On Wed, Aug 08, 2012 at 02:17:30PM +0200, Thierry Carrez wrote: > Eric Windisch wrote: > > Unfortunately, this won't be the end of vulnerabilities coming from this "feature". > > Indeed. I would like to see evil file injection die, and be replaced by > cloud-init / config-drive. That's the safest way. > > If we can't totally get rid of file injection, I'd like it to be a clear > second-class citizen that you should enable only if you absolutely need it. If we used the libguestfs APIs instead of guestmount program, then the security characteristics of file injection would be pretty much equivalent to config drive IMHO. In both cases you would be primarily relying on the containment of the QEMU process for security. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|