Package: qemu-system-common
Version: 1:5.0-6
Severity: normal
Tags: upstream

The spice video options include "password=<secret>" which is visible on the kvm/qemu command-line.

While using SASL should solve this problem, it is more complex to set up, so most people who use password authentication for Spice access will have it visible via ps to all users on the system.

I think it should be easy to secure systems, so something like a "passwordfile=" option would be good to allow easily setting a password without using SASL and without exposing the password to all users on the same system.

For an example of how other programs do it, here's an excerpt from the mysql man page:

  Specifying a password on the command line should be considered insecure. You can use an option file to avoid giving the password on the command line.

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (800, 'testing'), (700, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages qemu-system-common depends on:
ii libaio1 0.3.112-8
ii libc6 2.30-8
ii libcap-ng0 0.7.9-2.2
ii libgbm1 20.1.2-1
ii libgcc-s1 10.1.0-4
ii libglib2.0-0 2.64.3-2
ii libgnutls30 3.6.14-2
ii libnettle7 3.5.1+really3.5.1-2
ii libpixman-1-0 0.36.0-1
ii libseccomp2 2.4.3-1+b1
ii liburing1 0.6-3
ii libvirglrenderer1 0.8.2-2
ii zlib1g 1:1.2.11.dfsg-2
qemu-system-common recommends no packages.
qemu-system-common suggests no packages.
-- no debconf information