[GH-ISSUE #95] vnc listens on 0.0.0.0 #66

New issue

Closed

opened 2026-02-27 15:57:12 +03:00 by kerem · 2 comments

kerem commented

2026-02-27 15:57:12 +03:00

Owner

Originally created by @xdtianyu on GitHub (Mar 21, 2016).
Original GitHub issue: https://github.com/retspen/webvirtcloud/issues/95

Machines created by webvirtcloud and webvirtmgr is setting vnc listen on 0.0.0.0, I think it's not safe.

I have modified vrtManager/create.py from

<graphics type='%s' port='-1' autoport='yes' listen='0.0.0.0'>
    <listen type='address' address='0.0.0.0'/>
</graphics>

<graphics type='%s' port='-1' autoport='yes'/>

But it seems noVnc is not working with vnc listen on 127.0.0.1, I'm using socket connection, so I modified console/webvirtmgr-console and console/novncd from

elif console_socket or re.match('^127\.', console_host):

elif console_socket or (re.match('^127\.', console_host) and conntype != CONN_SOCKET):

and everything works fine. Is this a bug or something designed on purpose?

Originally created by @xdtianyu on GitHub (Mar 21, 2016). Original GitHub issue: https://github.com/retspen/webvirtcloud/issues/95 Machines created by `webvirtcloud` and `webvirtmgr` is setting `vnc` listen on `0.0.0.0`, I think it's not safe. I have modified `vrtManager/create.py` from ``` <graphics type='%s' port='-1' autoport='yes' listen='0.0.0.0'> <listen type='address' address='0.0.0.0'/> </graphics> ``` to ``` <graphics type='%s' port='-1' autoport='yes'/> ``` But it seems `noVnc` is not working with `vnc` listen on `127.0.0.1`, I'm using socket connection, so I modified `console/webvirtmgr-console` and `console/novncd` from ``` elif console_socket or re.match('^127\.', console_host): ``` to ``` elif console_socket or (re.match('^127\.', console_host) and conntype != CONN_SOCKET): ``` and everything works fine. Is this a bug or something designed on purpose?

kerem closed this issue

2026-02-27 15:57:12 +03:00

kerem commented

2026-02-27 15:57:12 +03:00

Author

Owner

@nitmir commented on GitHub (May 3, 2016):

The main problem I tkink is that there is no VNC password by default, so anyone can connect to the VM VNC.
As long that no password is defined for the VNC connection, I think VNC should only listen locally and preferably to a unix socket where only novnc console (with token auth) has access.

If the user set a VNC password later, then webvirtcloud or webvirtmgr can bind VNC to 0.0.0.0.

@nitmir commented on GitHub (May 3, 2016): The main problem I tkink is that there is no VNC password by default, so anyone can connect to the VM VNC. As long that no password is defined for the VNC connection, I think VNC should only listen locally and preferably to a unix socket where only novnc console (with token auth) has access. If the user set a VNC password later, then `webvirtcloud` or `webvirtmgr` can bind VNC to 0.0.0.0.

kerem commented

2026-02-27 15:57:12 +03:00

Author

Owner

@nitmir commented on GitHub (May 8, 2016):

Hum, I think that the best solution is maybe to add a field vnc_default_bind_address to the model class Compute with default value 0.0.0.0 for TCP and TLS connections and 127.0.0.1 with SSH connection and Local Socket, and let users choose their default bind address on a by hypervisor basis.

Any thought ?

@nitmir commented on GitHub (May 8, 2016): Hum, I think that the best solution is maybe to add a field `vnc_default_bind_address` to the model class `Compute` with default value `0.0.0.0` for TCP and TLS connections and `127.0.0.1` with SSH connection and Local Socket, and let users choose their default bind address on a by hypervisor basis. Any thought ?

kerem referenced this issue

2026-02-27 15:58:38 +03:00

[PR #66] [MERGED] Update README.md #410