[virt-tools-list] [virt-manager PATCH 2/2] unattended: Don't log user & admin passwords
Fabiano Fidêncio
fidencio at redhat.com
Tue Jul 2 19:21:45 UTC 2019
Logging user & admin passwords in the command-line is a security issue,
let's avoid doing so by:
- Not printing the values set by the user when setting up the
install-script config file;
- Removing the values used in the install-scripts, when printing their
content;
'CVE-2019-10183' has been assigned to the virt-install --unattended
admin-password=xxx disclosure issue.
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
---
virtinst/install/unattended.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/virtinst/install/unattended.py b/virtinst/install/unattended.py
index 4f311296..04758563 100644
--- a/virtinst/install/unattended.py
+++ b/virtinst/install/unattended.py
@@ -97,8 +97,6 @@ def _make_installconfig(script, osobj, unattended_data, arch, hostname, url):
log.debug("InstallScriptConfig created with the following params:")
log.debug("username: %s", config.get_user_login())
log.debug("realname: %s", config.get_user_realname())
- log.debug("user password: %s", config.get_user_password())
- log.debug("admin password: %s", config.get_admin_password())
log.debug("target disk: %s", config.get_target_disk())
log.debug("hardware arch: %s", config.get_hardware_arch())
log.debug("hostname: %s", config.get_hostname())
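Review bot: with the two password lines dropped from _make_installconfig, nothing in the block says the omission is deliberate, so a later cleanup could add them back alongside the remaining log.debug calls. Add a short comment above the block stating that passwords are intentionally never logged. If the information helps debugging, log only whether each password was set, not its value.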
@@ -195,6 +193,14 @@ class OSInstallScript:
content = self.generate()
open(scriptpath, "w").write(content)
+ user_password = self._config.get_user_password()
+ if user_password:
+ content = content.replace(user_password, "[SCRUBBED]")
+
+ admin_password = self._config.get_admin_password()
+ if admin_password:
+ content = content.replace(admin_password, "[SCRUBBED]")
+
log.debug("Generated unattended script: %s", scriptpath)
log.debug("Generated script contents:\n%s", content)
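Review bot: the two content.replace() calls run in sequence on the same string, so when one password is a substring of the other the scrub is incomplete. With a user password "abc" and an admin password "abcdef", the first replace turns "abcdef" into "[SCRUBBED]def", the second no longer matches, and the tail of the admin password reaches the debug log. Replace the longer value first, or skip logging the script contents when a password is set. The literal replace also misses any occurrence the generated script escapes or encodes, and a short password will scrub unrelated text and show where it matched. Separately, the context line open(scriptpath, "w").write(content) still writes the clear-text passwords to disk and never closes the file explicitly; a with block and a check of the file's permissions would fit in this patch.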
--
2.21.0