[Libosinfo] [libosinfo PATCH 2/2] tools, install-script: Do not accept user & admin password via --config
Fabiano Fidêncio
fidencio at redhat.com
Mon Jul 8 06:36:23 UTC 2019
On Fri, Jul 5, 2019 at 5:54 PM Daniel P. Berrangé <berrange at redhat.com> wrote:
>
> On Fri, Jul 05, 2019 at 10:27:20AM +0200, Fabiano Fidêncio wrote:
> > As passing user & admin password via command line is a low impact CVE,
> > let's error out when it's done and advertise the users to use
> > --config-file instead.
> >
> > Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
> > ---
> > tools/osinfo-install-script.c | 11 +++++++++++
> > 1 file changed, 11 insertions(+)
> >
> > diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
> > index efa96ee..3da4a69 100644
> > --- a/tools/osinfo-install-script.c
> > +++ b/tools/osinfo-install-script.c
> > @@ -85,6 +85,15 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
> > val++;
> > key = g_strndup(value, len);
> >
> > + if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
> > + g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
> > + g_set_error(error, OSINFO_ERROR, 0,
> > + _("When setting user or admin password, use "
> > + "--config-file instead.\n"));
> > + g_free(key);
> > + return FALSE;
> > + }
>
> If we make this a hard error then we are pretty much forcing everyone
> to use the --config-file arg, because with this CLI tool there is no
> way to see the auto-generated password.
>
> I think perhaps we should do
>
> 1. Deprecate --config for all uses
> 2. Print a warning message if used for admin/user password
> 3. 1 year later delete --config entirely
>
Agreed.
>
> > +
> > osinfo_entity_set_param(OSINFO_ENTITY(config),
> > key,
> > val);
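Review bot: in the added password check in handle_config(), returning FALSE does not undo the exposure, because by the time this option callback runs the password has already been passed in the process's argument vector, where it is visible in process listings. The error therefore only discourages the pattern, and a warning, as proposed in the reply, would give the same protection without breaking callers. Two smaller points on the same block: the g_set_error() message ends in "\n", which GError messages normally omit because the caller formats the output, and the error code is a literal 0 rather than a named code.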
> > @@ -520,6 +529,8 @@ script. Defaults to C<media>, but can also be C<network>.
> >
> > Set the configuration parameter C<key> to C<value>.
> >
> > +Note: this option has been deprecated, use B<--config-file=> instead.
> > +
> > =item B<--config-file=config-file>
> >
> > Set the configurations parameters according to the config-file passed.
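Review bot: the note added under the --config item says the option is deprecated, but the code in this patch only rejects the user and admin password keys and emits nothing at runtime for other keys, so the documentation and the behaviour disagree. Either state here that the password keys are refused with --config, or add a deprecation warning in handle_config() to match the text. The reference B<--config-file=> also drops the argument name used in the item heading below it, B<--config-file=config-file>.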
> > --
> > 2.21.0
> >
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|