 encoded.
> </p>
Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list