Bug 602199 - [vdsm] [libvirt intg] spice command line security tune-ups
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: vdsm
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Dan Kenigsberg
QA Contact: Haim
Whiteboard: vdsm & libvirt integration
Depends On:
Blocks: 581275
Reported: 2010-06-09 07:50 EDT by Haim
Modified: 2014-01-12 19:46 EST (History)
CC: 9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-10 09:43:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Haim 2010-06-09 07:50:36 EDT
Description of problem:

several security tune-ups are required for the spice command line from the vdsm perspective:

1) password - password appears in clear text in xml - needs to be encrypted:

<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" 

2) password expiration date is set to the past: 

passwdValidTo="1970-01-01T00:00:01" 

3) ports are set to -1  

port="-1" tlsPort="-1" type="spice">

Version-Release number of selected component (if applicable):

vdsm 4.9-8

How reproducible: start vm and set console to spice, and monitor logs.
Comment 2 RHEL Product and Program Management 2010-06-09 08:12:55 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 4 Daniel Berrange 2010-06-10 07:59:45 EDT
There is no support for encrypted passwords in the XML. Assuming there are appropriately configured access controls on the libvirt UNIX sockets this isn't a serious problem, because only root, or a user with privileges to connect to libvirt can see this.

A port of '-1' should only be seen on an inactive guest. It indicates that the port is allocated dynamically when the guest is booted. When the guest is running libvirt should tell you what the actual port number is when querying the XML config.

Not sure why you're seeing such a password validity date. I would need to see the full original XML that the guest was booted with, and details of whether VDSM had issued the API call to update the passwd after booting.
Comment 5 Haim 2010-06-10 09:07:40 EDT
This is what the XML looks like.

<domain type="kvm">
        <name>libvirt-nfs2-desk-10</name>
        <uuid>f3abace3-c078-4d9c-81b7-2b4b8052b56c</uuid>
        <memory>524288</memory>
        <currentMemory>524288</currentMemory>
        <vcpu>1</vcpu>
        <devices>
                <disk device="disk" type="file">
                        <source file="/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91"/>
                        <target bus="ide" dev="hda"/>
                        <serial>59-9ebb-9c1ace60629a</serial>
                        <driver cache="none" name="qemu" type="qcow2"/>
                </disk>
                <controller index="0" ports="16" type="virtio-serial"/>
                <channel type="unix">
                        <target name="org.linux-kvm.port.0" type="virtio"/>
                        <source mode="bind" path="/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0"/>
                </channel>
                <interface type="bridge">
                        <mac address="00:1a:4a:23:71:2e"/>
                        <model type="virtio"/>
                        <source bridge="rhevm"/>
                </interface>
                <input bus="usb" type="tablet"/>
                <video>
                        <model heads="1" type="qxl" vram="65536"/>
                </video>
                <graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">
                        <channel mode="secure" name="main"/>
                        <channel mode="secure" name="inputs"/>
                        <channel mode="secure" name="cursor"/>
                        <channel mode="secure" name="playback"/>
                        <channel mode="secure" name="record"/>
                        <channel mode="secure" name="display"/>
                </graphics>
        </devices>
        <os>
                <type arch="x86_64" machine="pc">hvm</type>
                <boot dev="hd"/>
        </os>
        <clock adjustment="10800" offset="variable"/>
        <features>
                <acpi/>
        </features>
        <cpu match="exact">
                <model>qemu64</model>
                <topology cores="1" sockets="1" threads="1"/>
                <feature name="nx" policy="disable"/>
                <feature name="sse2" policy="require"/>
                <feature name="svm" policy="disable"/>
        </cpu>
</domain>

and the qemu command from the libvirt/qemu/ log:

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -S -M rhel6.0.0 -cpu qemu64,-svm,-nx -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -name libvirt-nfs2-desk-10 -uuid f3abace3-c078-4d9c-81b7-2b4b8052b56c -nodefaults -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/libvirt-nfs2-desk-10.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=2010-5-10T16:4:59 -boot c -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive file=/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91,if=none,id=drive-ide0-0-0,boot=on,format=qcow2,serial=59-9ebb-9c1ace60629a,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,fd=21,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:23:71:2e,bus=pci.0,addr=0x4 -chardev socket,id=channel0,path=/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0,server,nowait -device virtserialport,chardev=channel0,name=org.linux-kvm.port.0 -usb -device usb-tablet,id=input0 -spice port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record -k en-us -vga qxl -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
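An added check, not from the bug report or from VDSM, that reads a domain XML like the one in comment 5 together with the -spice argument from the logged qemu command line and reports the three points from the description the way comment 4 frames them (cleartext password protected only by libvirt socket access control, an already-expired passwdValidTo, and port=-1 being normal only for an inactive guest). The two sample inputs are trimmed copies of comment 5's XML and qemu line; the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the <graphics> element from comment 5, trimmed to what the check reads.
DOMAIN_XML = """<domain type="kvm"><name>libvirt-nfs2-desk-10</name><devices>
<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345"
 passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">
<channel mode="secure" name="main"/><channel mode="secure" name="inputs"/>
<channel mode="secure" name="cursor"/><channel mode="secure" name="playback"/>
<channel mode="secure" name="record"/><channel mode="secure" name="display"/>
</graphics></devices></domain>"""

# Constructed sample: the value of the -spice option from the qemu log line in comment 5.
QEMU_SPICE_ARG = ("port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/libvirt-spice,"
                  "tls-channel=main,tls-channel=display,tls-channel=inputs,"
                  "tls-channel=cursor,tls-channel=playback,tls-channel=record")

def parse_spice_arg(arg):
    """Split qemu's comma-separated key=value list; repeated keys collect into a list."""
    opts = {}
    for item in arg.split(","):
        key, _, value = item.partition("=")
        opts.setdefault(key, []).append(value)
    return opts

def audit_spice(domain_xml, spice_arg, running, now=None):
    """Return findings for <graphics type="spice">. 'running' says whether the XML was
    fetched for a live guest; 'now' is the reference time for the expiry check (UTC now)."""
    now = now or datetime.now(timezone.utc)
    gfx = ET.fromstring(domain_xml).find("./devices/graphics[@type='spice']")
    qemu = parse_spice_arg(spice_arg)
    findings = []
    # 1) libvirt has no encrypted form (comment 4): anyone who can read the XML reads the password.
    if gfx.get("passwd") is not None:
        findings.append("cleartext passwd in XML: rely on libvirt socket access controls")
    # 2) An expiry at or before 'now' means the password is already unusable for clients.
    valid_to = gfx.get("passwdValidTo")
    if valid_to and datetime.fromisoformat(valid_to).replace(tzinfo=timezone.utc) <= now:
        findings.append("passwdValidTo %s is in the past" % valid_to)
    # 3) port=-1 is expected on an inactive guest (autoport); a live guest should show the
    #    allocated port, which the qemu command line confirms.
    for attr, qkey in (("port", "port"), ("tlsPort", "tls-port")):
        if gfx.get(attr) == "-1" and running:
            findings.append("%s=-1 on running guest; qemu listens on %s"
                            % (attr, qemu.get(qkey, ["?"])[0]))
    # Cross-check: every channel marked secure in XML must be a tls-channel in qemu.
    secure = {c.get("name") for c in gfx.findall("channel") if c.get("mode") == "secure"}
    missing = sorted(secure - set(qemu.get("tls-channel", [])))
    if missing:
        findings.append("secure channels without tls-channel: %s" % ", ".join(missing))
    return findings
```

Calling audit_spice(DOMAIN_XML, QEMU_SPICE_ARG, running=True) on the comment 5 sample yields the cleartext-password, expired-validity and both -1 port findings, and no channel mismatch because all six secure channels appear as tls-channel on the qemu line.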
