thr3ads.net - Xen devel - [Xen-devel] [PATCH] Scrub vnc password for vfb [Feb 2008]

If this information is useful, please help other people find it:
Share via:

Masaki Kanno

2008-Feb-05 07:47 UTC

[Xen-devel] [PATCH] Scrub vnc password for vfb

Hi,

I saw the vnc password in xend.log as follows. 

[2008-02-05 10:35:08 6412] DEBUG (DevController:119) DevController: 
writing {''vncunused'': ''1'',
''domain'': ''rhel4VTI'',
''frontend'': ''/local/
domain/1/device/vfb/0'', ''uuid'':
''e8e7f9db-e104-7d4a-36bd-d5f09ab34378'',
''vncpasswd'': ''test'',
''state'': ''1'', ''online'':
''1'', ''frontend-id'': ''1'',
''type'': ''vnc''} to
/local/domain/0/backend/vfb/1/0.

This patch scrubs it as follows. 

[2008-02-05 16:23:23 11188] DEBUG (DevController:120) DevController: 
writing {''vncunused'': ''1'',
''domain'': ''rhel4VTI'',
''frontend'': ''/local/
domain/2/device/vfb/0'', ''uuid'':
''53f05d3f-9994-bdd7-2293-d60c22b0568b'',
''vncpasswd'': ''XXXXXXXX'',
''state'': ''1'', ''online'':
''1'', ''frontend-id'': ''2'',
''type'': ''vnc''} to
/local/domain/0/backend/vfb/2/0.


Signed-off-by: Masaki Kanno <kanno.masaki@jp.fujitsu.com>

Best regards,
 Kan



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Keir Fraser

2008-Feb-05 08:45 UTC

head link

Re: [Xen-devel] [PATCH] Scrub vnc password for vfb

This leads to a question -- should xend.log (and our other log files) be
world readable in the first place?

If we want to change it we may have to hack the logging package a bit, as it
seems that Python''s open() function calls fopen() which does not allow
you
to manually specify access permissions. Although we could have xend set its
umask to 0770. Maybe that would break other stuff though?

 -- Keir

On 5/2/08 07:47, "Masaki Kanno" <kanno.masaki@jp.fujitsu.com>
wrote:
> Hi,
> 
> I saw the vnc password in xend.log as follows.
> 
> [2008-02-05 10:35:08 6412] DEBUG (DevController:119) DevController:
> writing {''vncunused'': ''1'',
''domain'': ''rhel4VTI'',
''frontend'': ''/local/
> domain/1/device/vfb/0'', ''uuid'':
''e8e7f9db-e104-7d4a-36bd-d5f09ab34378'',
> ''vncpasswd'': ''test'',
''state'': ''1'', ''online'':
''1'', ''frontend-id'': ''1'',
> ''type'': ''vnc''} to
/local/domain/0/backend/vfb/1/0.
> 
> This patch scrubs it as follows.
> 
> [2008-02-05 16:23:23 11188] DEBUG (DevController:120) DevController:
> writing {''vncunused'': ''1'',
''domain'': ''rhel4VTI'',
''frontend'': ''/local/
> domain/2/device/vfb/0'', ''uuid'':
''53f05d3f-9994-bdd7-2293-d60c22b0568b'',
> ''vncpasswd'': ''XXXXXXXX'',
''state'': ''1'', ''online'':
''1'', ''frontend-id'': ''2'',
> ''type'': ''vnc''} to
/local/domain/0/backend/vfb/2/0.
> 
> 
> Signed-off-by: Masaki Kanno <kanno.masaki@jp.fujitsu.com>
> 
> Best regards,
>  Kan
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Ian Jackson

2008-Feb-05 10:38 UTC

head link

Re: [Xen-devel] [PATCH] Scrub vnc password for vfb

Keir Fraser writes ("Re: [Xen-devel] [PATCH] Scrub vnc password for
vfb"):> This leads to a question -- should xend.log (and our other log files) be
> world readable in the first place?
This is a decision for distributors I think.  The default isn''t all
that important but I would personally prefer them to be readable.
Most setups have a dedicated dom0.

So we should launder things that go into logfiles.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Daniel P. Berrange

2008-Feb-05 14:06 UTC

head link

Re: [Xen-devel] [PATCH] Scrub vnc password for vfb

On Tue, Feb 05, 2008 at 08:45:10AM +0000, Keir Fraser
wrote:> This leads to a question -- should xend.log (and our other log files) be
> world readable in the first place?
In Fedora & RHEL  /etc/xen and /var/log/xen are both mode 0700
> If we want to change it we may have to hack the logging package a bit, as
it
> seems that Python''s open() function calls fopen() which does not
allow you
> to manually specify access permissions. Although we could have xend set its
> umask to 0770. Maybe that would break other stuff though?
The permissions of the logfile don''t really matter once you set the
directory
permissions - and this gives the admin flexibility to chmod/chgrp the dir
to allow selected users acccess to the logs


The main reason for scrubbing the logs is to protect users'' passwords
when
they post logfiles to mailing lists / bug trackers :-)

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Xen devel - Feb 2008 - [PATCH] Scrub vnc password for vfb

[Xen-devel] [PATCH] Scrub vnc password for vfb

Re: [Xen-devel] [PATCH] Scrub vnc password for vfb

Re: [Xen-devel] [PATCH] Scrub vnc password for vfb

Re: [Xen-devel] [PATCH] Scrub vnc password for vfb