Commit 06987b1c authored by runge's avatar runge

x11vnc: fix keycode and other remote control actions under

        DIRECT: with an extra XFlush and other safety measures.
        fflush(stderr) much in su_verify.  Make the -unixpw env. vars
        UNIXPW_DISABLE_SSL and UNIXPW_DISABLE_LOCALHOST work correctly.
        Make -loopbg actually imply -bg.
parent d6c012e9
2009-12-18 Karl Runge <runge@karlrunge.com>
* x11vnc: fix keycode and other remote control actions under
DIRECT: with an extra XFlush and other safety measures.
fflush(stderr) much in su_verify. Make the -unixpw env. vars
UNIXPW_DISABLE_SSL and UNIXPW_DISABLE_LOCALHOST work correctly.
Make -loopbg actually imply -bg.
2009-12-15 Karl Runge <runge@karlrunge.com> 2009-12-15 Karl Runge <runge@karlrunge.com>
* x11vnc: X11VNC_REMOTE, X11VNC_TICKER, and VNC_CONNECT properties * x11vnc: X11VNC_REMOTE, X11VNC_TICKER, and VNC_CONNECT properties
names can be changed via env. vars (e.g. for multiple names can be changed via env. vars (e.g. for multiple
......
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -2783,6 +2783,7 @@ void reverse_connect(char *str) { ...@@ -2783,6 +2783,7 @@ void reverse_connect(char *str) {
void set_vnc_connect_prop(char *str) { void set_vnc_connect_prop(char *str) {
RAWFB_RET_VOID RAWFB_RET_VOID
#if !NO_X11 #if !NO_X11
if (vnc_connect_prop == None) return;
XChangeProperty(dpy, rootwin, vnc_connect_prop, XA_STRING, 8, XChangeProperty(dpy, rootwin, vnc_connect_prop, XA_STRING, 8,
PropModeReplace, (unsigned char *)str, strlen(str)); PropModeReplace, (unsigned char *)str, strlen(str));
#else #else
...@@ -2793,6 +2794,7 @@ void set_vnc_connect_prop(char *str) { ...@@ -2793,6 +2794,7 @@ void set_vnc_connect_prop(char *str) {
void set_x11vnc_remote_prop(char *str) { void set_x11vnc_remote_prop(char *str) {
RAWFB_RET_VOID RAWFB_RET_VOID
#if !NO_X11 #if !NO_X11
if (x11vnc_remote_prop == None) return;
XChangeProperty(dpy, rootwin, x11vnc_remote_prop, XA_STRING, 8, XChangeProperty(dpy, rootwin, x11vnc_remote_prop, XA_STRING, 8,
PropModeReplace, (unsigned char *)str, strlen(str)); PropModeReplace, (unsigned char *)str, strlen(str));
#else #else
...@@ -3280,6 +3282,9 @@ int set_xprop(char *prop, Window win, char *value) { ...@@ -3280,6 +3282,9 @@ int set_xprop(char *prop, Window win, char *value) {
win = rootwin; win = rootwin;
} }
aprop = XInternAtom(dpy, prop, False); aprop = XInternAtom(dpy, prop, False);
if (aprop == None) {
return rc;
}
rc = XChangeProperty(dpy, win, aprop, XA_STRING, 8, rc = XChangeProperty(dpy, win, aprop, XA_STRING, 8,
PropModeReplace, (unsigned char *)value, strlen(value)); PropModeReplace, (unsigned char *)value, strlen(value));
return rc; return rc;
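Review bot: In set_xprop the new `if (aprop == None)` branch returns `rc` without assigning it, so what the caller sees depends on an initialiser that lies outside this hunk. If that initial value is not the function's failure value, a caller cannot tell a skipped property write from a completed one. Returning an explicit failure value there, with a comment such as `/* no atom: property was not written */`, would make the contract visible. The new guards in set_vnc_connect_prop and set_x11vnc_remote_prop also return silently; a one-line comment such as `/* property atom not set up, nothing to publish */` would record why dropping the string is acceptable.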
......
...@@ -913,20 +913,24 @@ void print_help(int mode) { ...@@ -913,20 +913,24 @@ void print_help(int mode) {
" environment variables before starting x11vnc:\n" " environment variables before starting x11vnc:\n"
"\n" "\n"
" Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n" " Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n"
" -ssl or -stunnel. Evidently you will be using a\n" " -ssl or -stunnel (as under SSH_CONNECTION.) Evidently\n"
" different method to encrypt the data between the\n" " you will be using a different method to encrypt the\n"
" vncviewer and x11vnc: perhaps ssh(1) or an IPSEC VPN.\n" " data between the vncviewer and x11vnc: perhaps ssh(1)\n"
"\n" " or an IPSEC VPN. -localhost is still enforced (however,\n"
" Note that use of -localhost with ssh(1) is roughly\n" " see the next paragraph.)\n"
" the same as requiring a Unix user login (since a Unix\n"
" password or the user's public key authentication is\n"
" used by sshd on the machine where x11vnc runs and only\n"
" local connections from that machine are accepted).\n"
"\n" "\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement in Method 2). One should never do this\n" " requirement in -unixpw modes. One should never do this\n"
" (i.e. allow the Unix passwords to be sniffed on the\n" " (i.e. allow the Unix passwords to be sniffed on the\n"
" network.)\n" " network.) This also disables the localhost requirement\n"
" for reverse connections (see below.)\n"
"\n"
" Note that use of -localhost with ssh(1) (and no -unixpw)\n"
" is roughly the same as requiring a Unix user login\n"
" (since a Unix password or the user's public key\n"
" authentication is used by sshd on the machine where\n"
" x11vnc runs and only local connections from that machine\n"
" are accepted).\n"
"\n" "\n"
" Regarding reverse connections (e.g. -R connect:host\n" " Regarding reverse connections (e.g. -R connect:host\n"
" and -connect host), when the -localhost constraint is\n" " and -connect host), when the -localhost constraint is\n"
......
...@@ -4176,6 +4176,7 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -4176,6 +4176,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
} else { } else {
XTestFakeKeyEvent_wr(dpy, kc, down, CurrentTime); XTestFakeKeyEvent_wr(dpy, kc, down, CurrentTime);
} }
XFlush_wr(dpy);
X_UNLOCK; X_UNLOCK;
} }
goto done; goto done;
...@@ -4243,6 +4244,7 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -4243,6 +4244,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
X_LOCK; X_LOCK;
rfbLog("remote_cmd: XTestFakeButtonEvent(mb=%d, down=%d)\n", mb, down); rfbLog("remote_cmd: XTestFakeButtonEvent(mb=%d, down=%d)\n", mb, down);
XTestFakeButtonEvent_wr(dpy, mb, down ? True : False, CurrentTime); XTestFakeButtonEvent_wr(dpy, mb, down ? True : False, CurrentTime);
XFlush_wr(dpy);
X_UNLOCK; X_UNLOCK;
} }
......
...@@ -960,6 +960,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -960,6 +960,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
first = 0; first = 0;
} }
rfbLog("su_verify: '%s' for %s.\n", user, cmd ? "command" : "login"); rfbLog("su_verify: '%s' for %s.\n", user, cmd ? "command" : "login");
fflush(stderr);
if (! scheck(user, 100, "username")) { if (! scheck(user, 100, "username")) {
return 0; return 0;
...@@ -992,6 +993,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -992,6 +993,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
} }
if (bin_su == NULL) { if (bin_su == NULL) {
rfbLogPerror("existence /bin/su"); rfbLogPerror("existence /bin/su");
fflush(stderr);
return 0; return 0;
} }
...@@ -1006,6 +1008,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -1006,6 +1008,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
} }
if (bin_true == NULL) { if (bin_true == NULL) {
rfbLogPerror("existence /bin/true"); rfbLogPerror("existence /bin/true");
fflush(stderr);
return 0; return 0;
} }
...@@ -1013,6 +1016,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -1013,6 +1016,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
if (slave == NULL) { if (slave == NULL) {
rfbLogPerror("get_pty failed."); rfbLogPerror("get_pty failed.");
fflush(stderr);
return 0; return 0;
} }
...@@ -1021,6 +1025,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -1021,6 +1025,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
if (fd < 0) { if (fd < 0) {
rfbLogPerror("get_pty fd < 0"); rfbLogPerror("get_pty fd < 0");
fflush(stderr);
return 0; return 0;
} }
...@@ -1029,6 +1034,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -1029,6 +1034,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
pid = fork(); pid = fork();
if (pid < 0) { if (pid < 0) {
rfbLogPerror("fork"); rfbLogPerror("fork");
fflush(stderr);
close(fd); close(fd);
return 0; return 0;
} }
...@@ -1248,6 +1254,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int ...@@ -1248,6 +1254,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
} }
if (j >= 32-1) { if (j >= 32-1) {
rfbLog("su_verify: problem finding Password:\n"); rfbLog("su_verify: problem finding Password:\n");
fflush(stderr);
return 0; return 0;
} }
instr[j++] = tolower((unsigned char)cbuf[0]); instr[j++] = tolower((unsigned char)cbuf[0]);
...@@ -1399,10 +1406,12 @@ int unixpw_verify(char *user, char *pass) { ...@@ -1399,10 +1406,12 @@ int unixpw_verify(char *user, char *pass) {
if (cmd_verify(user, pass)) { if (cmd_verify(user, pass)) {
rfbLog("unixpw_verify: cmd_verify login for '%s'" rfbLog("unixpw_verify: cmd_verify login for '%s'"
" succeeded.\n", user); " succeeded.\n", user);
fflush(stderr);
ok = 1; ok = 1;
} else { } else {
rfbLog("unixpw_verify: cmd_verify login for '%s'" rfbLog("unixpw_verify: cmd_verify login for '%s'"
" failed.\n", user); " failed.\n", user);
fflush(stderr);
usleep(3000*1000); usleep(3000*1000);
ok = 0; ok = 0;
} }
...@@ -1410,10 +1419,12 @@ int unixpw_verify(char *user, char *pass) { ...@@ -1410,10 +1419,12 @@ int unixpw_verify(char *user, char *pass) {
if (crypt_verify(user, pass)) { if (crypt_verify(user, pass)) {
rfbLog("unixpw_verify: crypt_verify login for '%s'" rfbLog("unixpw_verify: crypt_verify login for '%s'"
" succeeded.\n", user); " succeeded.\n", user);
fflush(stderr);
ok = 1; ok = 1;
} else { } else {
rfbLog("unixpw_verify: crypt_verify login for '%s'" rfbLog("unixpw_verify: crypt_verify login for '%s'"
" failed.\n", user); " failed.\n", user);
fflush(stderr);
usleep(3000*1000); usleep(3000*1000);
ok = 0; ok = 0;
} }
...@@ -1421,10 +1432,12 @@ int unixpw_verify(char *user, char *pass) { ...@@ -1421,10 +1432,12 @@ int unixpw_verify(char *user, char *pass) {
if (su_verify(user, pass, NULL, NULL, NULL, 1)) { if (su_verify(user, pass, NULL, NULL, NULL, 1)) {
rfbLog("unixpw_verify: su_verify login for '%s'" rfbLog("unixpw_verify: su_verify login for '%s'"
" succeeded.\n", user); " succeeded.\n", user);
fflush(stderr);
ok = 1; ok = 1;
} else { } else {
rfbLog("unixpw_verify: su_verify login for '%s'" rfbLog("unixpw_verify: su_verify login for '%s'"
" failed.\n", user); " failed.\n", user);
fflush(stderr);
/* use su(1)'s sleep */ /* use su(1)'s sleep */
ok = 0; ok = 0;
} }
...@@ -1451,6 +1464,7 @@ if (db) fprintf(stderr, "unixpw_verify: '%s' '%s'\n", user, db > 1 ? pass : "*** ...@@ -1451,6 +1464,7 @@ if (db) fprintf(stderr, "unixpw_verify: '%s' '%s'\n", user, db > 1 ? pass : "***
*colon = '\0'; *colon = '\0';
rfbLog("unixpw_verify: colon: '%s'\n", user); rfbLog("unixpw_verify: colon: '%s'\n", user);
} }
fflush(stderr);
if (unixpw_client) { if (unixpw_client) {
cd = (ClientData *) unixpw_client->clientData; cd = (ClientData *) unixpw_client->clientData;
if (cd) { if (cd) {
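Review bot: In su_verify the client-supplied `user` string is written by `rfbLog("su_verify: '%s' for %s.\n", user, ...)` and now flushed straight away, before `scheck(user, 100, "username")` runs on the following line. If scheck is what rejects over-long or non-printable names (its body is not shown here), an unauthenticated client can put control characters or line breaks into the log. Moving the rfbLog/fflush pair below the scheck call avoids that. The `rfbLog("unixpw_verify: colon: '%s'\n", user)` line in the last hunk deserves the same look, since no validation of `user` is visible before it. Separately, the log-then-`fflush(stderr)` pair is now repeated more than a dozen times across su_verify and unixpw_verify; a small static wrapper that logs and flushes would keep the call sites from drifting apart.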
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
.TH X11VNC "1" "December 2009" "x11vnc " "User Commands" .TH X11VNC "1" "December 2009" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.9.9, lastmod: 2009-12-14 version: 0.9.9, lastmod: 2009-12-17
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
...@@ -1006,24 +1006,27 @@ To override the above restrictions you can set ...@@ -1006,24 +1006,27 @@ To override the above restrictions you can set
environment variables before starting x11vnc: environment variables before starting x11vnc:
.IP .IP
Set UNIXPW_DISABLE_SSL=1 to disable requiring either Set UNIXPW_DISABLE_SSL=1 to disable requiring either
\fB-ssl\fR or \fB-stunnel.\fR Evidently you will be using a \fB-ssl\fR or \fB-stunnel\fR (as under SSH_CONNECTION.) Evidently
different method to encrypt the data between the you will be using a different method to encrypt the
vncviewer and x11vnc: perhaps data between the vncviewer and x11vnc: perhaps
.IR ssh (1) .IR ssh (1)
or an IPSEC VPN. or an IPSEC VPN. \fB-localhost\fR is still enforced (however,
.IP see the next paragraph.)
Note that use of \fB-localhost\fR with
.IR ssh (1)
is roughly
the same as requiring a Unix user login (since a Unix
password or the user's public key authentication is
used by sshd on the machine where x11vnc runs and only
local connections from that machine are accepted).
.IP .IP
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
requirement in Method 2). One should never do this requirement in \fB-unixpw\fR modes. One should never do this
(i.e. allow the Unix passwords to be sniffed on the (i.e. allow the Unix passwords to be sniffed on the
network.) network.) This also disables the localhost requirement
for reverse connections (see below.)
.IP
Note that use of \fB-localhost\fR with
.IR ssh (1)
(and no \fB-unixpw)\fR
is roughly the same as requiring a Unix user login
(since a Unix password or the user's public key
authentication is used by sshd on the machine where
x11vnc runs and only local connections from that machine
are accepted).
.IP .IP
Regarding reverse connections (e.g. \fB-R\fR connect:host Regarding reverse connections (e.g. \fB-R\fR connect:host
and \fB-connect\fR host), when the \fB-localhost\fR constraint is and \fB-connect\fR host), when the \fB-localhost\fR constraint is
......
...@@ -4093,6 +4093,12 @@ int main(int argc, char* argv[]) { ...@@ -4093,6 +4093,12 @@ int main(int argc, char* argv[]) {
"mode\n"); "mode\n");
} }
bg = 0; bg = 0;
} else if (!bg && getenv("X11VNC_LOOP_MODE_BG")) {
if (! quiet) {
fprintf(stderr, "enabling -bg in -loopbg "
"mode\n");
}
bg = 1;
} }
if (inetd) { if (inetd) {
if (! quiet) { if (! quiet) {
...@@ -4591,10 +4597,18 @@ int main(int argc, char* argv[]) { ...@@ -4591,10 +4597,18 @@ int main(int argc, char* argv[]) {
use_stunnel = 0; use_stunnel = 0;
} }
if (! use_stunnel && ! use_openssl) { if (! use_stunnel && ! use_openssl) {
if (getenv("UNIXPW_DISABLE_LOCALHOST")) { if (getenv("UNIXPW_DISABLE_SSL")) {
rfbLog("Skipping -ssl/-stunnel requirement" rfbLog("Skipping -ssl/-stunnel requirement"
" due to\n"); " due to\n");
rfbLog("UNIXPW_DISABLE_LOCALHOST setting.\n"); rfbLog("UNIXPW_DISABLE_SSL setting.\n");
if (!getenv("UNIXPW_DISABLE_LOCALHOST")) {
if (!got_localhost) {
rfbLog("Forcing -localhost mode.\n");
}
allow_list = strdup("127.0.0.1");
got_localhost = 1;
}
} else if (have_ssh_env()) { } else if (have_ssh_env()) {
char *s = getenv("SSH_CONNECTION"); char *s = getenv("SSH_CONNECTION");
if (! s) s = getenv("SSH_CLIENT"); if (! s) s = getenv("SSH_CLIENT");
...@@ -4605,13 +4619,18 @@ int main(int argc, char* argv[]) { ...@@ -4605,13 +4619,18 @@ int main(int argc, char* argv[]) {
rfbLog("assuming your SSH encryption" rfbLog("assuming your SSH encryption"
" is:\n"); " is:\n");
rfbLog(" %s\n", s); rfbLog(" %s\n", s);
rfbLog("Setting -localhost in SSH + -unixpw"
" mode.\n"); if (!getenv("UNIXPW_DISABLE_LOCALHOST")) {
if (!got_localhost) {
rfbLog("Setting -localhost in SSH + -unixpw mode.\n");
}
allow_list = strdup("127.0.0.1");
got_localhost = 1;
}
rfbLog("If you *actually* want SSL, restart" rfbLog("If you *actually* want SSL, restart"
" with -ssl on the cmdline\n"); " with -ssl on the cmdline\n");
fprintf(stderr, "\n"); fprintf(stderr, "\n");
allow_list = strdup("127.0.0.1");
got_localhost = 1;
if (! nopw) { if (! nopw) {
usleep(2000*1000); usleep(2000*1000);
} }
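Review bot: `getenv("UNIXPW_DISABLE_SSL")` and `getenv("UNIXPW_DISABLE_LOCALHOST")` are tested for presence only, so `UNIXPW_DISABLE_SSL=0` or an empty value still switches off the -ssl/-stunnel requirement, while the help text in this commit documents `=1`. Because these variables remove the protections around Unix passwords, comparing the value is the safer reading, e.g. `char *e = getenv("UNIXPW_DISABLE_SSL"); if (e && !strcmp(e, "1")) {`. In both new blocks `allow_list = strdup("127.0.0.1");` overwrites the previous pointer without freeing it and the strdup result is not checked. Whether an earlier allow list can exist at this point is not visible in the hunks, and main() continues outside both of them.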
......
...@@ -47,7 +47,7 @@ int xtrap_base_event_type = 0; ...@@ -47,7 +47,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.9.9 lastmod: 2009-12-14"; char lastmod[] = "0.9.9 lastmod: 2009-12-17";
/* X display info */ /* X display info */
......