Commit 06987b1c authored by runge's avatar runge

x11vnc: fix keycode and other remote control actions under

        DIRECT: with an extra XFlush and other safety measures.
        fflush(stderr) much in su_verify.  Make the -unixpw env. vars
        UNIXPW_DISABLE_SSL and UNIXPW_DISABLE_LOCALHOST work correctly.
        Make -loopbg actually imply -bg.
parent d6c012e9
2009-12-18 Karl Runge <runge@karlrunge.com>
* x11vnc: fix keycode and other remote control actions under
DIRECT: with an extra XFlush and other safety measures.
fflush(stderr) much in su_verify. Make the -unixpw env. vars
UNIXPW_DISABLE_SSL and UNIXPW_DISABLE_LOCALHOST work correctly.
Make -loopbg actually imply -bg.
2009-12-15 Karl Runge <runge@karlrunge.com>
* x11vnc: X11VNC_REMOTE, X11VNC_TICKER, and VNC_CONNECT properties
names can be changed via env. vars (e.g. for multiple
......
......@@ -2783,6 +2783,7 @@ void reverse_connect(char *str) {
void set_vnc_connect_prop(char *str) {
RAWFB_RET_VOID
#if !NO_X11
if (vnc_connect_prop == None) return;
XChangeProperty(dpy, rootwin, vnc_connect_prop, XA_STRING, 8,
PropModeReplace, (unsigned char *)str, strlen(str));
#else
......@@ -2793,6 +2794,7 @@ void set_vnc_connect_prop(char *str) {
void set_x11vnc_remote_prop(char *str) {
RAWFB_RET_VOID
#if !NO_X11
if (x11vnc_remote_prop == None) return;
XChangeProperty(dpy, rootwin, x11vnc_remote_prop, XA_STRING, 8,
PropModeReplace, (unsigned char *)str, strlen(str));
#else
......@@ -3280,6 +3282,9 @@ int set_xprop(char *prop, Window win, char *value) {
win = rootwin;
}
aprop = XInternAtom(dpy, prop, False);
if (aprop == None) {
return rc;
}
rc = XChangeProperty(dpy, win, aprop, XA_STRING, 8,
PropModeReplace, (unsigned char *)value, strlen(value));
return rc;
......
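Review bot: The `== None` guards (apparently what these hunks add) cover the atom but not the string: in `set_vnc_connect_prop`, `set_x11vnc_remote_prop` and `set_xprop` the pointer still goes straight into `strlen()` inside the `XChangeProperty` call, so a NULL `str` or `value` would be dereferenced. Whether any caller can pass NULL is not visible in these hunks. If one can, a matching guard next to the atom check, such as `if (str == NULL) return;` (and `if (value == NULL) return rc;` in `set_xprop`), would close it. All three function bodies continue outside the hunks shown.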
......@@ -913,20 +913,24 @@ void print_help(int mode) {
" environment variables before starting x11vnc:\n"
"\n"
" Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n"
" -ssl or -stunnel. Evidently you will be using a\n"
" different method to encrypt the data between the\n"
" vncviewer and x11vnc: perhaps ssh(1) or an IPSEC VPN.\n"
"\n"
" Note that use of -localhost with ssh(1) is roughly\n"
" the same as requiring a Unix user login (since a Unix\n"
" password or the user's public key authentication is\n"
" used by sshd on the machine where x11vnc runs and only\n"
" local connections from that machine are accepted).\n"
" -ssl or -stunnel (as under SSH_CONNECTION.) Evidently\n"
" you will be using a different method to encrypt the\n"
" data between the vncviewer and x11vnc: perhaps ssh(1)\n"
" or an IPSEC VPN. -localhost is still enforced (however,\n"
" see the next paragraph.)\n"
"\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement in Method 2). One should never do this\n"
" requirement in -unixpw modes. One should never do this\n"
" (i.e. allow the Unix passwords to be sniffed on the\n"
" network.)\n"
" network.) This also disables the localhost requirement\n"
" for reverse connections (see below.)\n"
"\n"
" Note that use of -localhost with ssh(1) (and no -unixpw)\n"
" is roughly the same as requiring a Unix user login\n"
" (since a Unix password or the user's public key\n"
" authentication is used by sshd on the machine where\n"
" x11vnc runs and only local connections from that machine\n"
" are accepted).\n"
"\n"
" Regarding reverse connections (e.g. -R connect:host\n"
" and -connect host), when the -localhost constraint is\n"
......
......@@ -4176,6 +4176,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
} else {
XTestFakeKeyEvent_wr(dpy, kc, down, CurrentTime);
}
XFlush_wr(dpy);
X_UNLOCK;
}
goto done;
......@@ -4243,6 +4244,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
X_LOCK;
rfbLog("remote_cmd: XTestFakeButtonEvent(mb=%d, down=%d)\n", mb, down);
XTestFakeButtonEvent_wr(dpy, mb, down ? True : False, CurrentTime);
XFlush_wr(dpy);
X_UNLOCK;
}
......
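Review bot: The two `XFlush_wr(dpy)` calls after `XTestFakeKeyEvent_wr` and `XTestFakeButtonEvent_wr` carry no comment, and the reason for them is recorded only in the commit message. A one-line comment at each call, e.g. `/* flush now so the fake event is delivered under DIRECT: */`, would keep a later cleanup from removing them as redundant. `process_remote_cmd` starts and ends outside both hunks.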
......@@ -960,6 +960,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
first = 0;
}
rfbLog("su_verify: '%s' for %s.\n", user, cmd ? "command" : "login");
fflush(stderr);
if (! scheck(user, 100, "username")) {
return 0;
......@@ -992,6 +993,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
}
if (bin_su == NULL) {
rfbLogPerror("existence /bin/su");
fflush(stderr);
return 0;
}
......@@ -1006,6 +1008,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
}
if (bin_true == NULL) {
rfbLogPerror("existence /bin/true");
fflush(stderr);
return 0;
}
......@@ -1013,6 +1016,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
if (slave == NULL) {
rfbLogPerror("get_pty failed.");
fflush(stderr);
return 0;
}
......@@ -1021,6 +1025,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
if (fd < 0) {
rfbLogPerror("get_pty fd < 0");
fflush(stderr);
return 0;
}
......@@ -1029,6 +1034,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
pid = fork();
if (pid < 0) {
rfbLogPerror("fork");
fflush(stderr);
close(fd);
return 0;
}
......@@ -1248,6 +1254,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
}
if (j >= 32-1) {
rfbLog("su_verify: problem finding Password:\n");
fflush(stderr);
return 0;
}
instr[j++] = tolower((unsigned char)cbuf[0]);
......@@ -1399,10 +1406,12 @@ int unixpw_verify(char *user, char *pass) {
if (cmd_verify(user, pass)) {
rfbLog("unixpw_verify: cmd_verify login for '%s'"
" succeeded.\n", user);
fflush(stderr);
ok = 1;
} else {
rfbLog("unixpw_verify: cmd_verify login for '%s'"
" failed.\n", user);
fflush(stderr);
usleep(3000*1000);
ok = 0;
}
......@@ -1410,10 +1419,12 @@ int unixpw_verify(char *user, char *pass) {
if (crypt_verify(user, pass)) {
rfbLog("unixpw_verify: crypt_verify login for '%s'"
" succeeded.\n", user);
fflush(stderr);
ok = 1;
} else {
rfbLog("unixpw_verify: crypt_verify login for '%s'"
" failed.\n", user);
fflush(stderr);
usleep(3000*1000);
ok = 0;
}
......@@ -1421,10 +1432,12 @@ int unixpw_verify(char *user, char *pass) {
if (su_verify(user, pass, NULL, NULL, NULL, 1)) {
rfbLog("unixpw_verify: su_verify login for '%s'"
" succeeded.\n", user);
fflush(stderr);
ok = 1;
} else {
rfbLog("unixpw_verify: su_verify login for '%s'"
" failed.\n", user);
fflush(stderr);
/* use su(1)'s sleep */
ok = 0;
}
......@@ -1451,6 +1464,7 @@ if (db) fprintf(stderr, "unixpw_verify: '%s' '%s'\n", user, db > 1 ? pass : "***
*colon = '\0';
rfbLog("unixpw_verify: colon: '%s'\n", user);
}
fflush(stderr);
if (unixpw_client) {
cd = (ClientData *) unixpw_client->clientData;
if (cd) {
......
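Review bot: In `su_verify` the call `rfbLog("su_verify: '%s' for %s.\n", user, ...)` runs before `scheck(user, 100, "username")`, so a username that `scheck` would reject is still written to the log, and the following `fflush(stderr)` pushes it out immediately. What `scheck` filters is not visible here, but if it is the check that rejects over-long or non-printable names, moving the log call below it keeps rejected input out of the log. The `unixpw_verify` hunks log `user` with the same `'%s'` pattern, so it is worth confirming that the name has been checked before those lines are reached. Both functions continue outside the hunks.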
......@@ -2,7 +2,7 @@
.TH X11VNC "1" "December 2009" "x11vnc " "User Commands"
.SH NAME
x11vnc - allow VNC connections to real X11 displays
version: 0.9.9, lastmod: 2009-12-14
version: 0.9.9, lastmod: 2009-12-17
.SH SYNOPSIS
.B x11vnc
[OPTION]...
......@@ -1006,24 +1006,27 @@ To override the above restrictions you can set
environment variables before starting x11vnc:
.IP
Set UNIXPW_DISABLE_SSL=1 to disable requiring either
\fB-ssl\fR or \fB-stunnel.\fR Evidently you will be using a
different method to encrypt the data between the
vncviewer and x11vnc: perhaps
\fB-ssl\fR or \fB-stunnel\fR (as under SSH_CONNECTION.) Evidently
you will be using a different method to encrypt the
data between the vncviewer and x11vnc: perhaps
.IR ssh (1)
or an IPSEC VPN.
.IP
Note that use of \fB-localhost\fR with
.IR ssh (1)
is roughly
the same as requiring a Unix user login (since a Unix
password or the user's public key authentication is
used by sshd on the machine where x11vnc runs and only
local connections from that machine are accepted).
or an IPSEC VPN. \fB-localhost\fR is still enforced (however,
see the next paragraph.)
.IP
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
requirement in Method 2). One should never do this
requirement in \fB-unixpw\fR modes. One should never do this
(i.e. allow the Unix passwords to be sniffed on the
network.)
network.) This also disables the localhost requirement
for reverse connections (see below.)
.IP
Note that use of \fB-localhost\fR with
.IR ssh (1)
(and no \fB-unixpw)\fR
is roughly the same as requiring a Unix user login
(since a Unix password or the user's public key
authentication is used by sshd on the machine where
x11vnc runs and only local connections from that machine
are accepted).
.IP
Regarding reverse connections (e.g. \fB-R\fR connect:host
and \fB-connect\fR host), when the \fB-localhost\fR constraint is
......
......@@ -4093,6 +4093,12 @@ int main(int argc, char* argv[]) {
"mode\n");
}
bg = 0;
} else if (!bg && getenv("X11VNC_LOOP_MODE_BG")) {
if (! quiet) {
fprintf(stderr, "enabling -bg in -loopbg "
"mode\n");
}
bg = 1;
}
if (inetd) {
if (! quiet) {
......@@ -4591,10 +4597,18 @@ int main(int argc, char* argv[]) {
use_stunnel = 0;
}
if (! use_stunnel && ! use_openssl) {
if (getenv("UNIXPW_DISABLE_LOCALHOST")) {
if (getenv("UNIXPW_DISABLE_SSL")) {
rfbLog("Skipping -ssl/-stunnel requirement"
" due to\n");
rfbLog("UNIXPW_DISABLE_LOCALHOST setting.\n");
rfbLog("UNIXPW_DISABLE_SSL setting.\n");
if (!getenv("UNIXPW_DISABLE_LOCALHOST")) {
if (!got_localhost) {
rfbLog("Forcing -localhost mode.\n");
}
allow_list = strdup("127.0.0.1");
got_localhost = 1;
}
} else if (have_ssh_env()) {
char *s = getenv("SSH_CONNECTION");
if (! s) s = getenv("SSH_CLIENT");
......@@ -4605,13 +4619,18 @@ int main(int argc, char* argv[]) {
rfbLog("assuming your SSH encryption"
" is:\n");
rfbLog(" %s\n", s);
rfbLog("Setting -localhost in SSH + -unixpw"
" mode.\n");
if (!getenv("UNIXPW_DISABLE_LOCALHOST")) {
if (!got_localhost) {
rfbLog("Setting -localhost in SSH + -unixpw mode.\n");
}
allow_list = strdup("127.0.0.1");
got_localhost = 1;
}
rfbLog("If you *actually* want SSL, restart"
" with -ssl on the cmdline\n");
fprintf(stderr, "\n");
allow_list = strdup("127.0.0.1");
got_localhost = 1;
if (! nopw) {
usleep(2000*1000);
}
......
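Review bot: `getenv("UNIXPW_DISABLE_SSL")` and `getenv("UNIXPW_DISABLE_LOCALHOST")` are tested for presence only, so `UNIXPW_DISABLE_SSL=0` or an empty value also drops the -ssl/-stunnel requirement, while the help text documents `=1`. Since these switches remove protections for Unix passwords, comparing the value is safer, e.g. `char *e = getenv("UNIXPW_DISABLE_SSL"); if (e && !strcmp(e, "1")) {`. When both variables are set, the branch logs only the skipped SSL requirement; an extra `rfbLog("WARNING: -localhost not enforced; passwords may cross the network unencrypted.\n");` there would make that state visible in the log. `main` starts and ends outside these hunks.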
......@@ -47,7 +47,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.9 lastmod: 2009-12-14";
char lastmod[] = "0.9.9 lastmod: 2009-12-17";
/* X display info */
......