Re: [Qemu-devel] Possible security enhancement for QEMU

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Possible security enhancement for QEMU

From:	Daniel P. Berrange
Subject:	Re: [Qemu-devel] Possible security enhancement for QEMU
Date:	Mon, 5 Jan 2015 18:13:55 +0000
User-agent:	Mutt/1.5.23 (2014-03-12)

On Mon, Dec 29, 2014 at 09:26:45PM +0000, Peter Maydell wrote:
> On 29 December 2014 at 19:09, Attila-Mihaly Balazs <address@hidden> wrote:
> > My suggestion for improvement would be:
> > - change the behaviour of "-vnc :port" such that it listens on "127.0.0.1"
> > when the IP isn't specified
> > - if host is "0.0.0.0" (perhaps also include any routable IPv4 addresses -
> > and non-link-local IPv6 addresses) and no authentication method is specified
> > error out with a message like "It is recommended that you DO NOT expose the
> > VNC server directly to the public internet. If you are sure of what you are
> > doing, please specify an authentication method for the VNC server. See the
> > documentation for more details"

Configuring 0.0.0.0 and no auth is a valid setup *provided* the virtualization
host itself is on a secured network. In fact this is the normal setup for an
OpenStack deployment, since the virt host/VNC server is not intended to ever
be directly exposed to the internet. Instead the user accesses the VNC server
via an authenticated VNC proxy tunnelled over HTTPs. So printing out such an
error message or refusing to launch would be wrong - QEMU doesn't know the
context of how it is being used.

> Seems reasonable to me. Some questions:
>  * do we need an option for "yes, I know what I'm doing and do not
>    want any authentication" ?
>  * how many of these VMs are configured for wide-open VNC by libvirt or
>    similar management tool rather than by the user directly running QEMU?

Libvirt will always set the listen address to 127.0.0.1 if not otherwise
specified, and so not rely on QEMU's (insecure) default.  So if any VMs
managed by libvirt are using a public IP address, this was requested
explicitly by the admin or the mgmt app using libvrt.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] Possible security enhancement for QEMU, Daniel P. Berrange <=
- Re: [Qemu-devel] Possible security enhancement for QEMU, Peter Maydell, 2015/01/05

Prev by Date: Re: [Qemu-devel] [RFC v2 1/4] hw/arm/virt: Allow multiple agents to modify dt
Next by Date: Re: [Qemu-devel] [PATCH] target-openrisc: bugfixes for debugging with GDB+Qemu on OpenRISC
Previous by thread: Re: [Qemu-devel] [PATCH] target-openrisc: bugfixes for debugging with GDB+Qemu on OpenRISC
Next by thread: Re: [Qemu-devel] Possible security enhancement for QEMU
Index(es):
- Date
- Thread