From: Eric Blake <eblake@redhat.com>
To: Nir Soffer <nirsof@gmail.com>, qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, kwolf@redhat.com, mreitz@redhat.com,
rjones@redhat.com, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 1/3] nbd: Add option to disallow listing exports
Date: Tue, 17 Apr 2018 14:41:35 -0500 [thread overview]
Message-ID: <ab4f8d4f-c451-181e-e8b5-72a9335f988b@redhat.com> (raw)
In-Reply-To: <20180413192605.2145-2-nirsof@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1973 bytes --]
On 04/13/2018 02:26 PM, Nir Soffer wrote:
> When a management application expose images using qemu-nbd, it needs a
> secure way to allow temporary access to the disk. Using a random export
> name can solve this problem:
>
> nbd://server:10809/22965f19-9ab5-4d18-94e1-cbeb321fa433
I share Dan's concerns that you are trying to protect information
without requiring TLS. If you would just use TLS, then only clients
that can authenticate can list the export names; the fact that the name
leaks at all means you aren't using TLS, so you are just as vulnerable
to a man-in-the-middle attack as you are to the information leak.
>
> Assuming that the url is passed to the user in a secure way, and the
> user is using TLS to access the image.
>
> However, since qemu-nbd implements NBD_OPT_LIST, anyone can easily find
> the secret export:
>
> $ nbd-client -l server 10809
> Negotiation: ..
> 22965f19-9ab5-4d18-94e1-cbeb321fa433
If the server requires TLS, then 'nbd-client -l' already cannot list
names without first negotiating TLS (all commands other than
NBD_OPT_STARTTLS are rejected with NBD_REP_ERR_TLS_REQD if the server
required TLS). Your example is thus invalidating your above assumption
that the user is using TLS.
>
> Add a new --nolist option, disabling listing, similar the "allowlist"
> nbd-server configuration option.
This may still make sense to implement, but not necessarily for the
reasons you are giving.
> @@ -86,6 +88,7 @@ static void usage(const char *name)
> " -v, --verbose display extra debugging information\n"
> " -x, --export-name=NAME expose export by name\n"
> " -D, --description=TEXT with -x, also export a human-readable description\n"
> +" --nolist do not list export\n"
s/export/exports/
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 619 bytes --]
next prev parent reply other threads:[~2018-04-17 19:41 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-13 19:26 [Qemu-devel] [PATCH 0/3] qemu-nbd: Disallow listing exports Nir Soffer
2018-04-13 19:26 ` [Qemu-devel] [PATCH 1/3] nbd: Add option to disallow " Nir Soffer
2018-04-13 21:07 ` Richard W.M. Jones
2018-04-16 10:31 ` Daniel P. Berrangé
2018-04-16 10:53 ` Richard W.M. Jones
2018-04-16 11:00 ` Daniel P. Berrangé
2018-04-17 19:47 ` Eric Blake
2018-04-17 19:41 ` Eric Blake [this message]
2018-04-13 19:26 ` [Qemu-devel] [PATCH 2/3] iotests.py: Add helper for running commands Nir Soffer
2018-04-13 19:26 ` [Qemu-devel] [PATCH 3/3] qemu-iotests: Test new qemu-nbd --nolist option Nir Soffer
2018-04-17 19:56 ` Eric Blake
2018-04-18 9:43 ` Vladimir Sementsov-Ogievskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ab4f8d4f-c451-181e-e8b5-72a9335f988b@redhat.com \
--to=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=nirsof@gmail.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).