Bug 602199 - [vdsm] [libvirt intg] spice command line security tune-ups
Summary: [vdsm] [libvirt intg] spice command line security tune-ups
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: vdsm
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Dan Kenigsberg
QA Contact: Haim
URL:
Whiteboard: vdsm & libvirt integration
Depends On:
Blocks: 581275
Reported: 2010-06-09 11:50 UTC by Haim
Modified: 2014-01-13 00:46 UTC
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-10 13:43:01 UTC
Target Upstream Version:
Embargoed:



Description Haim 2010-06-09 11:50:36 UTC
Description of problem:

Several security tune-ups are required for the spice command line from vdsm's perspective:

1) password: the password appears in clear text in the XML and needs to be encrypted:

<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" 

2) the password expiration date is set in the past:

passwdValidTo="1970-01-01T00:00:01" 

3) the ports are set to -1:

port="-1" tlsPort="-1" type="spice">

Version-Release number of selected component (if applicable):

vdsm 4.9-8

How reproducible: start a VM, set the console to spice, and monitor the logs.

Comment 2 RHEL Program Management 2010-06-09 12:12:55 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 4 Daniel Berrangé 2010-06-10 11:59:45 UTC
There is no support for encrypted passwords in the XML. Assuming there are appropriately configured access controls on the libvirt UNIX sockets this isn't a serious problem, because only root, or a user with privileges to connect to libvirt can see this.

A port of '-1' should only be seen on an inactive guest. It indicates that the port is allocated dynamically when the guest is booted. When the guest is running libvirt should tell you what the actual port number is when querying the XML config.

Not sure why you're seeing such a password validity date. I would need to see the full original XML that the guest was booted with, and details of whether VDSM had issued the API call to update the passwd after booting.

Comment 5 Haim 2010-06-10 13:07:40 UTC
This is how the XML looks.

<domain type="kvm">
        <name>libvirt-nfs2-desk-10</name>
        <uuid>f3abace3-c078-4d9c-81b7-2b4b8052b56c</uuid>
        <memory>524288</memory>
        <currentMemory>524288</currentMemory>
        <vcpu>1</vcpu>
        <devices>
                <disk device="disk" type="file">
                        <source file="/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91"/>
                        <target bus="ide" dev="hda"/>
                        <serial>59-9ebb-9c1ace60629a</serial>
                        <driver cache="none" name="qemu" type="qcow2"/>
                </disk>
                <controller index="0" ports="16" type="virtio-serial"/>
                <channel type="unix">
                        <target name="org.linux-kvm.port.0" type="virtio"/>
                        <source mode="bind" path="/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0"/>
                </channel>
                <interface type="bridge">
                        <mac address="00:1a:4a:23:71:2e"/>
                        <model type="virtio"/>
                        <source bridge="rhevm"/>
                </interface>
                <input bus="usb" type="tablet"/>
                <video>
                        <model heads="1" type="qxl" vram="65536"/>
                </video>
                <graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">
                        <channel mode="secure" name="main"/>
                        <channel mode="secure" name="inputs"/>
                        <channel mode="secure" name="cursor"/>
                        <channel mode="secure" name="playback"/>
                        <channel mode="secure" name="record"/>
                        <channel mode="secure" name="display"/>
                </graphics>
        </devices>
        <os>
                <type arch="x86_64" machine="pc">hvm</type>
                <boot dev="hd"/>
        </os>
        <clock adjustment="10800" offset="variable"/>
        <features>
                <acpi/>
        </features>
        <cpu match="exact">
                <model>qemu64</model>
                <topology cores="1" sockets="1" threads="1"/>
                <feature name="nx" policy="disable"/>
                <feature name="sse2" policy="require"/>
                <feature name="svm" policy="disable"/>
        </cpu>
</domain>

and the qemu command from the libvirt/qemu/ log:

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -S -M rhel6.0.0 -cpu qemu64,-svm,-nx -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -name libvirt-nfs2-desk-10 -uuid f3abace3-c078-4d9c-81b7-2b4b8052b56c -nodefaults -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/libvirt-nfs2-desk-10.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=2010-5-10T16:4:59 -boot c -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive file=/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91,if=none,id=drive-ide0-0-0,boot=on,format=qcow2,serial=59-9ebb-9c1ace60629a,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,fd=21,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:23:71:2e,bus=pci.0,addr=0x4 -chardev socket,id=channel0,path=/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0,server,nowait -device virtserialport,chardev=channel0,name=org.linux-kvm.port.0 -usb -device usb-tablet,id=input0 -spice port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tls-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record -k en-us -vga qxl -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
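An added audit (example code, not vdsm's or libvirt's own) that checks a domain XML like the one above for the three points in the description: a cleartext passwd, a passwdValidTo already in the past, and port/tlsPort still -1 on a running guest (where -1 means "allocate at boot", as comment 4 explains); it also reads the ports qemu was actually started with from the logged command line, which is how the -1 in the inactive XML reconciles with 5900/5901 in the log. The function names and the trimmed samples are constructed for this example.

```python
# Added example (not vdsm or libvirt code): audit the SPICE <graphics> element of a libvirt
# domain XML for the points raised in this bug, and read the ports qemu was started with.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: trimmed to the <graphics> element of the domain XML above.
SAMPLE_XML = """<domain type="kvm"><devices>
<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345"
          passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">
  <channel mode="secure" name="main"/><channel mode="secure" name="inputs"/>
  <channel mode="secure" name="cursor"/><channel mode="secure" name="playback"/>
  <channel mode="secure" name="record"/><channel mode="secure" name="display"/>
</graphics></devices></domain>"""
# Constructed sample: the -spice argument as it appears in the qemu command line above.
SAMPLE_CMDLINE = ("/usr/libexec/qemu-kvm -S -M rhel6.0.0 -spice port=5900,tls-port=5901,"
                  "addr=0,x509-dir=/etc/pki/libvirt-spice,tls-channel=main -k en-us")

def audit_spice_graphics(domain_xml, running, now=None):
    """Return (severity, message) findings; `running` says whether the guest is active."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for g in ET.fromstring(domain_xml).iterfind("./devices/graphics[@type='spice']"):
        if g.get("passwd") is not None:
            # libvirt stores the value verbatim; only the socket access controls protect it
            findings.append(("info", "passwd is stored in cleartext in the domain XML"))
        valid_to = g.get("passwdValidTo")
        if valid_to:  # libvirt treats this timestamp as UTC
            expiry = datetime.strptime(valid_to, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            if expiry <= now:
                findings.append(("warn", f"passwdValidTo={valid_to} is in the past: password expired"))
        for attr in ("port", "tlsPort"):
            # -1 means "allocate at boot"; it is expected on an inactive guest only
            if g.get(attr) == "-1" and running:
                findings.append(("warn", f"{attr}=-1 reported for a running guest"))
        plain = [c.get("name") for c in g.iterfind("channel") if c.get("mode") != "secure"]
        if plain:
            findings.append(("warn", "channels not forced to TLS: " + ", ".join(plain)))
    return findings

def spice_ports_from_cmdline(cmdline):
    """Return {'port': int, 'tls-port': int} parsed from qemu's -spice argument."""
    m = re.search(r"-spice\s+(\S+)", cmdline)
    if not m:
        return {}
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    return {k: int(opts[k]) for k in ("port", "tls-port") if k in opts}
```

Run the audit with running=True against XML fetched from a live domain to catch a guest that still reports -1; against the inactive definition only the password findings fire.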

