Print a warning if users pass in secrets as command line arguments and mention it in the man page.
Signed-off-by: Peter Krempa <[email protected]> --- docs/manpages/virsh.rst | 3 +++ tools/virsh-secret.c | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index a7551b9709..823f130f1c 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -6571,6 +6571,9 @@ Base64-encoded value *base64* or Base-64-encoded contents of file named Note that *--file* and *base64* options are mutually exclusive. +Passing secrets via the *base64* option on command line is INSECURE and +deprecated. Use the *--file* option instead. + secret-get-value ---------------- diff --git a/tools/virsh-secret.c b/tools/virsh-secret.c index 66852173b5..0ca08bc133 100644 --- a/tools/virsh-secret.c +++ b/tools/virsh-secret.c @@ -217,6 +217,10 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd) return false; } + /* warn users that the --base64 option passed from command line is wrong */ + if (base64) + vshError(ctl, _("Passing secret value as command-line argument is insecure!")); + if (filename) { ssize_t read_ret; if ((read_ret = virFileReadAll(filename, 1024, &file_buf)) < 0) { -- 2.24.1
