Bug 602199 - [vdsm] [libvirt intg] spice command line security tune-ups
Summary: [vdsm] [libvirt intg] spice command line security tune-ups
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: vdsm
Version: 6.1
Hardware: All Linux
low
medium
Target Milestone: rc
Assignee: Dan Kenigsberg
QA Contact: Haim
URL:
Whiteboard: vdsm & libvirt integration
Keywords:
Depends On:
Blocks: 581275
 
Reported: 2010-06-09 11:50 UTC by Haim
Modified: 2014-01-13 00:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-10 13:43:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Haim 2010-06-09 11:50:36 UTC
Description of problem:

Several security tune-ups are required for the spice command line from vdsm's perspective:

1) password - password appears in clear text in xml - needs to be encrypted:

<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" 

2) password expiration date is set to the past: 

passwdValidTo="1970-01-01T00:00:01" 

3) ports are set to -1  

port="-1" tlsPort="-1" type="spice">

Version-Release number of selected component (if applicable):

vdsm 4.9-8

How reproducible: start vm and set console to spice, and monitor logs.

Comment 2 RHEL Product and Program Management 2010-06-09 12:12:55 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 4 Daniel Berrange 2010-06-10 11:59:45 UTC
There is no support for encrypted passwords in the XML. Assuming there are appropriately configured access controls on the libvirt UNIX sockets this isn't a serious problem, because only root, or a user with privileges to connect to libvirt can see this.

A port of '-1' should only be seen on an inactive guest. It indicates that the port is allocated dynamically when the guest is booted. When the guest is running libvirt should tell you what the actual port number is when querying the XML config.

Not sure why you're seeing such a password validity date. I would need to see the full original XML that the guest was booted with, and details of whether VDSM had issued the API call to update the passwd after booting.

Comment 5 Haim 2010-06-10 13:07:40 UTC
This is how the XML looks.

<domain type="kvm">
        <name>libvirt-nfs2-desk-10</name>
        <uuid>f3abace3-c078-4d9c-81b7-2b4b8052b56c</uuid>
        <memory>524288</memory>
        <currentMemory>524288</currentMemory>
        <vcpu>1</vcpu>
        <devices>
                <disk device="disk" type="file">
                        <source file="/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91"/>
                        <target bus="ide" dev="hda"/>
                        <serial>59-9ebb-9c1ace60629a</serial>
                        <driver cache="none" name="qemu" type="qcow2"/>
                </disk>
                <controller index="0" ports="16" type="virtio-serial"/>
                <channel type="unix">
                        <target name="org.linux-kvm.port.0" type="virtio"/>
                        <source mode="bind" path="/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0"/>
                </channel>
                <interface type="bridge">
                        <mac address="00:1a:4a:23:71:2e"/>
                        <model type="virtio"/>
                        <source bridge="rhevm"/>
                </interface>
                <input bus="usb" type="tablet"/>
                <video>
                        <model heads="1" type="qxl" vram="65536"/>
                </video>
                <graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">
                        <channel mode="secure" name="main"/>
                        <channel mode="secure" name="inputs"/>
                        <channel mode="secure" name="cursor"/>
                        <channel mode="secure" name="playback"/>
                        <channel mode="secure" name="record"/>
                        <channel mode="secure" name="display"/>
                </graphics>
        </devices>
        <os>
                <type arch="x86_64" machine="pc">hvm</type>
                <boot dev="hd"/>
        </os>
        <clock adjustment="10800" offset="variable"/>
        <features>
                <acpi/>
        </features>
        <cpu match="exact">
                <model>qemu64</model>
                <topology cores="1" sockets="1" threads="1"/>
                <feature name="nx" policy="disable"/>
                <feature name="sse2" policy="require"/>
                <feature name="svm" policy="disable"/>
        </cpu>
</domain>

and the qemu command from the libvirt/qemu/ log:

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -S -M rhel6.0.0 -cpu qemu64,-svm,-nx -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -name libvirt-nfs2-desk-10 -uuid f3abace3-c078-4d9c-81b7-2b4b8052b56c -nodefaults -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/libvirt-nfs2-desk-10.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=2010-5-10T16:4:59 -boot c -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive file=/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91,if=none,id=drive-ide0-0-0,boot=on,format=qcow2,serial=59-9ebb-9c1ace60629a,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,fd=21,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:23:71:2e,bus=pci.0,addr=0x4 -chardev socket,id=channel0,path=/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0,server,nowait -device virtserialport,chardev=channel0,name=org.linux-kvm.port.0 -usb -device usb-tablet,id=input0 -spice port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record -k en-us -vga qxl -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
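An added audit helper, not part of this bug, vdsm or libvirt, that checks the three points raised in the description against the <graphics> element from comment 5 and then cross-checks the inactive XML against the -spice option in the qemu command line above, confirming that the dynamic ports were allocated and that every channel marked secure was started with tls-channel. The sample XML and the -spice option are copied from comment 5; the function names, severities and messages are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample, copied from comment 5: the <graphics> element vdsm submitted
# and the -spice option from the resulting qemu command line (other args omitted).
CHANNELS = ["main", "inputs", "cursor", "playback", "record", "display"]
GRAPHICS_XML = (
    '<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" '
    'passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">'
    + "".join('<channel mode="secure" name="%s"/>' % c for c in CHANNELS)
    + "</graphics>"
)
QEMU_CMDLINE = ("/usr/libexec/qemu-kvm -S -M rhel6.0.0 -spice port=5900,tls-port=5901,addr=0,"
                "x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=display,"
                "tls-channel=inputs,tls-channel=cursor,tls-channel=playback,"
                "tls-channel=record -k en-us -vga qxl")

def audit_graphics(xml_text, now=None):
    """Return (severity, message) findings for one libvirt <graphics type='spice'>."""
    g = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    findings = []
    if g.get("passwd"):  # no encrypted form exists; dumpxml omits it unless VIR_DOMAIN_XML_SECURE
        findings.append(("info", "passwd is stored in clear text; restrict read access to the XML"))
    valid_to = g.get("passwdValidTo")  # UTC, libvirt format YYYY-MM-DDTHH:MM:SS
    expiry = valid_to and datetime.strptime(valid_to, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if expiry and expiry <= now:  # expired password: no client can connect until vdsm sets a new one
        findings.append(("info", "passwd expired at %s: no client can connect until a new one is set" % valid_to))
    for attr in ("port", "tlsPort"):  # -1 is only legitimate as "allocate at boot"
        if g.get(attr) == "-1" and g.get("autoport") != "yes":
            findings.append(("warn", "%s=-1 without autoport=yes" % attr))
    insecure = [c.get("name") for c in g.findall("channel") if c.get("mode") != "secure"]
    if insecure:
        findings.append(("warn", "channels not forced to TLS: " + ", ".join(insecure)))
    return findings

def check_runtime(xml_text, cmdline):
    """Cross-check the inactive XML against the -spice option qemu was started with."""
    m = re.search(r"-spice\s+(\S+)", cmdline)
    if not m:
        return None
    kv = [o.split("=", 1) for o in m.group(1).split(",")]
    tls_channels = {v for k, v in kv if k == "tls-channel"}
    secure = {c.get("name") for c in ET.fromstring(xml_text).findall("channel")
              if c.get("mode") == "secure"}
    return {"port": next(int(v) for k, v in kv if k == "port"),
            "tls_port": next(int(v) for k, v in kv if k == "tls-port"),
            "missing_tls": secure - tls_channels}
```

On the sample, audit_graphics reports only the clear-text and already-expired password, and check_runtime confirms ports 5900/5901 with no secure channel missing its tls-channel.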

