On Thu, 2018-10-04 at 07:55 -0300, Ivo Cavalcante wrote: > Hi people, > > We're trying to implement a standard solution on our company, where > users who need Windows machines (some legacy software still uses it) > will have a VM on their workstations, using Libvirt/QEMU/KVM. The > biggest problem we're seeing so far is that we can't find a way to > prevent users with root access on the physical machine from > "stealing" > an eventually open Windows session on virt-viewer from the machine > owners. > > I know, only IT staff will have such privileges, but even then this > might pose a security threat that should be dealt with. I've looked > into ticketing, SASL and other things, but failed to find a way to > definitely avoid this. > > Is there something I'm missing or is this a dead end? We're looking > primarily at Spice displays 'cause it just works - USB redirection, > video, audio... Easier than trying to achieve the same using open > tools > and RDP. > > Any help is much appreciated. > > > > Thanks, > Ivo Cavalcante > If a determined user has root access on the physical machine, it's going to be very difficult to prevent them from accessing anything on that machine. I know there's a way to make spice tickets / passwords expire after a certain amount of time. For example, there is a QMP expire_password command. I'm not sure if that's helpful though, because a user with root access could also potentially use these commands. Another possibility might be to have the windows vdagent lock the windows account when a client disconnects. This wouldn't prevent another user from "stealing" the spice session, but it might prevent them from accessing to the user's windows account within the guest. Jonathon _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel