|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] Scrub VNC passwords from XenD log files
On Tue, Dec 05, 2006 at 07:31:25PM +0000, Daniel P. Berrange wrote: > The XendDomainInfo and XendConfig classes both log the guest VM config data > to the /var/log/xen/xend.log in many places. Unfortunately the VNC passwords > are stored in plain text in the guest VM config files. So we end up with > plain text passwords in the xend.log file > > Now we can make /var/log/xen mode 0700 to protect them from local users, > but it is very common when debugging issues to request that a user attach > the contents of /var/log/xen/xend.log to the bug report ticket, or emails > sent to mailing lists. This will obviously compromise any VNC passwords > to essentially the while world & his dog. What's more, Google will make > it incredibly easy to search for these too. > > > There are a few potential approaches to this > > 1. Remove all logging from xend.log > 2. Change default log level to only record WARN and higher, so DEBUG > stuff is not recorded normally > 3. Scrub the passwords out of the data being logged > 4. Do nothing > > I really don't like options 1 or 2, because the stuff XenD is logging is > actually incredibly helpful when debugging end user problems. 4 is not > really a viable option either. So we're left with 3. > > Thus I am attaching a prototype patch which scrubs VNC passwords out of > the data being logged by XenD. That looks good to me -- could I have a Signed-off-by line, so I can apply it? Thanks, Ewan. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |