x11vnc: clear DISPLAY for -unixpw su_verify, user supplied sig ignore.

libvncserver/rfbserver.c

@@ -2971,9 +2971,9 @@ rfbSendNewFBSize(rfbClientPtr cl,
     }
 
     if (cl->PalmVNC==TRUE)
-        rfbLog("Sending a rfbEncodingNewFBSize in response to a PalmVNC  style frameuffer resize request (%dx%d)\n", w, h);
+        rfbLog("Sending rfbEncodingNewFBSize in response to a PalmVNC style framebuffer resize (%dx%d)\n", w, h);
     else
-        rfbLog("Sending a rfbEncodingNewFBSize in response to a UltraVNC style frameuffer resize request (%dx%d)\n", w, h);
+        rfbLog("Sending rfbEncodingNewFBSize for resize to (%dx%d)\n", w, h);
 
     rect.encoding = Swap32IfLE(rfbEncodingNewFBSize);
     rect.r.x = 0;

x11vnc/ChangeLog

+2006-09-15  Karl Runge <runge@karlrunge.com>
+	* x11vnc: allow user set signals to ignore, clear DISPLAY in 
+	  -unixpw su_verify. -rawfb none same as null. 
+	* rfbserver.c: shorten rfbEncodingNewFBSize message.
+
 2006-09-13  Karl Runge <runge@karlrunge.com>
 	* x11vnc: document 'ssh -t' improved keyboard response.  add
 	  extra rfbPE() around keystrokes. 

x11vnc/README

 
-x11vnc README file                         Date: Wed Sep 13 21:30:41 EDT 2006
+x11vnc README file                         Date: Fri Sep 15 11:12:28 EDT 2006
 
 The following information is taken from these URLs:
 
@@ -8061,7 +8061,7 @@ x11vnc: a VNC server for real X displays
    Here are all of x11vnc command line options:
 % x11vnc -opts      (see below for -help long descriptions)
 
-x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-13
+x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-15
 
 x11vnc options:
   -display disp            -auth file               -id windowid           
@@ -8160,7 +8160,7 @@ libvncserver-tight-extension options:
 
 % x11vnc -help
 
-x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-13
+x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-15
 
 (type "x11vnc -opts" to just list the options.)
 
@@ -8713,20 +8713,31 @@ Options:
 
 -unixpw_nis [list]     As -unixpw above, however do not use su(1) but rather
                        use the traditional getpwnam(3) + crypt(3) method to
-                       verify passwords instead.  This requires that the
-                       encrypted passwords be readable.  Passwords stored
-                       in /etc/shadow will be inaccessible unless x11vnc
-                       is run as root.
+                       verify passwords. All of the above -unixpw options and
+                       contraints apply.
+
+                       This mode requires that the encrypted passwords be
+                       readable.  Encrypted passwords stored in /etc/shadow
+                       will be inaccessible unless x11vnc is run as root.
 
                        This is called "NIS" mode simply because in most
-                       NIS setups the user encrypted passwords are accessible
-                       (e.g. "ypcat passwd").  NIS is not required for this
-                       mode to work (only that getpwnam(3) return the encrypted
-                       password is required), but it is unlikely it will work
-                       for any other modern environment unless x11vnc is run
-                       as root (which, btw, is often done when running x11vnc
-                       from inetd and xdm/gdm/kdm).  All of the -unixpw options
-                       and contraints apply.
+                       NIS setups user encrypted passwords are accessible
+                       (e.g. "ypcat passwd") by an ordinary user and so that
+                       user can authenticate ANY user.
+
+                       NIS is not required for this mode to work (only that
+                       getpwnam(3) return the encrypted password is required),
+                       but it is unlikely it will work for any most modern
+                       environments unless x11vnc is run as root to be able
+                       to access /etc/shadow (note running as root is often
+                       done when running x11vnc from inetd and xdm/gdm/kdm).
+
+                       Looked at another way, if you do not want to use the
+                       su(1) method provided by -unixpw, you can run x11vnc
+                       as root and use -unixpw_nis.  Any users with passwords
+                       in /etc/shadow can then be authenticated.  You may want
+                       to use -users unixpw= to switch the process user after
+                       the user logs in.
 
 -display_WAIT :...      A special usage mode for the normal -display option.
                        Useful with -unixpw, but can be used independently
@@ -10500,8 +10511,15 @@ Options:
                        "ignore" or "exit".  For "ignore" libvncserver
                        will handle the abrupt loss of a client and continue,
                        for "exit" x11vnc will cleanup and exit at the 1st
-                       broken connection.  Default: "ignore".  This option
-                       is obsolete.
+                       broken connection.
+
+                       This option is not really needed since libvncserver
+                       is doing the correct thing now for quite some time.
+                       However, for convenience you can use it to ignore other
+                       signals, e.g. "-sigpipe ignore:HUP,INT,TERM" in case
+                       that would be useful for some sort of application.
+                       You can also put "exit:.." in there.
+
 -threads               Whether or not to use the threaded libvncserver
 -nothreads             algorithm [rfbRunEventLoop] if libpthread is available
                        Default: -nothreads

x11vnc/cleanup.c

@@ -405,6 +405,83 @@ static void interrupted (int sig) {
 	}
 }
 
+static void ignore_sigs(char *list) {
+	char *str, *p;
+	int ignore = 1;
+	if (list == NULL || *list == '\0') {
+		return;
+	}
+	str = strdup(list);
+	p = strtok(str, ":,");
+
+#define SETSIG(x, y) \
+	if (strstr(p, x)) { \
+		if (ignore) { \
+			signal(y, SIG_IGN); \
+		} else { \
+			signal(y, interrupted); \
+		} \
+	}
+
+#ifdef SIG_IGN
+	while (p) {
+		if (!strcmp(p, "ignore")) {
+			ignore = 1;
+		} else if (!strcmp(p, "exit")) {
+			ignore = 0;
+		}
+		/* Take off every 'sig' ;-) */
+#ifdef SIGHUP
+		SETSIG("HUP", SIGHUP);
+#endif
+#ifdef SIGINT
+		SETSIG("INT", SIGINT);
+#endif
+#ifdef SIGQUIT
+		SETSIG("QUIT", SIGQUIT);
+#endif
+#ifdef SIGTRAP
+		SETSIG("TRAP", SIGTRAP);
+#endif
+#ifdef SIGABRT
+		SETSIG("ABRT", SIGABRT);
+#endif
+#ifdef SIGBUS
+		SETSIG("BUS", SIGBUS);
+#endif
+#ifdef SIGFPE
+		SETSIG("FPE", SIGFPE);
+#endif
+#ifdef SIGSEGV
+		SETSIG("SEGV", SIGSEGV);
+#endif
+#ifdef SIGPIPE
+		SETSIG("PIPE", SIGPIPE);
+#endif
+#ifdef SIGTERM
+		SETSIG("TERM", SIGTERM);
+#endif
+#ifdef SIGUSR1
+		SETSIG("USR1", SIGUSR1);
+#endif
+#ifdef SIGUSR2
+		SETSIG("USR2", SIGUSR2);
+#endif
+#ifdef SIGCONT
+		SETSIG("CONT", SIGCONT);
+#endif
+#ifdef SIGSTOP
+		SETSIG("STOP", SIGSTOP);
+#endif
+#ifdef SIGTSTP
+		SETSIG("TSTP", SIGTSTP);
+#endif
+		p = strtok(NULL, ":,");
+	}
+#endif	/* SIG_IGN */
+	free(str);
+}
+
 /* signal handlers */
 void initialize_signals(void) {
 	signal(SIGHUP,  interrupted);
@@ -418,6 +495,10 @@ void initialize_signals(void) {
 
 	if (!sigpipe || *sigpipe == '\0' || !strcmp(sigpipe, "skip")) {
 		;
+	} else if (strstr(sigpipe, "ignore:") == sigpipe) {
+		ignore_sigs(sigpipe);
+	} else if (strstr(sigpipe, "exit:") == sigpipe) {
+		ignore_sigs(sigpipe);
 	} else if (!strcmp(sigpipe, "ignore")) {
 #ifdef SIG_IGN
 		signal(SIGPIPE, SIG_IGN);
@@ -454,6 +535,12 @@ int known_sigpipe_mode(char *s) {
 /*
  * skip, ignore, exit
  */
+	if (strstr(s, "ignore:") == s) {
+		return 1;
+	}
+	if (strstr(s, "exit:") == s) {
+		return 1;
+	}
 	if (strcmp(s, "skip") && strcmp(s, "ignore") && 
 	    strcmp(s, "exit")) {
 		return 0;

x11vnc/help.c

@@ -574,20 +574,31 @@ void print_help(int mode) {
 "\n"
 "-unixpw_nis [list]     As -unixpw above, however do not use su(1) but rather\n"
 "                       use the traditional getpwnam(3) + crypt(3) method to\n"
-"                       verify passwords instead.  This requires that the\n"
-"                       encrypted passwords be readable.  Passwords stored\n"
-"                       in /etc/shadow will be inaccessible unless x11vnc\n"
-"                       is run as root.\n"
+"                       verify passwords. All of the above -unixpw options and\n"
+"                       contraints apply.\n"
+"\n"
+"                       This mode requires that the encrypted passwords be\n"
+"                       readable.  Encrypted passwords stored in /etc/shadow\n"
+"                       will be inaccessible unless x11vnc is run as root.\n"
 "\n"
 "                       This is called \"NIS\" mode simply because in most\n"
-"                       NIS setups the user encrypted passwords are accessible\n"
-"                       (e.g. \"ypcat passwd\").  NIS is not required for this\n"
-"                       mode to work (only that getpwnam(3) return the encrypted\n"
-"                       password is required), but it is unlikely it will work\n"
-"                       for any other modern environment unless x11vnc is run\n"
-"                       as root (which, btw, is often done when running x11vnc\n"
-"                       from inetd and xdm/gdm/kdm).  All of the -unixpw options\n"
-"                       and contraints apply.\n"
+"                       NIS setups user encrypted passwords are accessible\n"
+"                       (e.g. \"ypcat passwd\") by an ordinary user and so that\n"
+"                       user can authenticate ANY user.\n"
+"\n"
+"                       NIS is not required for this mode to work (only that\n"
+"                       getpwnam(3) return the encrypted password is required),\n"
+"                       but it is unlikely it will work for any most modern\n"
+"                       environments unless x11vnc is run as root to be able\n"
+"                       to access /etc/shadow (note running as root is often\n"
+"                       done when running x11vnc from inetd and xdm/gdm/kdm).\n"
+"\n"
+"                       Looked at another way, if you do not want to use the\n"
+"                       su(1) method provided by -unixpw, you can run x11vnc\n"
+"                       as root and use -unixpw_nis.  Any users with passwords\n"
+"                       in /etc/shadow can then be authenticated.  You may want\n"
+"                       to use -users unixpw= to switch the process user after\n"
+"                       the user logs in.\n"
 "\n"
 #endif
 "-display WAIT:...      A special usage mode for the normal -display option.\n"
@@ -2374,8 +2385,15 @@ void print_help(int mode) {
 "                       \"ignore\" or \"exit\".  For \"ignore\" libvncserver\n"
 "                       will handle the abrupt loss of a client and continue,\n"
 "                       for \"exit\" x11vnc will cleanup and exit at the 1st\n"
-"                       broken connection.  Default: \"ignore\".  This option\n"
-"                       is obsolete.\n"
+"                       broken connection.\n"
+"\n"
+"                       This option is not really needed since libvncserver\n"
+"                       is doing the correct thing now for quite some time.\n"
+"                       However, for convenience you can use it to ignore other\n"
+"                       signals, e.g. \"-sigpipe ignore:HUP,INT,TERM\" in case\n"
+"                       that would be useful for some sort of application.\n"
+"                       You can also put \"exit:..\" in there.\n"
+"\n"
 "-threads               Whether or not to use the threaded libvncserver\n"
 "-nothreads             algorithm [rfbRunEventLoop] if libpthread is available\n"
 "                       Default: %s\n"

x11vnc/screen.c

@@ -880,7 +880,8 @@ if (db) fprintf(stderr, "initialize_raw_fb reset\n");
 	if (! raw_fb_str) {
 		return NULL;
 	}
-	if (!strcasecmp(raw_fb_str, "NULL") || !strcasecmp(raw_fb_str, "ZERO")) {
+	if (!strcasecmp(raw_fb_str, "NULL") || !strcasecmp(raw_fb_str, "ZERO")
+	    || !strcasecmp(raw_fb_str, "NONE")) {
 		raw_fb_str = strdup("map:/dev/zero@640x480x32");
 	}
 	if (!strcasecmp(raw_fb_str, "RAND")) {

x11vnc/unixpw.c

@@ -584,6 +584,11 @@ if (db) fprintf(stderr, "slave is: %s fd=%d\n", slave, fd);
 
 		try_to_be_nobody();
 #if LIBVNCSERVER_HAVE_GETUID
+		if (0 && db > 1) {
+			/* does not work, writes to pty... */
+			fprintf(stderr, "getuid=%d geteuid=%d\n",
+			    getuid(), geteuid());
+		}
 		if (getuid() == 0 || geteuid() == 0) {
 			exit(1);
 		}
@@ -594,6 +599,11 @@ if (db) fprintf(stderr, "slave is: %s fd=%d\n", slave, fd);
 		set_env("LC_ALL", "C");
 		set_env("LANG", "C");
 		set_env("SHELL", "/bin/sh");
+		if (!cmd && getenv("DISPLAY")) {
+			/* this will cause timeout problems with pam_xauth */
+			char *s = getenv("DISPLAY");
+			if (s) *(s-2) = '_';
+		}
 
 		/* synchronize with parent: */
 		write(2, "C", 1);

x11vnc/x11vnc.1

@@ -2,7 +2,7 @@
 .TH X11VNC "1" "September 2006" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.8.3, lastmod: 2006-09-13
+         version: 0.8.3, lastmod: 2006-09-15
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -692,22 +692,33 @@ use the traditional
 + 
 .IR crypt (3)
 method to
-verify passwords instead.  This requires that the
-encrypted passwords be readable.  Passwords stored
-in /etc/shadow will be inaccessible unless x11vnc
-is run as root.
+verify passwords. All of the above \fB-unixpw\fR options and
+contraints apply.
+.IP
+This mode requires that the encrypted passwords be
+readable.  Encrypted passwords stored in /etc/shadow
+will be inaccessible unless x11vnc is run as root.
 .IP
 This is called "NIS" mode simply because in most
-NIS setups the user encrypted passwords are accessible
-(e.g. "ypcat passwd").  NIS is not required for this
-mode to work (only that 
+NIS setups user encrypted passwords are accessible
+(e.g. "ypcat passwd") by an ordinary user and so that
+user can authenticate ANY user.
+.IP
+NIS is not required for this mode to work (only that
 .IR getpwnam (3)
-return the encrypted
-password is required), but it is unlikely it will work
-for any other modern environment unless x11vnc is run
-as root (which, btw, is often done when running x11vnc
-from inetd and xdm/gdm/kdm).  All of the \fB-unixpw\fR options
-and contraints apply.
+return the encrypted password is required),
+but it is unlikely it will work for any most modern
+environments unless x11vnc is run as root to be able
+to access /etc/shadow (note running as root is often
+done when running x11vnc from inetd and xdm/gdm/kdm).
+.IP
+Looked at another way, if you do not want to use the
+.IR su (1)
+method provided by \fB-unixpw,\fR you can run x11vnc
+as root and use \fB-unixpw_nis.\fR  Any users with passwords
+in /etc/shadow can then be authenticated.  You may want
+to use \fB-users\fR unixpw= to switch the process user after
+the user logs in.
 .PP
 \fB-display\fR \fIWAIT:...\fR
 .IP
@@ -2801,8 +2812,14 @@ Broken pipe (SIGPIPE) handling.  \fIstring\fR can be
 "ignore" or "exit".  For "ignore" libvncserver
 will handle the abrupt loss of a client and continue,
 for "exit" x11vnc will cleanup and exit at the 1st
-broken connection.  Default: "ignore".  This option
-is obsolete.
+broken connection.
+.IP
+This option is not really needed since libvncserver
+is doing the correct thing now for quite some time.
+However, for convenience you can use it to ignore other
+signals, e.g. "\fB-sigpipe\fR \fIignore:HUP,INT,TERM\fR" in case
+that would be useful for some sort of application.
+You can also put "exit:.." in there.
 .PP
 \fB-threads,\fR \fB-nothreads\fR
 .IP

x11vnc/x11vnc_defs.c

@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.8.3 lastmod: 2006-09-13";
+char lastmod[] = "0.8.3 lastmod: 2006-09-15";
 
 /* X display info */