From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33803)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1Y9NKR-00078F-Nv
	for qemu-devel@nongnu.org; Thu, 08 Jan 2015 19:21:28 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1Y9NKO-0000aS-FO
	for qemu-devel@nongnu.org; Thu, 08 Jan 2015 19:21:27 -0500
Received: from e34.co.us.ibm.com ([32.97.110.152]:48500)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1Y9NKO-0000aM-8V
	for qemu-devel@nongnu.org; Thu, 08 Jan 2015 19:21:24 -0500
Received: from /spool/local
	by e34.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>;
	Thu, 8 Jan 2015 17:21:23 -0700
Received: from b03cxnp08026.gho.boulder.ibm.com
	(b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
	by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 711B03E4003F
	for <qemu-devel@nongnu.org>; Thu,  8 Jan 2015 17:21:20 -0700 (MST)
Received: from d03av03.boulder.ibm.com (d03av03.boulder.ibm.com [9.17.195.169])
	by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with
	ESMTP id t090Lpk748038140
	for <qemu-devel@nongnu.org>; Thu, 8 Jan 2015 17:21:51 -0700
Received: from d03av03.boulder.ibm.com (localhost [127.0.0.1])
	by d03av03.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP
	id t090LKgI003411
	for <qemu-devel@nongnu.org>; Thu, 8 Jan 2015 17:21:20 -0700
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Michael Roth <mdroth@linux.vnet.ibm.com>
In-Reply-To: <1418647666-18771-1-git-send-email-berrange@redhat.com>
References: <1418647666-18771-1-git-send-email-berrange@redhat.com>
Message-ID: <20150109002119.22996.46864@loki>
Date: Thu, 08 Jan 2015 18:21:19 -0600
Subject: Re: [Qemu-devel] [PATCH] qga: add guest-set-admin-password command
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org

Quoting Daniel P. Berrange (2014-12-15 06:47:46)
> Add a new 'guest-set-admin-password' command for changing the
> root/administrator password. This command is needed to allow
> OpenStack to support its API for changing the admin password
> on a running guest.
> =

> Accepts either the raw password string:
> =

> $ virsh -c qemu:///system  qemu-agent-command f21x86_64 \
>    '{ "execute": "guest-set-admin-password", "arguments":
>      { "crypted": false, "password": "12345678" } }'
>   {"return":{}}
> =

> Or a pre-encrypted string (recommended)
> =

> $ virsh -c qemu:///system  qemu-agent-command f21x86_64 \
>    '{ "execute": "guest-set-admin-password", "arguments":
>      { "crypted": true, "password":
>         "$6$T9O/j/aGPrE...snip....rQoRN4F0.GG0MPjNUNyml." } }'
> =

> NB windows support is desirable, but not implemented in this
> patch.
> =

> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  qga/commands-posix.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++=
++++++
>  qga/commands-win32.c |  6 ++++
>  qga/qapi-schema.json | 13 ++++++++
>  3 files changed, 108 insertions(+)
> =

> diff --git a/qga/commands-posix.c b/qga/commands-posix.c
> index f6f3e3c..3c3998a 100644
> --- a/qga/commands-posix.c
> +++ b/qga/commands-posix.c
> @@ -1875,6 +1875,89 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorL=
ist *vcpus, Error **errp)
>      return processed;
>  }
> =

> +void qmp_guest_set_admin_password(bool crypted, const char *password,
> +                                  Error **errp)
> +{
> +    Error *local_err =3D NULL;
> +    char *passwd_path =3D NULL;
> +    pid_t pid;
> +    int status;
> +    int datafd[2] =3D { -1, -1 };
> +    char *acctpw =3D g_strdup_printf("root:%s\n", password);
> +
> +    if (strchr(password, '\n')) {
> +        error_setg(errp, "forbidden characters in new password");
> +        goto out;
> +    }
> +
> +    passwd_path =3D g_find_program_in_path("chpasswd");
> +
> +    if (!passwd_path) {
> +        error_setg(errp, "cannot find 'passwd' program in PATH");
> +        goto out;
> +    }
> +
> +    if (pipe(datafd) < 0) {
> +        error_setg(errp, "cannot create pipe FDs");
> +        goto out;
> +    }
> +
> +    pid =3D fork();
> +    if (pid =3D=3D 0) {
> +        close(datafd[1]);
> +        /* child */
> +        setsid();
> +        dup2(datafd[0], 0);
> +        reopen_fd_to_null(1);
> +        reopen_fd_to_null(2);
> +
> +        if (crypted) {
> +            execle(passwd_path, "chpasswd", "-e", NULL, environ);
> +        } else {
> +            execle(passwd_path, "chpasswd", NULL, environ);
> +        }
> +        _exit(EXIT_FAILURE);
> +    } else if (pid < 0) {
> +        error_setg_errno(errp, errno, "failed to create child process");
> +        goto out;
> +    }
> +    close(datafd[0]);
> +    datafd[0] =3D -1;
> +
> +    if (write(datafd[1], acctpw, strlen(acctpw)) !=3D strlen(acctpw)) {
> +        error_setg(errp, "cannot write new account password");
> +        goto out;
> +    }

We should probably retry on EINTR, and for cases where -1 is returned I
think error_setg_errno() would be useful.

> +    close(datafd[1]);
> +    datafd[1] =3D -1;
> +
> +    ga_wait_child(pid, &status, &local_err);
> +    if (local_err) {
> +        error_propagate(errp, local_err);
> +        goto out;
> +    }
> +
> +    if (!WIFEXITED(status)) {
> +        error_setg(errp, "child process has terminated abnormally");
> +        goto out;
> +    }
> +
> +    if (WEXITSTATUS(status)) {
> +        error_setg(errp, "child process has failed to suspend");

"... has failed to set admin password" or somesuch

> +        goto out;
> +    }
> +
> +out:
> +    g_free(acctpw);
> +    g_free(passwd_path);
> +    if (datafd[0] !=3D -1) {
> +        close(datafd[0]);
> +    }
> +    if (datafd[1] !=3D -1) {
> +        close(datafd[1]);
> +    }
> +}
> +
>  #else /* defined(__linux__) */
> =

>  void qmp_guest_suspend_disk(Error **errp)
> @@ -1910,6 +1993,12 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorL=
ist *vcpus, Error **errp)
>      return -1;
>  }
> =

> +void qmp_guest_set_admin_password(bool crypted, const char *password,
> +                                  Error **errp)
> +{
> +    error_set(errp, QERR_UNSUPPORTED);
> +}
> +
>  #endif
> =

>  #if !defined(CONFIG_FSFREEZE)
> diff --git a/qga/commands-win32.c b/qga/commands-win32.c
> index 3bcbeae..56854d5 100644
> --- a/qga/commands-win32.c
> +++ b/qga/commands-win32.c
> @@ -446,6 +446,12 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorLis=
t *vcpus, Error **errp)
>      return -1;
>  }
> =

> +void qmp_guest_set_admin_password(bool crypted, const char *password,
> +                                  Error **errp)
> +{
> +    error_set(errp, QERR_UNSUPPORTED);
> +}
> +
>  /* add unsupported commands to the blacklist */
>  GList *ga_command_blacklist_init(GList *blacklist)
>  {
> diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
> index 376e79f..202d3be 100644
> --- a/qga/qapi-schema.json
> +++ b/qga/qapi-schema.json
> @@ -738,3 +738,16 @@
>  ##
>  { 'command': 'guest-get-fsinfo',
>    'returns': ['GuestFilesystemInfo'] }
> +
> +##
> +# @guest-set-admin-password
> +#
> +# @crypted: true if password is already crypt()d, false if raw

Should we have some sort of note about what sort of encryption
scheme is expected, or a way to query for it?

> +# @password: the new password entry
> +#
> +# Returns: Nothing on success.
> +#
> +# Since 2.3
> +##
> +{ 'command': 'guest-set-admin-password',
> +  'data': { 'crypted': 'bool', 'password': 'str' } }
> -- =

> 2.1.0