From mboxrd@z Thu Jan 1 00:00:00 1970
From: Avi Kivity
Subject: Re: [PATCH 1/2] kvm tools: Export DISPLAY ENV as our default host ip address
Date: Wed, 05 Sep 2012 14:56:48 +0300
Message-ID: <50473E00.2010809@redhat.com>
References: <1345807781-23452-1-git-send-email-asias.hejun@gmail.com> <5045FD1E.2080602@redhat.com> <50470592.4090002@redhat.com> <50471B8B.5060701@redhat.com> <5047212F.50508@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: Pekka Enberg , Sasha Levin , Ingo Molnar , Cyrill Gorcunov , kvm@vger.kernel.org
To: Asias He
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:12802 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751318Ab2IEL46 (ORCPT ); Wed, 5 Sep 2012 07:56:58 -0400
In-Reply-To:
Sender: kvm-owner@vger.kernel.org
List-ID:

On 09/05/2012 01:14 PM, Asias He wrote:
> On Wed, Sep 5, 2012 at 5:53 PM, Avi Kivity wrote:
>> On 09/05/2012 12:46 PM, Asias He wrote:
>>>> Ok. Then the socat command not only exposes the display to the guest,
>>>> but also to any local process with access to localhost:6000.
>>>
>>> Yes. It is a trick for people with 'Xorg -nolisten tcp' enabled.
>>
>> Which is hopefully everyone.
>
> Yup. That's why I want the socat trick ;-d

No, it's horribly insecure.

One option is to generate a temporary keypair and use ssh. Or you can
make the guest talk to an internal unix-domain socket, tunnel that
through virtio-serial, terminate virtio-serial in lkvm, and direct it
towards the local X socket.

It's more work than exposing X11 via tcp, but if the user said
-nolisten tcp, you must respect it.

-- 
error compiling committee.c: too many arguments to function