From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Daniel P. Berrange" <berrange@redhat.com>
Subject: Re: [PATCH] Scrub VNC passwords from XenD log files
Date: Wed, 6 Dec 2006 17:16:03 +0000
Message-ID: <20061206171603.GA13126@redhat.com>
References: <20061205193125.GF21067@redhat.com>
	<20061206122520.GE17323@leeni.uk.xensource.com>
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <xen-devel-bounces@lists.xensource.com>
Content-Disposition: inline
In-Reply-To: <20061206122520.GE17323@leeni.uk.xensource.com>
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Ewan Mellor <ewan@xensource.com>
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Wed, Dec 06, 2006 at 12:25:20PM +0000, Ewan Mellor wrote:
> On Tue, Dec 05, 2006 at 07:31:25PM +0000, Daniel P. Berrange wrote:
> 
> > The XendDomainInfo and XendConfig classes both log the guest VM config data
> > to the /var/log/xen/xend.log  in many places. Unfortunately the VNC passwords
> > are stored in plain text in the guest VM config files. So we end up with 
> > plain text passwords in the xend.log file
> > 
> > Now we can make /var/log/xen  mode 0700 to protect them from local users,
> > but it is very common when debugging issues to request that a user attach
> > the contents of /var/log/xen/xend.log to the bug report ticket, or emails
> > sent to mailing lists. This will obviously compromise any VNC passwords
> > to essentially the while world & his dog. What's more, Google will make 
> > it incredibly easy to search for these too.
> > 
> > 
> > There are a few potential approaches to this
> > 
> >  1. Remove all logging from xend.log
> >  2. Change default log level to only record WARN and higher, so DEBUG
> >     stuff is not recorded normally
> >  3. Scrub the passwords out of the data being logged
> >  4. Do nothing
> > 
> > I really don't like options 1 or 2, because the stuff XenD is logging is
> > actually incredibly helpful when debugging end user problems. 4 is not
> > really a viable option either. So we're left with 3.
> > 
> > Thus I am attaching a prototype patch which scrubs VNC passwords out of
> > the data being logged by XenD.
> 
> That looks good to me -- could I have a Signed-off-by line, so I can apply it?

I didn't add the signed-off-by because the patch isn't finished - I really 
just wanted to see if people were amenable to this kind of approach before
doing more work on it. Since you like it, I'll finish it off shortly - there
just a couple more test cases I need to go through - suspend/restore & inactive
domains - to verify passwords are always scrubbed correctly. I'll post a final
version of the patch by the end of today if all goes to plan.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|