Date: Mon, 5 Jan 2015 18:13:55 +0000
From: "Daniel P. Berrange"
Message-ID: <20150105181354.GN29381@redhat.com>
Subject: Re: [Qemu-devel] Possible security enhancement for QEMU
To: Peter Maydell
Cc: Attila-Mihaly Balazs, QEMU Developers

On Mon, Dec 29, 2014 at 09:26:45PM +0000, Peter Maydell wrote:
> On 29 December 2014 at 19:09, Attila-Mihaly Balazs wrote:
> > My suggestion for improvement would be:
> > - change the behaviour of "-vnc :port" such that it listens on "127.0.0.1"
> > when the IP isn't specified
> > - if host is "0.0.0.0" (perhaps also include any routable IPv4 addresses -
> > and non-link-local IPv6 addresses) and no authentication method is specified
> > error out with a message like "It is recommended that you DO NOT expose the
> > VNC server directly to the public internet. If you are sure of what you are
> > doing, please specify an authentication method for the VNC server. See the
> > documentation for more details"

Configuring 0.0.0.0 and no auth is a valid setup *provided* the
virtualization host itself is on a secured network.

In fact this is the normal setup for an OpenStack deployment, since the
virt host/VNC server is not intended to ever be directly exposed to the
internet. Instead the user accesses the VNC server via an authenticated
VNC proxy tunnelled over HTTPS. So printing out such an error message or
refusing to launch would be wrong - QEMU doesn't know the context of how
it is being used.

> Seems reasonable to me. Some questions:
> * do we need an option for "yes, I know what I'm doing and do not
> want any authentication" ?
> * how many of these VMs are configured for wide-open VNC by libvirt or
> similar management tool rather than by the user directly running QEMU?

Libvirt will always set the listen address to 127.0.0.1 if not otherwise
specified, and so not rely on QEMU's (insecure) default. So if any VMs
managed by libvirt are using a public IP address, this was requested
explicitly by the admin or the mgmt app using libvirt.

Regards,
Daniel

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
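Added example for this thread (not code from the thread, from QEMU or from libvirt): a small checker that parses the argument given to QEMU's -vnc option, classifies where the server listens, and flags a non-loopback listener that carries no authentication option. It encodes the point both sides make above: a bare "-vnc :N" binds every interface (QEMU's default, as the thread states), "127.0.0.1:N" is what libvirt emits, and "0.0.0.0:N" with no auth is only a problem depending on the network the host sits on, so the checker reports it rather than refusing it. Assumptions: the option names treated as authentication markers (password, password-secret, sasl, tls-creds, x509verify) are from the -vnc documentation as recalled here and should be checked against the QEMU version in use; the display syntax handled is host:display, [v6]:display, unix:path and none; the sample command lines are constructed for the example.

```python
"""Classify a QEMU ``-vnc`` argument by listen scope and authentication.

Constructed example for the qemu-devel thread on exposed VNC listeners;
not QEMU or libvirt code. The display forms handled and the option names
taken as authentication markers are assumptions drawn from the -vnc
documentation and should be checked against the QEMU version you run.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# -vnc options that imply a client must authenticate (assumption, see above).
AUTH_OPTIONS = {"password", "password-secret", "sasl", "tls-creds", "x509verify"}
LOOPBACK_NAMES = {"localhost"}


class VncListen(NamedTuple):
    scope: str             # "none", "unix", "loopback", "wildcard", "link-local", "remote"
    host: str
    port: Optional[int]    # TCP port (5900 + display number) when applicable
    authenticated: bool

    @property
    def exposed_without_auth(self) -> bool:
        """True when the listener is reachable off-host and needs no credentials."""
        return self.scope in ("wildcard", "remote") and not self.authenticated


def _split_display(display: str) -> Tuple[str, str]:
    """Split ``host:display`` into (host, display), honouring ``[v6]`` brackets."""
    if display.startswith("["):
        end = display.index("]")
        rest = display[end + 1:]
        if not rest.startswith(":"):
            raise ValueError(f"bad vnc display: {display!r}")
        return display[1:end], rest[1:]
    host, sep, num = display.rpartition(":")
    if not sep:
        raise ValueError(f"bad vnc display: {display!r}")
    return host, num


def _classify_host(host: str) -> str:
    # An omitted host (``-vnc :1``) binds all interfaces, which is the
    # default behaviour the thread is discussing.
    if host == "":
        return "wildcard"
    if host.lower() in LOOPBACK_NAMES:
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname we cannot resolve offline: assume it names a reachable
        # interface, the conservative choice for an exposure check.
        return "remote"
    if addr.is_unspecified:
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "remote"


def parse_vnc_arg(arg: str) -> VncListen:
    """Parse the string given to ``-vnc``, e.g. ``0.0.0.0:1,password``."""
    display, *options = arg.split(",")
    opt_names = {o.split("=", 1)[0] for o in options}
    authenticated = bool(opt_names & AUTH_OPTIONS)
    if display == "none":
        return VncListen("none", "", None, authenticated)
    if display.startswith("unix:"):
        return VncListen("unix", display[len("unix:"):], None, authenticated)
    host, num = _split_display(display)
    try:
        port = 5900 + int(num)
    except ValueError:
        raise ValueError(f"bad vnc display number in {arg!r}") from None
    return VncListen(_classify_host(host), host, port, authenticated)


def audit_cmdlines(cmdlines: List[List[str]]) -> List[Tuple[int, VncListen]]:
    """Return (index, listener) for each command line exposing VNC without auth."""
    findings = []
    for i, argv in enumerate(cmdlines):
        for j, tok in enumerate(argv):
            if tok == "-vnc" and j + 1 < len(argv):
                listen = parse_vnc_arg(argv[j + 1])
                if listen.exposed_without_auth:
                    findings.append((i, listen))
    return findings


# Constructed sample command lines (not captured from any real host).
SAMPLE_CMDLINES = [
    ["qemu-system-x86_64", "-vnc", ":1"],                    # QEMU default: all interfaces
    ["qemu-system-x86_64", "-vnc", "127.0.0.1:0"],           # what libvirt emits by default
    ["qemu-system-x86_64", "-vnc", "0.0.0.0:2,password"],    # open bind, but password required
    ["qemu-system-x86_64", "-vnc", "[::]:3,tls-creds=tls0"], # IPv6 wildcard with TLS creds
    ["qemu-system-x86_64", "-vnc", "unix:/tmp/vm.sock"],     # local socket, filesystem perms
    ["qemu-system-x86_64", "-vnc", "192.0.2.10:4"],          # specific address, no auth
]

if __name__ == "__main__":
    for idx, listen in audit_cmdlines(SAMPLE_CMDLINES):
        print(f"cmdline {idx}: VNC on {listen.host or '*'}:{listen.port} "
              f"({listen.scope}) with no authentication option")
```

Run as a script it reports command lines 0 and 5. Whether those are actually a problem is exactly the judgement Daniel describes: on an OpenStack compute node behind an authenticated HTTPS VNC proxy, finding 0 is the intended configuration, so the checker is written to report rather than refuse.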