virt-manager does not prevent other local users from using the VNC and SPICE protocols to access the console of virtual machines created using virt-manager. Using UNIX domain socket connections by default would be the best solution for this. Automatically generated random passwords do not authenticate the server and allow it to be impersonated by other users because it is usually running on an untrusted port.
/etc/libvirt/qemu.conf has an option 'vnc_auto_unix_socket' which changes the default for VNC, but it's obviously not enabled by default. virt-manager can work with it but it's suboptimal. I've opened an upstream bug about improving things here: https://bugzilla.redhat.com/show_bug.cgi?id=1044021 AFAICT qemu doesn't support spice over unix socket, so any request should start there. And if this is RHEL important, I'd recommend filing a bug there where it will get the most attention. There should be a corresponding libvirt bug as well. But the reality is it's been like this forever so it's a known issue, and changing this has the side effect that traditional vnc clients no longer 'just work', which will definitely confuse some users. So definitely not something I would change in a stable Fedora release, and not without a ton of documentation and noise about it. And anyway the default would be changed at the libvirt level, so reassigning there.
Yep, if we defaulted to using UNIX domain sockets we must also make sure virt-viewer, remote-viewer both support that correctly (at least virt-viewer does, not sure about remote-viewer though). Probably also worth checking the TightVNC viewer to see if it does, since some people use that. virt-manager would want to use the virConnectOpenGraphics API to connect, which should work for spice and vnc alike.
Hi Florian Weimer, I can't reproduce this bug by the steps below. Could you please kindly check my steps? Thanks.
# rpm -qa libvirt virt-manager
libvirt-1.1.1-17.el7.x86_64
virt-manager-0.10.0-9.el7.noarch
1. Log in to the host as root and comment out the following line with vim /etc/libvirt/qemu.conf
   vnc_auto_unix_socket = 1
2. Log in to the host as local user test and launch virt-manager with
   $ virt-manager
   Get an "Authentication Required" window. Type in the root passwd and click Authenticate. Get the guest list in the virt-manager main window.
3. Highlight the guest and try to open the guest in virt-manager.
   Get "Error connecting to graphical console: Error opening socket path '/var/lib/libvirt/qemu/demo.vnc':[Error 13 ] Permission denied"
That last comment should be in the RHEL7 version of this bug; it's not relevant for Fedora.
I'm repurposing this bug to track unix socket support with spice. Once that's available upstream we can have a discussion about changing the default in distros. I think qemu supports spice unix sockets nowadays but I haven't looked at it closely; I think elmarco had patches at one point.
*** Bug 638820 has been marked as a duplicate of this bug. ***
Patches posted upstream: http://www.redhat.com/archives/libvir-list/2016-March/msg00979.html
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Upstream now:
commit e0c309b2dc0655d212fb65e1e7bbc444794759a5
Author: Pavel Hrdina <phrdina>
Date:   Wed Jun 8 15:18:59 2016 +0200

    spice: add support for listen type socket
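An added example, not part of the bug thread or of libvirt's or virt-manager's code: a small audit that reads a domain definition (assumed to be `virsh dumpxml` output) and reports whether each VNC or SPICE console is bound to a UNIX domain socket or still listens on a TCP address that other local users can reach. The sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the bug report).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/demo.spice'/>
    </graphics>
  </devices>
</domain>
"""

def audit_graphics(domain_xml):
    """Return (type, transport, detail) for each VNC/SPICE <graphics> device.

    transport: 'unix' (guarded by file permissions), 'tcp' (address/port
    reachable by any local user) or 'none' (no listener at all).
    """
    findings = []
    root = ET.fromstring(domain_xml)
    for g in root.findall("./devices/graphics"):
        gtype = g.get("type")
        if gtype not in ("vnc", "spice"):
            continue
        listen = g.find("listen")
        ltype = listen.get("type") if listen is not None else None
        if g.get("socket"):          # older VNC form: <graphics socket='...'/>
            findings.append((gtype, "unix", g.get("socket")))
        elif ltype == "socket":      # <listen type='socket' .../>
            findings.append((gtype, "unix", listen.get("socket") or "(auto path)"))
        elif ltype == "none":
            findings.append((gtype, "none", ""))
        else:                        # address/network listen or bare listen= attribute
            addr = listen.get("address") if listen is not None else None
            findings.append((gtype, "tcp", addr or g.get("listen") or "(default)"))
    return findings

def tcp_consoles(domain_xml):
    """Graphics devices still exposed on a TCP listener."""
    return [f for f in audit_graphics(domain_xml) if f[1] == "tcp"]

if __name__ == "__main__":
    for gtype, transport, detail in audit_graphics(SAMPLE_DOMAIN):
        print(f"{gtype}: {transport} {detail}")
```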