Re: [libvirt] Question about LSN-2016-0001
On Fri, Jul 29, 2016 at 02:16:16PM -0600, Jim Fehlig wrote:
I've noticed the behavior described by this LSN with libvirt+Xen.
Config
containing <graphics type='vnc' passwd=''/> allows any client to
connect with no authentication check. I asked about this on the Xen security
list and was told that "libxl interprets an empty password in the caller's
configuration to mean that passwordless access should be permitted". The libvirt
domXML docs are not clear on semantics of empty vnc password, only stating "The
passwd attribute provides a VNC password in clear text".
Should the libvirt domXML vnc passwd documentation be amended to define the
semantics of an empty string in the passwd attribute? Is the behavior
hypervisor-dependent as the documentation in qemu.conf suggests?
I guess we've never clarified the semantics in any cross-hypervisor
manner. I think the fixed QEMU behaviour is the most sane from a
portability POV - the Xen (and broken QEMU) behaviour was effectively
overloading 2 settings onto one attribute. ie it was (ab)using a zero
length password as a way to change the authentication method. We should
always have distinct XML attributes for distinct settings. IOW, any toggle
betweeen password and no-auth should an explicit setting and a zero length
password should not magically change that.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|