[Spice-devel] Virt-viewer single connection

Jonathon Jongsma jjongsma at redhat.com
Thu Oct 4 14:57:51 UTC 2018


On Thu, 2018-10-04 at 07:55 -0300, Ivo Cavalcante wrote:
> Hi people,
> 
> We're trying to implement a standard solution on our company, where
> users who need Windows machines (some legacy software still uses it)
> will have a VM on their workstations, using Libvirt/QEMU/KVM. The
> biggest problem we're seeing so far is that we can't find a way to
> prevent users with root access on the physical machine from "stealing"
> an eventually open Windows session on virt-viewer from the machine
> owners.
> 
> I know, only IT staff will have such privileges, but even then this
> might pose a security threat that should be dealt with. I've looked
> into ticketing, SASL and other things, but failed to find a way to
> definitely avoid this.
> 
> Is there something I'm missing or is this a dead end? We're looking
> primarily at Spice displays 'cause it just works - USB redirection,
> video, audio... Easier than trying to achieve the same using open tools
> and RDP.
> 
> Any help is much appreciated.
> 
> Thanks,
> Ivo Cavalcante
> 


If a determined user has root access on the physical machine, it's
going to be very difficult to prevent them from accessing anything on
that machine. I know there's a way to make spice tickets / passwords
expire after a certain amount of time. For example, there is a QMP
expire_password command. I'm not sure if that's helpful though, because
a user with root access could also potentially use these commands.
Another possibility might be to have the Windows vdagent lock the
Windows account when a client disconnects. This wouldn't prevent
another user from "stealing" the spice session, but it might prevent
them from accessing the user's Windows account within the guest.

Jonathon
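As an added illustration of the QMP approach mentioned in the reply (this is example code, not part of spice, virt-viewer or QEMU), the script below issues a fresh random SPICE ticket to a running guest and makes it expire after a short TTL using the real QMP commands `set_password` and `expire_password`. The QMP socket path, the `demo()` wrapper and the in-process `_fake_qemu` stand-in (a constructed fake of QEMU's monitor so the script runs offline) are assumptions; against a real guest you would point `qmp_session()` at the `-qmp unix:...,server,nowait` socket instead.

```python
"""Hand out a short-lived SPICE ticket over QMP (added example, not project code)."""
import json
import os
import secrets
import socket
import tempfile
import threading


def build_ticket_commands(password, ttl_seconds):
    """Return the QMP command sequence that sets a SPICE ticket and expires it.

    'connected': 'disconnect' drops any client already attached, so a session
    left open cannot be silently taken over while the ticket is rotated.
    'time': '+N' is QMP's "N seconds from now" form for expire_password.
    """
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    return [
        {"execute": "qmp_capabilities"},
        {"execute": "set_password",
         "arguments": {"protocol": "spice", "password": password,
                       "connected": "disconnect"}},
        {"execute": "expire_password",
         "arguments": {"protocol": "spice", "time": f"+{ttl_seconds}"}},
    ]


def check_response(line):
    """Parse one QMP reply line; raise on an error object, return the payload."""
    msg = json.loads(line)
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"QMP {err.get('class')}: {err.get('desc')}")
    if "return" not in msg:
        raise RuntimeError(f"unexpected QMP message: {line!r}")
    return msg["return"]


def qmp_session(sock_path, commands, timeout=5.0):
    """Connect to a QMP UNIX socket, consume the greeting, run commands in order."""
    results = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        with s.makefile("rw", encoding="utf-8") as f:
            greeting = json.loads(f.readline())
            if "QMP" not in greeting:
                raise RuntimeError("not a QMP socket")
            for cmd in commands:
                f.write(json.dumps(cmd) + "\n")
                f.flush()
                while True:  # asynchronous events may interleave; skip them
                    line = f.readline()
                    if not line:
                        raise RuntimeError("QMP connection closed")
                    if "event" in json.loads(line):
                        continue
                    results.append(check_response(line))
                    break
    return results


def _fake_qemu(sock_path, ready, seen):
    """Constructed stand-in for QEMU's QMP monitor so the example runs offline."""
    known = {"qmp_capabilities", "set_password", "expire_password"}
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with srv, conn, conn.makefile("rw", encoding="utf-8") as f:
        f.write(json.dumps({"QMP": {"version": {}, "capabilities": []}}) + "\n")
        f.flush()
        while True:
            line = f.readline()
            if not line:
                break
            cmd = json.loads(line)
            seen.append(cmd)
            if cmd.get("execute") in known:
                reply = {"return": {}}
            else:
                reply = {"error": {"class": "CommandNotFound", "desc": "unknown"}}
            f.write(json.dumps(reply) + "\n")
            f.flush()


def demo(ttl_seconds=60):
    """Rotate the ticket against the fake monitor; returns what both sides saw."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "qmp.sock")  # assumed socket path
    ready, seen = threading.Event(), []
    t = threading.Thread(target=_fake_qemu, args=(path, ready, seen), daemon=True)
    t.start()
    ready.wait(5)
    ticket = secrets.token_urlsafe(16)  # one-time ticket, never reused
    results = qmp_session(path, build_ticket_commands(ticket, ttl_seconds))
    t.join(5)
    os.unlink(path)
    os.rmdir(tmp)
    return {"ticket": ticket, "results": results, "seen": seen}


if __name__ == "__main__":
    print(json.dumps(demo(30)["seen"], indent=1))
```

Rotating the ticket this way only narrows the window in which a captured ticket is useful; as the reply notes, anyone with root on the host can open the same QMP socket and issue the same commands, so the real boundary is host root, not the ticket.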
