unattended: Read the passwords from a file

Let's not expose the user/root password in the CLI and, instead, let's
rely on a file passed by the admin and read the password from there.

'CVE-2019-10183' has been assigned to the virt-install --unattended
admin-password=xxx disclosure issue.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

1 files changed, 17 insertions, 7 deletions

diff --git a/man/virt-install.pod b/man/virt-install.pod
index d8bd4127..081f28c3 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -612,13 +612,23 @@ Choose which libosinfo unattended profile to use. Most distros have
 a 'desktop' and a 'jeos' profile. virt-install will default to 'desktop'
 if this is unspecified.
 
-=item B<admin-password=>
-
-Set the VM OS admin/root password
-
-=item B<user-password=>
-
-Set the VM user password. The username is your current host username
+=item B<admin-password-file=>
+
+A file used to set the VM OS admin/root password from. This option can
+be used either as "admin-password-file=/path/to/password-file" or as
+"admin-password-file=/dev/fd/n", being n the file descriptor of the
+password-file.
+Note that only the first line of the file will be considered, including
+any whitespace characters and excluding new-line.
+
+=item B<user-password-file=>
+
+A file used to set the VM user password. This option can be used either as
+"user-password-file=/path/to/password-file" or as
+"user-password-file=/dev/fd/n", being n the file descriptor of the
+password-file. The username is your current host username.
+Note that only the first line of the file will be considered, including
+any whitespace characters and excluding new-line.
 
 =item B<product-key=>