From: Peter Lieven <pl@kamp.de>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: kwolf@redhat.com, ronniesahlberg@gmail.com,
qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH] block/nfs: add support for setting debug level
Date: Thu, 25 Jun 2015 15:26:46 +0200 [thread overview]
Message-ID: <558C0196.1050208@kamp.de> (raw)
In-Reply-To: <20150625131806.GG4419@stefanha-thinkpad.redhat.com>
Am 25.06.2015 um 15:18 schrieb Stefan Hajnoczi:
> On Tue, Jun 23, 2015 at 10:12:15AM +0200, Peter Lieven wrote:
>> upcoming libnfs versions will support logging debug messages. Add
>> support for it in qemu through an URL parameter.
>>
>> Signed-off-by: Peter Lieven <pl@kamp.de>
>> ---
>> block/nfs.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/block/nfs.c b/block/nfs.c
>> index ca9e24e..f7388a3 100644
>> --- a/block/nfs.c
>> +++ b/block/nfs.c
>> @@ -329,6 +329,10 @@ static int64_t nfs_client_open(NFSClient *client, const char *filename,
>> } else if (!strcmp(qp->p[i].name, "readahead")) {
>> nfs_set_readahead(client->context, val);
>> #endif
>> +#ifdef LIBNFS_FEATURE_DEBUG
>> + } else if (!strcmp(qp->p[i].name, "debug")) {
>> + nfs_set_debug(client->context, val);
>> +#endif
>> } else {
>> error_setg(errp, "Unknown NFS parameter name: %s",
>> qp->p[i].name);
> Untrusted users may be able to set these options since they are encoded
> in the URI. I'm imagining a hosting or cloud scenario like OpenStack.
>
> A verbose debug level spams stderr and could consume a lot of disk
> space.
>
> (The uid and gid options are probably okay since the NFS server cannot
> trust the uid/gid coming from QEMU anyway.)
>
> I think we can merge this patch for QEMU 2.4 but I'd like to have a
> discussion about the security risk of encoding libnfs options in the
> URI.
>
> CCed Eric Blake in case libvirt is affected.
>
> Has anyone thought about this and what are the rules?
Good point. In general I think there should be some kind of sanitization of the parameters
before they are passed on to Qemu. In our use case the user cannot pass any kind of URIs himself,
but this might be different in other backends. The readahead value is as dangerous as well
if not sanitized.
I had a discussion with Ronnie in the past if we should encode parameters in the URI or via environment
like it is done in libiscsi. If I remember correctly we came up with the URI parameters for better usability,
but hadn't attack scenarios in mind.
I am also open to only allow uncritical parameters in the URI and pass others via a new -nfs cmdline option.
Or limit max readahead and max debug level settable via URI.
Peter
next prev parent reply other threads:[~2015-06-25 13:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-23 8:12 [Qemu-devel] [PATCH] block/nfs: add support for setting debug level Peter Lieven
2015-06-25 13:18 ` [Qemu-devel] [Qemu-block] " Stefan Hajnoczi
2015-06-25 13:26 ` Peter Lieven [this message]
2015-06-26 9:14 ` Stefan Hajnoczi
2015-06-26 9:23 ` Peter Lieven
2015-09-22 6:13 ` Peter Lieven
2015-10-22 6:37 ` Peter Lieven
2015-10-26 10:45 ` Stefan Hajnoczi
2015-10-26 10:53 ` Peter Lieven
2015-09-22 16:07 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=558C0196.1050208@kamp.de \
--to=pl@kamp.de \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=ronniesahlberg@gmail.com \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).