Re: [Qemu-devel] [PATCH] vnc: Fix password expiration through 'change vnc ""'

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Anthony Liguori <anthony@codemonkey.ws>
Cc: Neil Wilson <neil@aldur.co.uk>,
	qemu-devel@nongnu.org, Gerd Hoffman <kraxel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] vnc: Fix password expiration through 'change vnc ""'
Date: Mon, 31 Jan 2011 15:32:51 -0600	[thread overview]
Message-ID: <4D472A83.4070907@codemonkey.ws> (raw)
In-Reply-To: <1296506599-7126-1-git-send-email-aliguori@us.ibm.com>

On 01/31/2011 02:43 PM, Anthony Liguori wrote:
> commit 52c18be9e99dabe295321153fda7fce9f76647ac introduced a regression in the
> change vnc password command that changed the behavior of setting the VNC
> password to an empty string from disabling login to disabling authentication.
>
> This commit refactors the code to eliminate this overloaded semantics in
> vnc_display_password and instead introduces the vnc_display_disable_login.   The
> monitor implementation then determines the behavior of an empty or missing
> string.
>
> Recently, a set_password command was added that allows both the Spice and VNC
> password to be set.  This command has not shown up in a release yet so the
> behavior is not yet defined.
>
> This patch proposes that an empty password be treated as an empty password with
> no special handling.  For specifically disabling login, I believe a new command
> should be introduced instead of overloading semantics.
>
> I'm not sure how Spice handles this but I would recommend that we have Spice
> and VNC have consistent semantics here for the 0.14.0 release.
>
> Reported-by: Neil Wilson<neil@aldur.co.uk>
> Signed-off-by: Anthony Liguori<aliguori@us.ibm.com>
>
> diff --git a/console.h b/console.h
> index 3157330..f4e4741 100644
> --- a/console.h
> +++ b/console.h
> @@ -369,6 +369,7 @@ void vnc_display_init(DisplayState *ds);
>   void vnc_display_close(DisplayState *ds);
>   int vnc_display_open(DisplayState *ds, const char *display);
>   int vnc_display_password(DisplayState *ds, const char *password);
> +int vnc_display_disable_login(DisplayState *ds);
>   int vnc_display_pw_expire(DisplayState *ds, time_t expires);
>   void do_info_vnc_print(Monitor *mon, const QObject *data);
>   void do_info_vnc(Monitor *mon, QObject **ret_data);
> diff --git a/monitor.c b/monitor.c
> index c5f54f4..24ed971 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -1018,6 +1018,13 @@ static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data)
>
>   static int change_vnc_password(const char *password)
>   {
> +    if (!password || !password[0]) {
> +        if (vnc_display_disable_login(NULL)) {
> +            qerror_report(QERR_SET_PASSWD_FAILED);
> +            return -1;
> +        }
>    

Missing return 0;

However, since there is a check in the password handlign in VNC for 
empty password too, this still ended up working as expected.  I've 
removed that additional check locally and then added the return 0; such 
that I could confirm the functionality again.

Regards,

Anthony Liguori

> +    }
> +
>       if (vnc_display_password(NULL, password)<  0) {
>           qerror_report(QERR_SET_PASSWD_FAILED);
>           return -1;
> @@ -1117,6 +1124,8 @@ static int set_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
>               qerror_report(QERR_INVALID_PARAMETER, "connected");
>               return -1;
>           }
> +        /* Note that setting an empty password will not disable login through
> +         * this interface. */
>           rc = vnc_display_password(NULL, password);
>           if (rc != 0) {
>               qerror_report(QERR_SET_PASSWD_FAILED);
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 495d6d6..73e7ffa 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2484,6 +2484,24 @@ void vnc_display_close(DisplayState *ds)
>   #endif
>   }
>
> +int vnc_display_disable_login(DisplayState *ds)
> +{
> +    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
> +
> +    if (!vs) {
> +        return -1;
> +    }
> +
> +    if (vs->password) {
> +        qemu_free(vs->password);
> +    }
> +
> +    vs->password = NULL;
> +    vs->auth = VNC_AUTH_VNC;
> +
> +    return 0;
> +}
> +
>   int vnc_display_password(DisplayState *ds, const char *password)
>   {
>       VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
> @@ -2492,19 +2510,18 @@ int vnc_display_password(DisplayState *ds, const char *password)
>           return -1;
>       }
>
> +    if (!password) {
> +        /* This is not the intention of this interface but err on the side
> +           of being safe */
> +        return vnc_display_disable_login(ds);
> +    }
> +
>       if (vs->password) {
>           qemu_free(vs->password);
>           vs->password = NULL;
>       }
> -    if (password&&  password[0]) {
> -        if (!(vs->password = qemu_strdup(password)))
> -            return -1;
> -        if (vs->auth == VNC_AUTH_NONE) {
> -            vs->auth = VNC_AUTH_VNC;
> -        }
> -    } else {
> -        vs->auth = VNC_AUTH_NONE;
> -    }
> +    vs->password = qemu_strdup(password);
> +    vs->auth = VNC_AUTH_VNC;
>
>       return 0;
>   }
>

next prev parent reply	other threads:[~2011-01-31 21:34 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-01-31 20:43 [Qemu-devel] [PATCH] vnc: Fix password expiration through 'change vnc ""' Anthony Liguori
2011-01-31 21:32 ` Anthony Liguori [this message]
2011-02-03 16:29 ` [Qemu-devel] " Daniel P. Berrange
2011-02-03 16:35   ` Anthony Liguori
2011-02-03 17:02     ` Daniel P. Berrange
2011-02-03 17:16       ` Anthony Liguori
2011-02-04  8:56         ` Markus Armbruster
2011-02-14 10:57 ` Gerd Hoffmann
2011-02-14 12:10   ` Anthony Liguori
2011-02-14 12:24     ` Daniel P. Berrange
2011-02-14 14:14       ` Anthony Liguori
2011-02-14 14:47         ` Daniel P. Berrange
2011-02-14 13:56     ` Gerd Hoffmann
2011-02-14 14:16       ` Anthony Liguori

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D472A83.4070907@codemonkey.ws \
    --to=anthony@codemonkey.ws \
    --cc=kraxel@redhat.com \
    --cc=neil@aldur.co.uk \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).