| |
|
 |
|
 |
|
|
|
| |
|
|
xen-devel
Re: [Xen-devel] [PATCH] Scrub VNC passwords from XenD log files
On Tue, Dec 05, 2006 at 07:31:25PM +0000, Daniel P. Berrange wrote:
> The XendDomainInfo and XendConfig classes both log the guest VM config data
> to the /var/log/xen/xend.log in many places. Unfortunately the VNC passwords
> are stored in plain text in the guest VM config files. So we end up with
> plain text passwords in the xend.log file
>
> Now we can make /var/log/xen mode 0700 to protect them from local users,
> but it is very common when debugging issues to request that a user attach
> the contents of /var/log/xen/xend.log to the bug report ticket, or emails
> sent to mailing lists. This will obviously compromise any VNC passwords
> to essentially the while world & his dog. What's more, Google will make
> it incredibly easy to search for these too.
>
>
> There are a few potential approaches to this
>
> 1. Remove all logging from xend.log
> 2. Change default log level to only record WARN and higher, so DEBUG
> stuff is not recorded normally
> 3. Scrub the passwords out of the data being logged
> 4. Do nothing
>
> I really don't like options 1 or 2, because the stuff XenD is logging is
> actually incredibly helpful when debugging end user problems. 4 is not
> really a viable option either. So we're left with 3.
>
> Thus I am attaching a prototype patch which scrubs VNC passwords out of
> the data being logged by XenD.
That looks good to me -- could I have a Signed-off-by line, so I can apply it?
Thanks,
Ewan.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
|
|
| |
|
Home