From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55384)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1Y8CGd-00068n-JT
	for qemu-devel@nongnu.org; Mon, 05 Jan 2015 13:20:40 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1Y8CGY-0008Of-3T
	for qemu-devel@nongnu.org; Mon, 05 Jan 2015 13:20:39 -0500
Received: from mail-lb0-f169.google.com ([209.85.217.169]:61779)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1Y8CGX-0008Oa-O3
	for qemu-devel@nongnu.org; Mon, 05 Jan 2015 13:20:33 -0500
Received: by mail-lb0-f169.google.com with SMTP id p9so18478662lbv.28
	for <qemu-devel@nongnu.org>; Mon, 05 Jan 2015 10:20:32 -0800 (PST)
MIME-Version: 1.0
In-Reply-To: <20150105181354.GN29381@redhat.com>
References: <CAOqyLXjX2R7bSFX8kgZ=QheLRnULDh2qWep2mMXf9QN4qa5vqQ@mail.gmail.com>
	<CAFEAcA_FsHYmOieHkwW_ZJA7Lm2mnhgeUs1HG9gpVwt7tZafzA@mail.gmail.com>
	<20150105181354.GN29381@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
Date: Mon, 5 Jan 2015 18:20:12 +0000
Message-ID: <CAFEAcA--yDRwXuCLRtEmeEGEye1WMAnUpXJ-jje6MEpFSSWcAw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [Qemu-devel] Possible security enhancement for QEMU
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Attila-Mihaly Balazs <dify.ltd@gmail.com>, QEMU Developers <qemu-devel@nongnu.org>

On 5 January 2015 at 18:13, Daniel P. Berrange <berrange@redhat.com> wrote:
> Configuring 0.0.0.0 and no auth is a valid setup *provided* the virtualization
> host itself is on a secured network. In fact this is the normal setup for an
> OpenStack deployment, since the virt host/VNC server is not intended to ever
> be directly exposed to the internet. Instead the user accesses the VNC server
> via an authenticated VNC proxy tunnelled over HTTPs. So printing out such an
> error message or refusing to launch would be wrong - QEMU doesn't know the
> context of how it is being used.

Well, the question is what the default should be, and whether you should
have to take explicit action to enable a possibly-insecure configuration.
At the moment you don't, and this seems to have resulted in a lot of
people presumably unintentionally leaving themselves wide open to
access from the internet.

So it comes down to "are we willing to one-time break currently working
configs for people with openstack type deployments who will now need to
put no-auth-is-ok in their command line switches, in order to protect
new users against shooting themselves in the foot without realising it?".
You could argue it either way...

>> Seems reasonable to me. Some questions:
>>  * do we need an option for "yes, I know what I'm doing and do not
>>    want any authentication" ?
>>  * how many of these VMs are configured for wide-open VNC by libvirt or
>>    similar management tool rather than by the user directly running QEMU?
>
> Libvirt will always set the listen address to 127.0.0.1 if not otherwise
> specified, and so not rely on QEMU's (insecure) default.  So if any VMs
> managed by libvirt are using a public IP address, this was requested
> explicitly by the admin or the mgmt app using libvrt.

That's good to hear.

-- PMM