Commit be2b77f2 authored by runge

x11vnc: clear DISPLAY for -unixpw su_verify, user supplied sig ignore.

parent 130cf391
...@@ -2971,9 +2971,9 @@ rfbSendNewFBSize(rfbClientPtr cl, ...@@ -2971,9 +2971,9 @@ rfbSendNewFBSize(rfbClientPtr cl,
} }
if (cl->PalmVNC==TRUE) if (cl->PalmVNC==TRUE)
rfbLog("Sending a rfbEncodingNewFBSize in response to a PalmVNC style frameuffer resize request (%dx%d)\n", w, h); rfbLog("Sending rfbEncodingNewFBSize in response to a PalmVNC style framebuffer resize (%dx%d)\n", w, h);
else else
rfbLog("Sending a rfbEncodingNewFBSize in response to a UltraVNC style frameuffer resize request (%dx%d)\n", w, h); rfbLog("Sending rfbEncodingNewFBSize for resize to (%dx%d)\n", w, h);
rect.encoding = Swap32IfLE(rfbEncodingNewFBSize); rect.encoding = Swap32IfLE(rfbEncodingNewFBSize);
rect.r.x = 0; rect.r.x = 0;
......
2006-09-15 Karl Runge <runge@karlrunge.com>
* x11vnc: allow user set signals to ignore, clear DISPLAY in
-unixpw su_verify. -rawfb none same as null.
* rfbserver.c: shorten rfbEncodingNewFBSize message.
2006-09-13 Karl Runge <runge@karlrunge.com> 2006-09-13 Karl Runge <runge@karlrunge.com>
* x11vnc: document 'ssh -t' improved keyboard response. add * x11vnc: document 'ssh -t' improved keyboard response. add
extra rfbPE() around keystrokes. extra rfbPE() around keystrokes.
......
x11vnc README file Date: Wed Sep 13 21:30:41 EDT 2006 x11vnc README file Date: Fri Sep 15 11:12:28 EDT 2006
The following information is taken from these URLs: The following information is taken from these URLs:
...@@ -8061,7 +8061,7 @@ x11vnc: a VNC server for real X displays ...@@ -8061,7 +8061,7 @@ x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options: Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions) % x11vnc -opts (see below for -help long descriptions)
x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-13 x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-15
x11vnc options: x11vnc options:
-display disp -auth file -id windowid -display disp -auth file -id windowid
...@@ -8160,7 +8160,7 @@ libvncserver-tight-extension options: ...@@ -8160,7 +8160,7 @@ libvncserver-tight-extension options:
% x11vnc -help % x11vnc -help
x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-13 x11vnc: allow VNC connections to real X11 displays. 0.8.3 lastmod: 2006-09-15
(type "x11vnc -opts" to just list the options.) (type "x11vnc -opts" to just list the options.)
...@@ -8713,20 +8713,31 @@ Options: ...@@ -8713,20 +8713,31 @@ Options:
-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather -unixpw_nis [list] As -unixpw above, however do not use su(1) but rather
use the traditional getpwnam(3) + crypt(3) method to use the traditional getpwnam(3) + crypt(3) method to
verify passwords instead. This requires that the verify passwords. All of the above -unixpw options and
encrypted passwords be readable. Passwords stored contraints apply.
in /etc/shadow will be inaccessible unless x11vnc
is run as root. This mode requires that the encrypted passwords be
readable. Encrypted passwords stored in /etc/shadow
will be inaccessible unless x11vnc is run as root.
This is called "NIS" mode simply because in most This is called "NIS" mode simply because in most
NIS setups the user encrypted passwords are accessible NIS setups user encrypted passwords are accessible
(e.g. "ypcat passwd"). NIS is not required for this (e.g. "ypcat passwd") by an ordinary user and so that
mode to work (only that getpwnam(3) return the encrypted user can authenticate ANY user.
password is required), but it is unlikely it will work
for any other modern environment unless x11vnc is run NIS is not required for this mode to work (only that
as root (which, btw, is often done when running x11vnc getpwnam(3) return the encrypted password is required),
from inetd and xdm/gdm/kdm). All of the -unixpw options but it is unlikely it will work for any most modern
and contraints apply. environments unless x11vnc is run as root to be able
to access /etc/shadow (note running as root is often
done when running x11vnc from inetd and xdm/gdm/kdm).
Looked at another way, if you do not want to use the
su(1) method provided by -unixpw, you can run x11vnc
as root and use -unixpw_nis. Any users with passwords
in /etc/shadow can then be authenticated. You may want
to use -users unixpw= to switch the process user after
the user logs in.
-display_WAIT :... A special usage mode for the normal -display option. -display_WAIT :... A special usage mode for the normal -display option.
Useful with -unixpw, but can be used independently Useful with -unixpw, but can be used independently
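Review bot: The rewritten -unixpw_nis text in this hunk has two wording slips: "contraints" should be "constraints", and "it is unlikely it will work for any most modern environments" carries a leftover word (drop "any" or "most"). The same strings appear in the print_help() and man page hunks of this commit, so correct them in all three places together.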
...@@ -10500,8 +10511,15 @@ Options: ...@@ -10500,8 +10511,15 @@ Options:
"ignore" or "exit". For "ignore" libvncserver "ignore" or "exit". For "ignore" libvncserver
will handle the abrupt loss of a client and continue, will handle the abrupt loss of a client and continue,
for "exit" x11vnc will cleanup and exit at the 1st for "exit" x11vnc will cleanup and exit at the 1st
broken connection. Default: "ignore". This option broken connection.
is obsolete.
This option is not really needed since libvncserver
is doing the correct thing now for quite some time.
However, for convenience you can use it to ignore other
signals, e.g. "-sigpipe ignore:HUP,INT,TERM" in case
that would be useful for some sort of application.
You can also put "exit:.." in there.
-threads Whether or not to use the threaded libvncserver -threads Whether or not to use the threaded libvncserver
-nothreads algorithm [rfbRunEventLoop] if libpthread is available -nothreads algorithm [rfbRunEventLoop] if libpthread is available
Default: -nothreads Default: -nothreads
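Review bot: The new -sigpipe description removes the sentence 'Default: "ignore"' and nothing replaces it, so the option's default is no longer documented in this hunk (the print_help() and man page hunks make the same change). Suggest keeping the default line, and stating whether SIGPIPE itself is still handled when the "ignore:HUP,INT,TERM" list form is used, since the example omits PIPE.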
......
...@@ -405,6 +405,83 @@ static void interrupted (int sig) { ...@@ -405,6 +405,83 @@ static void interrupted (int sig) {
} }
} }
static void ignore_sigs(char *list) {
char *str, *p;
int ignore = 1;
if (list == NULL || *list == '\0') {
return;
}
str = strdup(list);
p = strtok(str, ":,");
#define SETSIG(x, y) \
if (strstr(p, x)) { \
if (ignore) { \
signal(y, SIG_IGN); \
} else { \
signal(y, interrupted); \
} \
}
#ifdef SIG_IGN
while (p) {
if (!strcmp(p, "ignore")) {
ignore = 1;
} else if (!strcmp(p, "exit")) {
ignore = 0;
}
/* Take off every 'sig' ;-) */
#ifdef SIGHUP
SETSIG("HUP", SIGHUP);
#endif
#ifdef SIGINT
SETSIG("INT", SIGINT);
#endif
#ifdef SIGQUIT
SETSIG("QUIT", SIGQUIT);
#endif
#ifdef SIGTRAP
SETSIG("TRAP", SIGTRAP);
#endif
#ifdef SIGABRT
SETSIG("ABRT", SIGABRT);
#endif
#ifdef SIGBUS
SETSIG("BUS", SIGBUS);
#endif
#ifdef SIGFPE
SETSIG("FPE", SIGFPE);
#endif
#ifdef SIGSEGV
SETSIG("SEGV", SIGSEGV);
#endif
#ifdef SIGPIPE
SETSIG("PIPE", SIGPIPE);
#endif
#ifdef SIGTERM
SETSIG("TERM", SIGTERM);
#endif
#ifdef SIGUSR1
SETSIG("USR1", SIGUSR1);
#endif
#ifdef SIGUSR2
SETSIG("USR2", SIGUSR2);
#endif
#ifdef SIGCONT
SETSIG("CONT", SIGCONT);
#endif
#ifdef SIGSTOP
SETSIG("STOP", SIGSTOP);
#endif
#ifdef SIGTSTP
SETSIG("TSTP", SIGTSTP);
#endif
p = strtok(NULL, ":,");
}
#endif /* SIG_IGN */
free(str);
}
/* signal handlers */ /* signal handlers */
void initialize_signals(void) { void initialize_signals(void) {
signal(SIGHUP, interrupted); signal(SIGHUP, interrupted);
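Review bot: In ignore_sigs(), the SETSIG table includes signals for which signal(y, SIG_IGN) is either impossible or unsafe: SIGSTOP cannot be ignored or caught, so that call fails and the return value is never checked, and ignoring SIGSEGV, SIGBUS or SIGFPE leaves behavior undefined once a real fault raises them. Suggest dropping STOP from the table, refusing or warning on SEGV, BUS and FPE, and checking signal() for SIG_ERR. Two smaller points: SETSIG matches with strstr(p, x), so a token that merely contains a signal name is accepted and a misspelled token is skipped silently, where strcmp on the token would be exact; and the result of strdup(list) goes to strtok() without a NULL check.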
...@@ -418,6 +495,10 @@ void initialize_signals(void) { ...@@ -418,6 +495,10 @@ void initialize_signals(void) {
if (!sigpipe || *sigpipe == '\0' || !strcmp(sigpipe, "skip")) { if (!sigpipe || *sigpipe == '\0' || !strcmp(sigpipe, "skip")) {
; ;
} else if (strstr(sigpipe, "ignore:") == sigpipe) {
ignore_sigs(sigpipe);
} else if (strstr(sigpipe, "exit:") == sigpipe) {
ignore_sigs(sigpipe);
} else if (!strcmp(sigpipe, "ignore")) { } else if (!strcmp(sigpipe, "ignore")) {
#ifdef SIG_IGN #ifdef SIG_IGN
signal(SIGPIPE, SIG_IGN); signal(SIGPIPE, SIG_IGN);
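Review bot: Because the new "ignore:" and "exit:" branches sit ahead of the plain "ignore" case in initialize_signals(), a value such as ignore:HUP,INT,TERM never reaches signal(SIGPIPE, SIG_IGN), so in this chain SIGPIPE is only touched when PIPE is in the list. If that is intended, say so in the -sigpipe help; if not, apply the SIGPIPE setting before calling ignore_sigs(). The two new branches have identical bodies and can share one condition, and strncmp(sigpipe, "ignore:", 7) expresses the prefix test more directly than strstr(sigpipe, "ignore:") == sigpipe.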
...@@ -454,6 +535,12 @@ int known_sigpipe_mode(char *s) { ...@@ -454,6 +535,12 @@ int known_sigpipe_mode(char *s) {
/* /*
* skip, ignore, exit * skip, ignore, exit
*/ */
if (strstr(s, "ignore:") == s) {
return 1;
}
if (strstr(s, "exit:") == s) {
return 1;
}
if (strcmp(s, "skip") && strcmp(s, "ignore") && if (strcmp(s, "skip") && strcmp(s, "ignore") &&
strcmp(s, "exit")) { strcmp(s, "exit")) {
return 0; return 0;
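Review bot: known_sigpipe_mode() now returns 1 for any string that starts with "ignore:" or "exit:", so an empty or misspelled signal list passes option validation. Suggest checking each name after the prefix against the set ignore_sigs() handles and returning 0 otherwise, so the user gets an error instead of signal dispositions that differ from what was requested.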
......
...@@ -574,20 +574,31 @@ void print_help(int mode) { ...@@ -574,20 +574,31 @@ void print_help(int mode) {
"\n" "\n"
"-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n" "-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n"
" use the traditional getpwnam(3) + crypt(3) method to\n" " use the traditional getpwnam(3) + crypt(3) method to\n"
" verify passwords instead. This requires that the\n" " verify passwords. All of the above -unixpw options and\n"
" encrypted passwords be readable. Passwords stored\n" " contraints apply.\n"
" in /etc/shadow will be inaccessible unless x11vnc\n" "\n"
" is run as root.\n" " This mode requires that the encrypted passwords be\n"
" readable. Encrypted passwords stored in /etc/shadow\n"
" will be inaccessible unless x11vnc is run as root.\n"
"\n" "\n"
" This is called \"NIS\" mode simply because in most\n" " This is called \"NIS\" mode simply because in most\n"
" NIS setups the user encrypted passwords are accessible\n" " NIS setups user encrypted passwords are accessible\n"
" (e.g. \"ypcat passwd\"). NIS is not required for this\n" " (e.g. \"ypcat passwd\") by an ordinary user and so that\n"
" mode to work (only that getpwnam(3) return the encrypted\n" " user can authenticate ANY user.\n"
" password is required), but it is unlikely it will work\n" "\n"
" for any other modern environment unless x11vnc is run\n" " NIS is not required for this mode to work (only that\n"
" as root (which, btw, is often done when running x11vnc\n" " getpwnam(3) return the encrypted password is required),\n"
" from inetd and xdm/gdm/kdm). All of the -unixpw options\n" " but it is unlikely it will work for any most modern\n"
" and contraints apply.\n" " environments unless x11vnc is run as root to be able\n"
" to access /etc/shadow (note running as root is often\n"
" done when running x11vnc from inetd and xdm/gdm/kdm).\n"
"\n"
" Looked at another way, if you do not want to use the\n"
" su(1) method provided by -unixpw, you can run x11vnc\n"
" as root and use -unixpw_nis. Any users with passwords\n"
" in /etc/shadow can then be authenticated. You may want\n"
" to use -users unixpw= to switch the process user after\n"
" the user logs in.\n"
"\n" "\n"
#endif #endif
"-display WAIT:... A special usage mode for the normal -display option.\n" "-display WAIT:... A special usage mode for the normal -display option.\n"
...@@ -2374,8 +2385,15 @@ void print_help(int mode) { ...@@ -2374,8 +2385,15 @@ void print_help(int mode) {
" \"ignore\" or \"exit\". For \"ignore\" libvncserver\n" " \"ignore\" or \"exit\". For \"ignore\" libvncserver\n"
" will handle the abrupt loss of a client and continue,\n" " will handle the abrupt loss of a client and continue,\n"
" for \"exit\" x11vnc will cleanup and exit at the 1st\n" " for \"exit\" x11vnc will cleanup and exit at the 1st\n"
" broken connection. Default: \"ignore\". This option\n" " broken connection.\n"
" is obsolete.\n" "\n"
" This option is not really needed since libvncserver\n"
" is doing the correct thing now for quite some time.\n"
" However, for convenience you can use it to ignore other\n"
" signals, e.g. \"-sigpipe ignore:HUP,INT,TERM\" in case\n"
" that would be useful for some sort of application.\n"
" You can also put \"exit:..\" in there.\n"
"\n"
"-threads Whether or not to use the threaded libvncserver\n" "-threads Whether or not to use the threaded libvncserver\n"
"-nothreads algorithm [rfbRunEventLoop] if libpthread is available\n" "-nothreads algorithm [rfbRunEventLoop] if libpthread is available\n"
" Default: %s\n" " Default: %s\n"
......
...@@ -880,7 +880,8 @@ if (db) fprintf(stderr, "initialize_raw_fb reset\n"); ...@@ -880,7 +880,8 @@ if (db) fprintf(stderr, "initialize_raw_fb reset\n");
if (! raw_fb_str) { if (! raw_fb_str) {
return NULL; return NULL;
} }
if (!strcasecmp(raw_fb_str, "NULL") || !strcasecmp(raw_fb_str, "ZERO")) { if (!strcasecmp(raw_fb_str, "NULL") || !strcasecmp(raw_fb_str, "ZERO")
|| !strcasecmp(raw_fb_str, "NONE")) {
raw_fb_str = strdup("map:/dev/zero@640x480x32"); raw_fb_str = strdup("map:/dev/zero@640x480x32");
} }
if (!strcasecmp(raw_fb_str, "RAND")) { if (!strcasecmp(raw_fb_str, "RAND")) {
......
...@@ -584,6 +584,11 @@ if (db) fprintf(stderr, "slave is: %s fd=%d\n", slave, fd); ...@@ -584,6 +584,11 @@ if (db) fprintf(stderr, "slave is: %s fd=%d\n", slave, fd);
try_to_be_nobody(); try_to_be_nobody();
#if LIBVNCSERVER_HAVE_GETUID #if LIBVNCSERVER_HAVE_GETUID
if (0 && db > 1) {
/* does not work, writes to pty... */
fprintf(stderr, "getuid=%d geteuid=%d\n",
getuid(), geteuid());
}
if (getuid() == 0 || geteuid() == 0) { if (getuid() == 0 || geteuid() == 0) {
exit(1); exit(1);
} }
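Review bot: The added if (0 && db > 1) block is dead code, and its own comment says the fprintf does not work because the output is written to the pty. Suggest removing it rather than committing a disabled branch, or sending the getuid()/geteuid() values to a debug channel other than the pty if that output is still wanted ahead of the root check.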
...@@ -594,6 +599,11 @@ if (db) fprintf(stderr, "slave is: %s fd=%d\n", slave, fd); ...@@ -594,6 +599,11 @@ if (db) fprintf(stderr, "slave is: %s fd=%d\n", slave, fd);
set_env("LC_ALL", "C"); set_env("LC_ALL", "C");
set_env("LANG", "C"); set_env("LANG", "C");
set_env("SHELL", "/bin/sh"); set_env("SHELL", "/bin/sh");
if (!cmd && getenv("DISPLAY")) {
/* this will cause timeout problems with pam_xauth */
char *s = getenv("DISPLAY");
if (s) *(s-2) = '_';
}
/* synchronize with parent: */ /* synchronize with parent: */
write(2, "C", 1); write(2, "C", 1);
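Review bot: The DISPLAY clearing at if (s) *(s-2) = '_'; writes two bytes before the pointer getenv() returned, which renames the variable (DISPLAY= becomes DISPLA_=) only if the value sits inside a "DISPLAY=value" environment string, and the C standard says the string getenv() returns must not be modified by the program. Suggest unsetenv("DISPLAY") where it is available, or at minimum a comment stating the layout assumption. The existing comment reads as if this write causes the pam_xauth timeouts; reword it to say that a set DISPLAY causes them and is therefore cleared. The inner if (s) repeats the getenv("DISPLAY") test already made in the outer condition.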
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
.TH X11VNC "1" "September 2006" "x11vnc " "User Commands" .TH X11VNC "1" "September 2006" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.8.3, lastmod: 2006-09-13 version: 0.8.3, lastmod: 2006-09-15
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
...@@ -692,22 +692,33 @@ use the traditional ...@@ -692,22 +692,33 @@ use the traditional
+ +
.IR crypt (3) .IR crypt (3)
method to method to
verify passwords instead. This requires that the verify passwords. All of the above \fB-unixpw\fR options and
encrypted passwords be readable. Passwords stored contraints apply.
in /etc/shadow will be inaccessible unless x11vnc .IP
is run as root. This mode requires that the encrypted passwords be
readable. Encrypted passwords stored in /etc/shadow
will be inaccessible unless x11vnc is run as root.
.IP .IP
This is called "NIS" mode simply because in most This is called "NIS" mode simply because in most
NIS setups the user encrypted passwords are accessible NIS setups user encrypted passwords are accessible
(e.g. "ypcat passwd"). NIS is not required for this (e.g. "ypcat passwd") by an ordinary user and so that
mode to work (only that user can authenticate ANY user.
.IP
NIS is not required for this mode to work (only that
.IR getpwnam (3) .IR getpwnam (3)
return the encrypted return the encrypted password is required),
password is required), but it is unlikely it will work but it is unlikely it will work for any most modern
for any other modern environment unless x11vnc is run environments unless x11vnc is run as root to be able
as root (which, btw, is often done when running x11vnc to access /etc/shadow (note running as root is often
from inetd and xdm/gdm/kdm). All of the \fB-unixpw\fR options done when running x11vnc from inetd and xdm/gdm/kdm).
and contraints apply. .IP
Looked at another way, if you do not want to use the
.IR su (1)
method provided by \fB-unixpw,\fR you can run x11vnc
as root and use \fB-unixpw_nis.\fR Any users with passwords
in /etc/shadow can then be authenticated. You may want
to use \fB-users\fR unixpw= to switch the process user after
the user logs in.
.PP .PP
\fB-display\fR \fIWAIT:...\fR \fB-display\fR \fIWAIT:...\fR
.IP .IP
...@@ -2801,8 +2812,14 @@ Broken pipe (SIGPIPE) handling. \fIstring\fR can be ...@@ -2801,8 +2812,14 @@ Broken pipe (SIGPIPE) handling. \fIstring\fR can be
"ignore" or "exit". For "ignore" libvncserver "ignore" or "exit". For "ignore" libvncserver
will handle the abrupt loss of a client and continue, will handle the abrupt loss of a client and continue,
for "exit" x11vnc will cleanup and exit at the 1st for "exit" x11vnc will cleanup and exit at the 1st
broken connection. Default: "ignore". This option broken connection.
is obsolete. .IP
This option is not really needed since libvncserver
is doing the correct thing now for quite some time.
However, for convenience you can use it to ignore other
signals, e.g. "\fB-sigpipe\fR \fIignore:HUP,INT,TERM\fR" in case
that would be useful for some sort of application.
You can also put "exit:.." in there.
.PP .PP
\fB-threads,\fR \fB-nothreads\fR \fB-threads,\fR \fB-nothreads\fR
.IP .IP
......
...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; ...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.8.3 lastmod: 2006-09-13"; char lastmod[] = "0.8.3 lastmod: 2006-09-15";
/* X display info */ /* X display info */
......