Daniel P. Berrangé <berra...@redhat.com> writes:

> On Mon, Jul 08, 2019 at 12:27:12PM +0200, Philippe Mathieu-Daudé wrote:
[...]
>> Anyway, to stop bikeshedding this thread, can you add a few lines about
>> why not use getenv() in the HACKING?
>
> I don't actually think the getenv thing is a security issue in any case.
> If there was a security problem exploitable via getenv, then the bug would
> lie in the application invoking QEMU for not ensuring the ENV contents
> were safe before exec'ing QEMU.
Correct.

> Libvirt is paranoid by default and scrubs
> QEMU's env only keeping a specific sanitized whitelist for exactly these
> reasons.

Must-have for running programs with different privileges.

Corollary: a program that does not use getenv() at all is slightly harder
to misuse with different privileges.  Irrelevant in practice, because
libraries use getenv(), starting with ld.so.
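As an added illustration of the scrubbing approach described above (example code written for this thread, not libvirt's or QEMU's own; the allowlist, the constructed sample environment and the names scrub_env, env_has and demo_* are assumptions), this builds a fresh envp containing only allowlisted variables so that neither the program's getenv() calls nor the ones in its libraries, ld.so included, can see anything the parent did not intend:

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist of variable names that may reach the child. Constructed for this
 * example; it is not libvirt's actual list. */
static const char *const allowed_names[] = { "PATH", "HOME", "LANG", "TMPDIR", NULL };

/* Returns the length of the NAME part of a "NAME=value" entry, 0 if malformed. */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

/* Returns 1 if the entry's NAME is on the allowlist, else 0. */
static int env_entry_allowed(const char *entry) {
    size_t n = env_name_len(entry);
    if (n == 0) return 0;
    for (size_t i = 0; allowed_names[i]; i++) {
        if (strlen(allowed_names[i]) == n && strncmp(entry, allowed_names[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Frees an envp array produced by scrub_env(). */
void free_env(char **env) {
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

/* Builds a fresh NULL-terminated envp holding copies of only the allowlisted
 * entries of src. Everything else (LD_PRELOAD, LD_LIBRARY_PATH, malloc tunables,
 * malformed entries) is dropped before any code in the child can read it.
 * Returns NULL on allocation failure. */
char **scrub_env(char *const src[]) {
    size_t n = 0;
    while (src[n]) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (!out) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!env_entry_allowed(src[i])) continue;
        out[k] = strdup(src[i]);
        if (!out[k]) { free_env(out); return NULL; }
        k++;
    }
    out[k] = NULL;
    return out;
}

/* Returns 1 if env contains a variable called name, else 0. */
int env_has(char *const env[], const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++) {
        if (env_name_len(env[i]) == len && strncmp(env[i], name, len) == 0) return 1;
    }
    return 0;
}

/* Constructed sample environment, as a careless parent might hand it over. */
static char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "LD_PRELOAD=/tmp/untrusted.so",   /* read by ld.so before main() ever runs */
    "HOME=/var/lib/libvirt",
    "MALLOC_CHECK_=3",                /* read by the allocator, not by QEMU's getenv() */
    "=broken",                        /* empty name: also dropped */
    NULL,
};

/* Scrubs sample_env and reports how many entries survive (-1 on allocation failure). */
int demo_surviving_count(void) {
    char **clean = scrub_env(sample_env);
    if (!clean) return -1;
    int count = 0;
    while (clean[count]) count++;
    free_env(clean);
    return count;
}

/* Reports whether the variable `name` survives the scrub of sample_env. */
int demo_survives(const char *name) {
    char **clean = scrub_env(sample_env);
    if (!clean) return -1;
    int r = env_has(clean, name);
    free_env(clean);
    return r;
}

int main(void) {
    char **clean = scrub_env(sample_env);
    if (!clean) return 1;
    for (size_t i = 0; clean[i]; i++) printf("%s\n", clean[i]);
    /* A real launcher would now execve(path, argv, clean) rather than inheriting environ. */
    free_env(clean);
    return 0;
}
```

The point of the example is the one made above: the filtering happens in the parent, before exec, so it does not matter whether the child itself calls getenv(); the loader and every library it links are covered by the same allowlist. Only PATH and HOME survive the constructed input.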