Bug 1410030 - plain password should not be displayed in logs
Summary: plain password should not be displayed in logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virt-viewer
Version: 7.4
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Pavel Grunt
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1410031
Reported: 2017-01-04 09:32 UTC by Xiaodai Wang
Modified: 2017-08-01 15:04 UTC

Fixed In Version: virt-viewer-5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1410031
Environment:
Last Closed: 2017-08-01 15:04:11 UTC
Target Upstream Version:

Links
System: Red Hat Product Errata
ID: RHBA-2017:1849
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: virt-viewer bug fix and enhancement update
Last Updated: 2017-08-01 17:49:46 UTC

Description Xiaodai Wang 2017-01-04 09:32:05 UTC
Description of problem:
plain password should not be displayed in logs

Version-Release number of selected component (if applicable):
virt-viewer-2.0-13.el7

How reproducible:
100%

Steps to Reproduce:
1. Enable "auth_unix_rw='sasl'" in /etc/libvirt/libvirtd.conf.
add auth_unix_rw="sasl" in the /etc/libvirt/libvirtd.conf
2. Add sasl user
# saslpasswd2 -a libvirt xiaodwan
(input your passwd)
3. Restart libvirtd service
# service libvirtd restart
4. Connect to a vm by qemu+unix and --attach and --debug option.
# virt-viewer -c qemu+unix:///system demo -a --debug

Actual results:
Plain password is printed.

(virt-viewer:25350): virt-viewer-DEBUG: Got libvirt credential request for 2 credential(s)
(virt-viewer:25350): virt-viewer-DEBUG: Got 'xiaodwan' 8 2
(virt-viewer:25350): virt-viewer-DEBUG: Got 'xxxx' 6 5

Expected results:
plain password should not be printed.

Additional info:

Comment 1 Pavel Grunt 2017-01-04 09:59:07 UTC
Posted: https://www.redhat.com/archives/virt-tools-list/2017-January/msg00008.html

I don't find this debug message interesting/helpful.

Comment 4 Xiaodai Wang 2017-03-22 06:19:12 UTC
I verified this bug with virt-viewer-5.0-2.el7.x86_64; the plain password isn't displayed in the debug log.

(virt-viewer:5348): virt-viewer-DEBUG: connecting ...
(virt-viewer:5348): virt-viewer-DEBUG: Opening connection to libvirt with URI <null>
(virt-viewer:5348): virt-viewer-DEBUG: Got libvirt credential request for 2 credential(s)
(virt-viewer:5348): virt-viewer-DEBUG: Got Identify to authorize as 'xiaodwan' 2
(virt-viewer:5348): virt-viewer-DEBUG: Got Passphrase secret '*****' 5
(virt-viewer:5348): virt-viewer-DEBUG: Return 0

So move the bug from ON_QA to VERIFIED.

Comment 5 errata-xmlrpc 2017-08-01 15:04:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1849
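
An added example, not virt-viewer's code and not the patch linked in Comment 1: one way to build the debug line for an answered credential so that only credential types known to be non-secret are printed and everything else is masked. The enum mirrors libvirt's virConnectCredentialType values (the trailing 2 and 5 in the log lines above); `cred_is_loggable` and `format_cred_debug` are hypothetical names, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Local mirror of libvirt's virConnectCredentialType values, so the example
 * builds without libvirt headers (2 = authname, 5 = passphrase). */
enum cred_type {
    CRED_USERNAME = 1, CRED_AUTHNAME = 2, CRED_LANGUAGE = 3, CRED_CNONCE = 4,
    CRED_PASSPHRASE = 5, CRED_ECHOPROMPT = 6, CRED_NOECHOPROMPT = 7,
    CRED_REALM = 8, CRED_EXTERNAL = 9
};

/* Deny by default: only types known to carry non-secret text may be logged.
 * Unknown or future types fall through to "mask". */
static int cred_is_loggable(int type)
{
    switch (type) {
    case CRED_USERNAME:
    case CRED_AUTHNAME:
    case CRED_LANGUAGE:
    case CRED_REALM:
        return 1;
    default:
        return 0;
    }
}

/* Hypothetical helper: format the debug line for one answered credential.
 * Secrets are replaced by a fixed-width mask, so neither the value nor its
 * length reaches the log. Returns snprintf()'s result. */
int format_cred_debug(char *out, size_t outlen, const char *prompt,
                      const char *value, int type)
{
    const char *shown = "*****";

    if (cred_is_loggable(type))
        shown = value ? value : "(null)";
    return snprintf(out, outlen, "Got %s '%s' %d",
                    prompt ? prompt : "(no prompt)", shown, type);
}

int main(void)
{
    char line[256];

    /* Constructed sample values, not taken from a real session. */
    format_cred_debug(line, sizeof line, "Identity to authorize as", "xiaodwan", CRED_AUTHNAME);
    puts(line);
    format_cred_debug(line, sizeof line, "Passphrase secret", "constructed-pw", CRED_PASSPHRASE);
    puts(line);
    return 0;
}
```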

