[Spice-devel] spice-client: "-w password" (on the command line) is a security risk

Christophe Fergeau cfergeau at redhat.com
Mon May 13 04:10:01 PDT 2013


On Sun, Apr 07, 2013 at 09:05:34PM -0500, Rob Browning wrote:
> (If possible, please preserve the 704229-forwarded address in any replies.)
> 
> I reported the following bug to the Debian bug tracker, but realized it
> should probably just be forwarded upstream.
> 
> Rob Browning <rlb at defaultvalue.org> writes:
> 
> > Package: spice-client
> > Version: 0.11.0-1
> >
> > I think the spice client should probably support some other way of
> > specifying the password since putting it on the command line makes it
> > visible to any other users on the system.
> >
> > A reasonable alternative might be "--password-file foo".
> 
> (cf. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704229)

The recommended client these days is remote-viewer which does not allow
passing the password on the command line, so this is less of an issue

Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20130513/40b470d1/attachment.pgp>


More information about the Spice-devel mailing list