Bug 1410030

Summary: plain password should not be displayed in logs
Product: Red Hat Enterprise Linux 7
Component: virt-viewer
Version: 7.4
Hardware: x86_64
OS: Unspecified
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Reporter: Xiaodai Wang <xiaodwan>
Assignee: Pavel Grunt <pgrunt>
QA Contact: Virtualization Bugs <virt-bugs>
CC: dblechte, juzhou, kuwei, mxie, mzhan, pgrunt, rbalakri, tzheng
Fixed In Version: virt-viewer-5.0-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 15:04:11 UTC
Type: Bug
Bug Blocks: 1410031

Description Xiaodai Wang 2017-01-04 09:32:05 UTC
Description of problem:
plain password should not be displayed in logs

Version-Release number of selected component (if applicable):
virt-viewer-2.0-13.el7

How reproducible:
100%

Steps to Reproduce:
1. Enable "auth_unix_rw='sasl'" in /etc/libvirt/libvirtd.conf.
add auth_unix_rw="sasl" in the /etc/libvirt/libvirtd.conf
2. Add sasl user
# saslpasswd2 -a libvirt xiaodwan
(input your passwd)
3. Restart libvirtd service
# service libvirtd restart
4. Connect to a vm by qemu+unix and --attach and --debug option.
# virt-viewer -c qemu+unix:///system demo -a --debug

Actual results:
Plain password is printed.

(virt-viewer:25350): virt-viewer-DEBUG: Got libvirt credential request for 2 credential(s)
(virt-viewer:25350): virt-viewer-DEBUG: Got 'xiaodwan' 8 2
(virt-viewer:25350): virt-viewer-DEBUG: Got 'xxxx' 6 5

Expected results:
plain password should not be printed.

Additional info:

Comment 1 Pavel Grunt 2017-01-04 09:59:07 UTC
Posted: https://www.redhat.com/archives/virt-tools-list/2017-January/msg00008.html

I don't see this debug message as interesting/helpful.

Comment 4 Xiaodai Wang 2017-03-22 06:19:12 UTC
I verified this bug with virt-viewer-5.0-2.el7.x86_64; the plain password isn't displayed in the debug log.

(virt-viewer:5348): virt-viewer-DEBUG: connecting ...
(virt-viewer:5348): virt-viewer-DEBUG: Opening connection to libvirt with URI <null>
(virt-viewer:5348): virt-viewer-DEBUG: Got libvirt credential request for 2 credential(s)
(virt-viewer:5348): virt-viewer-DEBUG: Got Identify to authorize as 'xiaodwan' 2
(virt-viewer:5348): virt-viewer-DEBUG: Got Passphrase secret '*****' 5
(virt-viewer:5348): virt-viewer-DEBUG: Return 0

So move the bug from ON_QA to VERIFIED.

Comment 5 errata-xmlrpc 2017-08-01 15:04:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1849
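
Added example (not virt-viewer's actual patch, and not part of the bug thread): one way to format a credential debug line so that secret credential types are masked, as in the verified output in Comment 4. The helper names are hypothetical; the numeric constants are local copies of libvirt's virConnectCredentialType values (2 and 5 match the types seen in the logs above). Masking every type that is not on an allow-list is a design choice of this example.

```c
#include <stdio.h>
#include <string.h>

/* Local copies of libvirt's virConnectCredentialType values, so the
 * example builds without libvirt headers. */
enum {
    CRED_USERNAME     = 1,
    CRED_AUTHNAME     = 2,
    CRED_LANGUAGE     = 3,
    CRED_PASSPHRASE   = 5,
    CRED_NOECHOPROMPT = 7,
    CRED_REALM        = 8
};

/* Allow-list: only these types may appear verbatim in logs. Anything
 * else (passphrase, no-echo prompt, unknown future types) is masked. */
static int cred_is_loggable(int type)
{
    switch (type) {
    case CRED_USERNAME:
    case CRED_AUTHNAME:
    case CRED_LANGUAGE:
    case CRED_REALM:
        return 1;
    default:
        return 0;
    }
}

/* Hypothetical helper: builds the debug line for one credential reply.
 * Secrets get a fixed-width mask and the value length is never logged,
 * so neither the secret nor its length reaches the log.
 * Returns snprintf()'s result. */
int format_cred_debug(char *buf, size_t buflen, int type, const char *value)
{
    const char *shown = cred_is_loggable(type) ? (value ? value : "")
                                               : "*****";
    return snprintf(buf, buflen, "Got credential type %d: '%s'", type, shown);
}

int main(void)
{
    char line[128];
    /* Constructed sample inputs, not real credentials. */
    format_cred_debug(line, sizeof line, CRED_AUTHNAME, "xiaodwan");
    puts(line);
    format_cred_debug(line, sizeof line, CRED_PASSPHRASE, "s3cret");
    puts(line);
    return 0;
}
```

Logs written by a build that printed the passphrase still contain it; those files need to be rotated or scrubbed and the affected passwords changed.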