Re: [PATCH 04/11] virStorageBackendISCSISetAuth: Don't bother securely erasing password
On Fri, Dec 09, 2022 at 05:28:56PM +0100, Peter Krempa wrote:
We fetch the password via RPC so it's already contained in an
un-sanitized buffer and pass it to 'iscsiadm' via virCommand where it's
in another un-sanitized buffer (and on the commandline!!).
Just because there are other places in the code which are not
perfect, doesn't mean we should delete this.
Note, if iscsiadm really forces us to pass secrets on the CLI, that
is a significant flaw in its design, that really needs to be reported
as a security bug against iscsiadm IMHO. They need to provide a secure
channel to receiving passwords.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|