[v2] daemon: Don't initialize SASL context if not necessary

[libvirt] [PATCH v2] daemon: Don't initialize SASL context if not necessary

Posted by Peter Krempa 6 years, 10 months ago

SASL context would be initialized even if the corresponding TCP or TLS
sockets are not enabled.

fe772f24a68 attempted to fix the symptom by commenting out the settings,
but that did not fix the root cause. 3c647ee4bbb later reverted those
changes so that the more secure algorithm is used.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1450095
---
v2:
Fix the message also if SASL authentication and the TCP/TLS sockets are
explicitly enabled in config bug --listen is not specified.

 daemon/libvirtd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 891238bcb..bac4bc1b6 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -613,11 +613,11 @@ daemonSetupNetworking(virNetServerPtr srv,

 #if WITH_SASL
     if (config->auth_unix_rw == REMOTE_AUTH_SASL ||
-        config->auth_unix_ro == REMOTE_AUTH_SASL ||
+        (sock_path_ro && config->auth_unix_ro == REMOTE_AUTH_SASL) ||
 # if WITH_GNUTLS
-        config->auth_tls == REMOTE_AUTH_SASL ||
+        (ipsock && config->listen_tls && config->auth_tls == REMOTE_AUTH_SASL) ||
 # endif
-        config->auth_tcp == REMOTE_AUTH_SASL) {
+        (ipsock && config->listen_tcp && config->auth_tcp == REMOTE_AUTH_SASL)) {
         saslCtxt = virNetSASLContextNewServer(
             (const char *const*)config->sasl_allowed_username_list);
         if (!saslCtxt)
-- 
2.12.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v2] daemon: Don't initialize SASL context if not necessary

Posted by Daniel P. Berrange 6 years, 10 months ago

On Fri, Jun 02, 2017 at 02:53:28PM +0200, Peter Krempa wrote:
> SASL context would be initialized even if the corresponding TCP or TLS
> sockets are not enabled.
> 
> fe772f24a68 attempted to fix the symptom by commenting out the settings,
> but that did not fix the root cause. 3c647ee4bbb later reverted those
> changes so that the more secure algorithm is used.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1450095
> ---
> v2:
> Fix the message also if SASL authentication and the TCP/TLS sockets are
> explicitly enabled in config bug --listen is not specified.
> 
>  daemon/libvirtd.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
> index 891238bcb..bac4bc1b6 100644
> --- a/daemon/libvirtd.c
> +++ b/daemon/libvirtd.c
> @@ -613,11 +613,11 @@ daemonSetupNetworking(virNetServerPtr srv,
> 
>  #if WITH_SASL
>      if (config->auth_unix_rw == REMOTE_AUTH_SASL ||
> -        config->auth_unix_ro == REMOTE_AUTH_SASL ||
> +        (sock_path_ro && config->auth_unix_ro == REMOTE_AUTH_SASL) ||
>  # if WITH_GNUTLS
> -        config->auth_tls == REMOTE_AUTH_SASL ||
> +        (ipsock && config->listen_tls && config->auth_tls == REMOTE_AUTH_SASL) ||
>  # endif
> -        config->auth_tcp == REMOTE_AUTH_SASL) {
> +        (ipsock && config->listen_tcp && config->auth_tcp == REMOTE_AUTH_SASL)) {
>          saslCtxt = virNetSASLContextNewServer(
>              (const char *const*)config->sasl_allowed_username_list);
>          if (!saslCtxt)


Reviewed-by: Daniel P. Berrange <berrange@redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list