Please include sasl support into KVM

Bug #621639 reported by Christian Roessner
This bug affects 1 person

Affects: qemu-kvm (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Dustin Kirkland

Bug Description

Binary package hint: kvm

Hi all,

Please include sasl support into KVM.

--snip--
Hi Dustin,

sorry if I bother you, but could it be that kvm lacks sasl support for the vnc flag? I checked the debian/control file and saw that sasl was not included. Why? Without it, VNC only would work over x509, but there are nearly no vnc viewers that support x509. So I consider this a lack of security.

I enabled vnc with:

-vnc :1,sasl,acl

The acl_show vnc.username says: unknown list

Please, if this is a bug, can you rebuild kvm with sasl-support?

Hi Christian,

This may be an easy thing to fix, if the necessary build dependency is
in the Ubuntu main archive (rather than universe).

FWIW, qemu-kvm/configure suggests cyrus-sasl, which is in main.
So, like Dustin said, please file a bug and we should be able to
get that in lickety-split.

thanks,
-serge

I see several sasl-related packages in the archive... Specifically
which one are you requesting that we build qemu-kvm against?

Sorry it took me so long to find this email...ideally, you'd file this
as a wishlist bug against qemu-kvm in Launchpad.net, and I probably
would have gotten to it by now :-)

Thanks,
--
:-Dustin
--snap--

Thanks
Christian

Dustin Kirkland  (kirkland) wrote :

Hi Christian, thanks for the bug report!

I think this looks like a reasonable request, but I have a question...

Is this a new build-time dependency, or just a run time dependency?

ie, if you just 'sudo apt-get install qemu-kvm cyrus-sasl', and then run with vnc/sasl, does it work?

If so, we can simply add a recommends on cyrus-sasl.

Or, does qemu-kvm need to be rebuilt with some additional sasl library? If so, what is the exact library we need to compile against?

Thanks!
:-Dustin

Changed in kvm (Ubuntu):
importance: Undecided → Wishlist
status: New → Incomplete
assignee: nobody → Dustin Kirkland (kirkland)
Christian Roessner (christian-roessner-net) wrote :

You need to recompile kvm. I tried it with simply the libsasl2-dev package.

debian/rules:

--- rules 2010-08-21 23:58:53.000000000 +0200
+++ rules.new 2010-08-22 00:02:54.681408215 +0200
@@ -11,6 +11,7 @@
 # Note: We differ from Debian here by favoring the pulseaudio driver, since that's default in Ubuntu.
 # Users override this when calling qemu by exporting the environment variable QEMU_AUDIO_DRV.
 conf_arch += --audio-drv-list="pa,alsa,sdl,oss"
+conf_arch += --enable-vnc-sasl
 endif
 ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
 conf_arch += --audio-drv-list=oss,sdl,pa
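
Review bot: the added `conf_arch += --enable-vnc-sasl` sits inside the conditional block that ends at `endif`, so the kfreebsd branch that follows still configures without VNC SASL; if the flag is meant for every build, move it outside the per-OS `ifeq` blocks. The line also lands directly under a comment that only explains the audio driver choice, so give it a one-line comment of its own. This hunk touches debian/rules only, and the libsasl2-dev build dependency in debian/control belongs in the same change.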

Add libsasl2-dev to the debian/control file.

Rebuild

...
dh_testdir
./configure \
     --target-list="" \
     --prefix=/usr \
     --interp-prefix=/etc/qemu-binfmt/%M \
     --disable-blobs \
     --disable-strip \
     --audio-drv-list="pa,alsa,sdl,oss" --enable-vnc-sasl
Install prefix /usr
BIOS directory /usr/share/qemu
binary directory /usr/bin
Manual directory /usr/share/man
ELF interp prefix /etc/qemu-binfmt/%M
Source path /usr/local/src/qemu-kvm-0.12.3+noroms
C compiler gcc
Host C compiler gcc
CFLAGS -O2 -g -g -O2 -Wall -g -O2
QEMU_CFLAGS -m64 -Wold-style-definition -Wold-style-declaration -I. -I$(SRC_PATH) -U_FORTIFY_SOURCE -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing
LDFLAGS -Wl,--warn-common -m64 -g -Wl,-Bsymbolic-functions
make make
install install
host CPU x86_64
host big endian no
target list i386-softmmu x86_64-softmmu arm-softmmu cris-softmmu m68k-softmmu microblaze-softmmu mips-softmmu mipsel-softmmu mips64-softmmu mips64el-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu i386-linux-user x86_64-linux-user alpha-linux-user arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user microblaze-linux-user mips-linux-user mipsel-linux-user ppc-linux-user ppc64-linux-user ppc64abi32-linux-user sh4-linux-user sh4eb-linux-user sparc-linux-user sparc64-linux-user sparc32plus-linux-user
tcg debug enabled no
gprof enabled no
sparse enabled no
strip binaries no
profiler no
static build no
-Werror enabled no
SDL support yes
curses support yes
curl support yes
check support no
mingw32 support no
Audio drivers pa alsa sdl oss
Extra audio cards ac97 es1370 sb16
Block whitelist
Mixer emulation no
VNC TLS support yes <---
VNC SASL support yes <---
...

This also enables ACLs. Missing sasl is a security hole for vnc in my opinion.

As you can see, sasl will be easily included. I see it as a bug for current Lucid, so it _could_/should go as an update into Lucid, but I fear it is a feature for upcoming release ;-)

Regards
Christian
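
A build-time check for the two summary lines marked in the comment above, as an added example that is not part of the original report or the Ubuntu packaging: it reads configure output and fails unless both VNC TLS and VNC SASL report yes. The function names `summary_value` and `check_vnc_auth` are hypothetical, and the sample text is constructed in the format of the configure summary quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): fail a package build when the
# configure summary does not report VNC TLS and VNC SASL as enabled.

# Print the first word after a summary label, e.g. "yes" for
# "VNC SASL support yes <---"; print nothing if the label is absent.
summary_value() {   # $1 = label, $2 = configure summary text
    printf '%s\n' "$2" | awk -v label="$1" '
        index($0, label) == 1 {
            split(substr($0, length(label) + 1), f, " ")
            print f[1]
            exit
        }'
}

# 0 = both enabled, 1 = at least one disabled, 2 = a line is missing.
check_vnc_auth() {  # $1 = configure summary text
    result=0
    for label in "VNC TLS support" "VNC SASL support"; do
        value=$(summary_value "$label" "$1")
        case $value in
            yes) ;;
            "")  echo "missing from summary: $label" >&2; return 2 ;;
            *)   echo "not enabled: $label ($value)" >&2; result=1 ;;
        esac
    done
    return "$result"
}

# Constructed sample: three lines in the format of the summary above.
SAMPLE='curl support yes
VNC TLS support yes
VNC SASL support yes'

if check_vnc_auth "$SAMPLE"; then
    echo "VNC TLS and SASL are compiled in"
fi
```

The exit status 2 case separates a summary whose format has changed from one that reports the feature as disabled, so the check does not pass silently when the lines are absent.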

Dustin Kirkland  (kirkland) wrote :

Perfect, thanks.

Changed in kvm (Ubuntu):
status: Incomplete → Triaged
Dustin Kirkland  (kirkland) wrote :

I can't build locally right now, so I've sent a test build to my ppa. Will check back in a few hours. If you're interested in testing my new package, see:
 * https://launchpad.net/~kirkland/+archive/ppa

Look for:
 * qemu-kvm_0.12.5+noroms-0ubuntu3~ppa1

Changed in kvm (Ubuntu):
status: Triaged → In Progress
affects: kvm (Ubuntu) → qemu-kvm (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu-kvm - 0.12.5+noroms-0ubuntu3

---------------
qemu-kvm (0.12.5+noroms-0ubuntu3) maverick; urgency=low

  * debian/rules, debian/control: enable vnc sasl in the build, LP: #621639
 -- Dustin Kirkland <email address hidden> Tue, 24 Aug 2010 09:56:34 -0400

Changed in qemu-kvm (Ubuntu):
status: In Progress → Fix Released