On Tue, Jul 09, 2019 at 07:53:15AM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berra...@redhat.com> writes:
> 
> > On Mon, Jul 08, 2019 at 12:27:12PM +0200, Philippe Mathieu-Daudé wrote:
> [...]
> >> Anyway, to stop bikeshedding this thread, can you add few lines about
> >> why not use getenv() in the HACKING?
> >
> > I don't actually think the getenv thing is a security issue in any case.
> > If there was a security problem exploitable via getenv, then the bug would
> > lie in the application invoking QEMU for not ensuring the ENV contents
> > were safe before exec'ing QEMU.
> 
> Correct.
> 
> >                                 Libvirt is paranoid by default and scrubs
> > QEMU's env only keeping a specific sanitized whitelist for exactly these
> > reasons.
> 
> Must have for running programs with different privileges.
> 
> Corollary: a program that does not use getenv() at all is slightly
> harder to misuse with different privileges.  Irrelevant in practice,
> because libraries use getenv(), starting with ld.so.

I'll reiterate that I'm happy to merge this but would first like to know
if Philippe is satisfied with adding it just to qtest?

Let's just add it to qtest if that is enough.  Otherwise let's bring it
into QEMU proper.

Stefan
