Commit c997e901 authored by runge's avatar runge

x11vnc: gui speedup and fixes. -unixpw and -inetd

parent a9a9c812
2006-03-06 Karl Runge <runge@karlrunge.com>
* x11vnc: switch remote control to X11VNC_REMOTE property. Put
in -unixpw constraints for reverse connections under -inetd.
-inetd won't quit when reverse conn client leaves. Allow keyboard
input for viewonly -unixpw logins. "%*" utils for testing
-unixpw. improve start time fix bugs, small screen in gui.
2006-03-04 Karl Runge <runge@karlrunge.com> 2006-03-04 Karl Runge <runge@karlrunge.com>
* x11vnc: -unixpw on *bsd, hpux and tru64. Add -unixpw_nis for * x11vnc: -unixpw on *bsd, hpux and tru64. Add -unixpw_nis for
non-shadow systems. check stunnel dying. check SSH_CONNECTION non-shadow systems. check stunnel dying. check SSH_CONNECTION
......
x11vnc README file Date: Sat Mar 4 17:57:40 EST 2006 x11vnc README file Date: Mon Mar 6 10:24:41 EST 2006
The following information is taken from these URLs: The following information is taken from these URLs:
...@@ -5382,7 +5382,7 @@ x11vnc: a VNC server for real X displays ...@@ -5382,7 +5382,7 @@ x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options: Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions) % x11vnc -opts (see below for -help long descriptions)
x11vnc: allow VNC connections to real X11 displays. 0.8.1 lastmod: 2006-03-04 x11vnc: allow VNC connections to real X11 displays. 0.8.1 lastmod: 2006-03-06
x11vnc options: x11vnc options:
-display disp -auth file -display disp -auth file
...@@ -5495,7 +5495,7 @@ libvncserver-tight-extension options: ...@@ -5495,7 +5495,7 @@ libvncserver-tight-extension options:
% x11vnc -help % x11vnc -help
x11vnc: allow VNC connections to real X11 displays. 0.8.1 lastmod: 2006-03-04 x11vnc: allow VNC connections to real X11 displays. 0.8.1 lastmod: 2006-03-06
Typical usage is: Typical usage is:
...@@ -5793,8 +5793,9 @@ Options: ...@@ -5793,8 +5793,9 @@ Options:
-novncconnect VNC program vncconnect(1). When the property is -novncconnect VNC program vncconnect(1). When the property is
set to "host" or "host:port" establish a reverse set to "host" or "host:port" establish a reverse
connection. Using xprop(1) instead of vncconnect may connection. Using xprop(1) instead of vncconnect may
work (see the FAQ). The -remote control mechanism also work (see the FAQ). The -remote control mechanism uses
uses this VNC_CONNECT channel. Default: -vncconnect X11VNC_REMOTE channel, and this option disables/enables
it as well. Default: -vncconnect
-allow host1[,host2..] Only allow client connections from hosts matching -allow host1[,host2..] Only allow client connections from hosts matching
the comma separated list of hostnames or IP addresses. the comma separated list of hostnames or IP addresses.
...@@ -5909,8 +5910,8 @@ Options: ...@@ -5909,8 +5910,8 @@ Options:
x11vnc as root with the "-users +nobody" option to x11vnc as root with the "-users +nobody" option to
immediately switch to user nobody. Another source of immediately switch to user nobody. Another source of
problems are PAM modules that prompt for extra info, problems are PAM modules that prompt for extra info,
e.g. password aging modules. These logins will always e.g. password aging modules. These logins will fail
fail as well. as well even when the correct password is supplied.
*IMPORTANT*: to prevent the Unix password being sent in *IMPORTANT*: to prevent the Unix password being sent in
*clear text* over the network, two x11vnc options are *clear text* over the network, two x11vnc options are
...@@ -5937,17 +5938,28 @@ Options: ...@@ -5937,17 +5938,28 @@ Options:
is set and appears reasonable. If it does, then the is set and appears reasonable. If it does, then the
stunnel requirement is dropped since it is assumed stunnel requirement is dropped since it is assumed
you are using ssh for the encrypted tunnelling. you are using ssh for the encrypted tunnelling.
Use -stunnel to force stunnel usage. Use -stunnel to force stunnel usage for this case.
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost
requirement. One should never do this (i.e. allow the requirement. One should never do this (i.e. allow the
Unix passwords to be sniffed on the network). Unix passwords to be sniffed on the network).
NOTE: in -inetd mode the two settings are not enforced Regarding reverse connections (e.g. -R connect:host),
since x11vnc does not make network connections in the -localhost constraint is in effect and the reverse
that case. Be sure to use encryption from the viewer connections can only be used to connect to the same
to inetd. One can also have your own stunnel spawn machine x11vnc is running on (default port 5500).
x11vnc in -inetd mode. See the FAQ. Please use a ssh or stunnel port redirection to the
viewer machine to tunnel the reverse connection over
an encrypted channel. Note that Unix username and
password *will* be prompted for (unlike VNC passwords
that are skipped for reverse connections).
NOTE: in -inetd mode the two settings are attempted
to be enforced for reverse connections. Be sure to
use encryption from the viewer to inetd since x11vnc
cannot guess easily if it is encrpyted. Note: you can
also have your own stunnel spawn x11vnc in -inetd mode
(i.e. bypassing inetd). See the FAQ.
The user names in the comma separated [list] can have The user names in the comma separated [list] can have
per-user options after a ":", e.g. "fred:opts" per-user options after a ":", e.g. "fred:opts"
...@@ -5962,16 +5974,21 @@ Options: ...@@ -5962,16 +5974,21 @@ Options:
Use "deny" to explicitly deny some users if you use Use "deny" to explicitly deny some users if you use
"*" to set a global option. "*" to set a global option.
-unixpw_nis [list] As -unixpw above, however do not run su(1) but rather There are also some tools for testing password if [list]
use the traditional getpwnam() + crypt() method instead. starts with the "%" character. See the quick_pw()
This requires that the encrpyted passwords be readable. function for details.
Passwords stored in /etc/shadow will be inaccessible
unless run as root. This is called "NIS" mode -unixpw_nis [list] As -unixpw above, however do not use su(1) but rather
simply because in most NIS setups the user encrypted use the traditional getpwnam(3) + crypt(3) method
passwords are accessible (e.g. "ypcat passwd"). instead. This requires that the encrpyted passwords
NIS is not required for this mode to work, but it be readable. Passwords stored in /etc/shadow will
is unlikely it will work for any other environment. be inaccessible unless run as root. This is called
All of the -unixpw options and contraints apply. "NIS" mode simply because in most NIS setups the
user encrypted passwords are accessible (e.g. "ypcat
passwd"). NIS is not required for this mode to
work, but it is unlikely it will work for any other
environment. All of the -unixpw options and contraints
apply.
-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide -stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide
an encrypted SSL tunnel between viewers and x11vnc. an encrypted SSL tunnel between viewers and x11vnc.
...@@ -7238,7 +7255,7 @@ n ...@@ -7238,7 +7255,7 @@ n
-remote command. -remote command.
The default communication channel is that of X The default communication channel is that of X
properties (specifically VNC_CONNECT), and so this properties (specifically X11VNC_REMOTE), and so this
command must be run with correct settings for DISPLAY command must be run with correct settings for DISPLAY
and possibly XAUTHORITY to connect to the X server and possibly XAUTHORITY to connect to the X server
and set the property. Alternatively, use the -display and set the property. Alternatively, use the -display
...@@ -7520,9 +7537,9 @@ n ...@@ -7520,9 +7537,9 @@ n
it comes back with prefix "aro=" instead of "ans=". it comes back with prefix "aro=" instead of "ans=".
Some -remote commands are pure actions that do not make Some -remote commands are pure actions that do not make
sense as variables, e.g. "stop" or "disconnect", sense as variables, e.g. "stop" or "disconnect", in
in these cases the value returned is "N/A". To direct these cases the value returned is "N/A". To direct a
a query straight to the VNC_CONNECT property or connect query straight to the X11VNC_REMOTE property or connect
file use "qry=..." instead of "cmd=..." file use "qry=..." instead of "cmd=..."
Here is the current list of "variables" that can Here is the current list of "variables" that can
...@@ -7621,9 +7638,9 @@ n ...@@ -7621,9 +7638,9 @@ n
A note about security wrt remote control commands. A note about security wrt remote control commands.
If someone can connect to the X display and change If someone can connect to the X display and change
the property VNC_CONNECT, then they can remotely the property X11VNC_REMOTE, then they can remotely
control x11vnc. Normally access to the X display is control x11vnc. Normally access to the X display is
protected. Note that if they can modify VNC_CONNECT protected. Note that if they can modify X11VNC_REMOTE
on the X server, they have enough permissions to also on the X server, they have enough permissions to also
run their own x11vnc and thus have complete control run their own x11vnc and thus have complete control
of the desktop. If the "-connect /path/to/file" of the desktop. If the "-connect /path/to/file"
...@@ -7633,9 +7650,9 @@ n ...@@ -7633,9 +7650,9 @@ n
permissions. See -privremote below. permissions. See -privremote below.
If you are paranoid and do not think -noremote is If you are paranoid and do not think -noremote is
enough, to disable the VNC_CONNECT property channel enough, to disable the X11VNC_REMOTE property channel
completely use -novncconnect, or use the -safer completely use -novncconnect, or use the -safer option
option that shuts many things off. that shuts many things off.
-unsafe A few remote commands are disabled by default -unsafe A few remote commands are disabled by default
(currently: id:pick, accept:<cmd>, gone:<cmd>, and (currently: id:pick, accept:<cmd>, gone:<cmd>, and
......
...@@ -19,6 +19,9 @@ ...@@ -19,6 +19,9 @@
/* string for the VNC_CONNECT property */ /* string for the VNC_CONNECT property */
char vnc_connect_str[VNC_CONNECT_MAX+1]; char vnc_connect_str[VNC_CONNECT_MAX+1];
Atom vnc_connect_prop = None; Atom vnc_connect_prop = None;
char x11vnc_remote_str[X11VNC_REMOTE_MAX+1];
Atom x11vnc_remote_prop = None;
rfbClientPtr inetd_client = NULL;
int all_clients_initialized(void); int all_clients_initialized(void);
char *list_clients(void); char *list_clients(void);
...@@ -29,7 +32,9 @@ void set_client_input(char *str); ...@@ -29,7 +32,9 @@ void set_client_input(char *str);
void set_child_info(void); void set_child_info(void);
void reverse_connect(char *str); void reverse_connect(char *str);
void set_vnc_connect_prop(char *str); void set_vnc_connect_prop(char *str);
void read_vnc_connect_prop(void); void read_vnc_connect_prop(int);
void set_x11vnc_remote_prop(char *str);
void read_x11vnc_remote_prop(int);
void check_connect_inputs(void); void check_connect_inputs(void);
void check_gui_inputs(void); void check_gui_inputs(void);
enum rfbNewClientAction new_client(rfbClientPtr client); enum rfbNewClientAction new_client(rfbClientPtr client);
...@@ -604,8 +609,8 @@ static void client_gone(rfbClientPtr client) { ...@@ -604,8 +609,8 @@ static void client_gone(rfbClientPtr client) {
free_client_data(client); free_client_data(client);
if (inetd) { if (inetd && client == inetd_client) {
rfbLog("viewer exited.\n"); rfbLog("inetd viewer exited.\n");
clean_up_exit(0); clean_up_exit(0);
} }
if (connect_once) { if (connect_once) {
...@@ -1463,6 +1468,21 @@ static int do_reverse_connect(char *str) { ...@@ -1463,6 +1468,21 @@ static int do_reverse_connect(char *str) {
*p = '\0'; *p = '\0';
} }
if (inetd && unixpw) {
if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) {
if (! getenv("UNIXPW_DISABLE_LOCALHOST")) {
rfbLog("reverse_connect: in -inetd only localhost\n");
rfbLog("connections allowed under -unixpw\n");
return 0;
}
}
if (! getenv("UNIXPW_DISABLE_STUNNEL") && ! have_ssh_env()) {
rfbLog("reverse_connect: in -inetd stunnel/ssh\n");
rfbLog("required under -unixpw\n");
return 0;
}
}
cl = rfbReverseConnection(screen, host, rport); cl = rfbReverseConnection(screen, host, rport);
free(host); free(host);
...@@ -1529,15 +1549,20 @@ void reverse_connect(char *str) { ...@@ -1529,15 +1549,20 @@ void reverse_connect(char *str) {
} }
/* /*
* Routines for monitoring the VNC_CONNECT property for changes. * Routines for monitoring the VNC_CONNECT and X11VNC_REMOTE properties
* The vncconnect(1) will set it on our X display. * for changes. The vncconnect(1) will set it on our X display.
*/ */
void set_vnc_connect_prop(char *str) { void set_vnc_connect_prop(char *str) {
XChangeProperty(dpy, rootwin, vnc_connect_prop, XA_STRING, 8, XChangeProperty(dpy, rootwin, vnc_connect_prop, XA_STRING, 8,
PropModeReplace, (unsigned char *)str, strlen(str)); PropModeReplace, (unsigned char *)str, strlen(str));
} }
void read_vnc_connect_prop(void) { void set_x11vnc_remote_prop(char *str) {
XChangeProperty(dpy, rootwin, x11vnc_remote_prop, XA_STRING, 8,
PropModeReplace, (unsigned char *)str, strlen(str));
}
void read_vnc_connect_prop(int nomsg) {
Atom type; Atom type;
int format, slen, dlen; int format, slen, dlen;
unsigned long nitems = 0, bytes_after = 0; unsigned long nitems = 0, bytes_after = 0;
...@@ -1575,28 +1600,73 @@ void read_vnc_connect_prop(void) { ...@@ -1575,28 +1600,73 @@ void read_vnc_connect_prop(void) {
} while (bytes_after > 0); } while (bytes_after > 0);
vnc_connect_str[VNC_CONNECT_MAX] = '\0'; vnc_connect_str[VNC_CONNECT_MAX] = '\0';
if (! db) { if (! db || nomsg) {
; ;
} else if (strstr(vnc_connect_str, "ans=stop:N/A,ans=quit:N/A,ans=")) { } else {
rfbLog("read VNC_CONNECT: %s\n", vnc_connect_str);
}
}
void read_x11vnc_remote_prop(int nomsg) {
Atom type;
int format, slen, dlen;
unsigned long nitems = 0, bytes_after = 0;
unsigned char* data = NULL;
int db = 1;
x11vnc_remote_str[0] = '\0';
slen = 0;
if (! vnc_connect || x11vnc_remote_prop == None) {
/* not active or problem with X11VNC_REMOTE atom */
return;
}
/* read the property value into x11vnc_remote_str: */
do {
if (XGetWindowProperty(dpy, DefaultRootWindow(dpy),
x11vnc_remote_prop, nitems/4, X11VNC_REMOTE_MAX/16, False,
AnyPropertyType, &type, &format, &nitems, &bytes_after,
&data) == Success) {
dlen = nitems * (format/8);
if (slen + dlen > X11VNC_REMOTE_MAX) {
/* too big */
rfbLog("warning: truncating large X11VNC_REMOTE"
" string > %d bytes.\n", X11VNC_REMOTE_MAX);
XFree(data);
break;
}
memcpy(x11vnc_remote_str+slen, data, dlen);
slen += dlen;
x11vnc_remote_str[slen] = '\0';
XFree(data);
}
} while (bytes_after > 0);
x11vnc_remote_str[X11VNC_REMOTE_MAX] = '\0';
if (! db || nomsg) {
;
} else if (strstr(x11vnc_remote_str, "ans=stop:N/A,ans=quit:N/A,ans=")) {
; ;
} else if (strstr(vnc_connect_str, "qry=stop,quit,exit")) { } else if (strstr(x11vnc_remote_str, "qry=stop,quit,exit")) {
; ;
} else if (strstr(vnc_connect_str, "ack=") == vnc_connect_str) { } else if (strstr(x11vnc_remote_str, "ack=") == x11vnc_remote_str) {
; ;
} else if (quiet && strstr(vnc_connect_str, "qry=ping") == } else if (quiet && strstr(x11vnc_remote_str, "qry=ping") ==
vnc_connect_str) { x11vnc_remote_str) {
; ;
} else if (strstr(vnc_connect_str, "cmd=") && } else if (strstr(x11vnc_remote_str, "cmd=") &&
strstr(vnc_connect_str, "passwd")) { strstr(x11vnc_remote_str, "passwd")) {
rfbLog("read VNC_CONNECT: *\n"); rfbLog("read X11VNC_REMOTE: *\n");
} else if (strlen(vnc_connect_str) > 38) { } else if (strlen(x11vnc_remote_str) > 38) {
char trim[100]; char trim[100];
trim[0] = '\0'; trim[0] = '\0';
strncat(trim, vnc_connect_str, 38); strncat(trim, x11vnc_remote_str, 38);
rfbLog("read VNC_CONNECT: %s ...\n", trim); rfbLog("read X11VNC_REMOTE: %s ...\n", trim);
} else { } else {
rfbLog("read VNC_CONNECT: %s\n", vnc_connect_str); rfbLog("read X11VNC_REMOTE: %s\n", x11vnc_remote_str);
} }
} }
...@@ -1643,6 +1713,13 @@ void check_connect_inputs(void) { ...@@ -1643,6 +1713,13 @@ void check_connect_inputs(void) {
vnc_connect_str[0] = '\0'; vnc_connect_str[0] = '\0';
} }
send_client_connect(); send_client_connect();
/* X11VNC_REMOTE property */
if (vnc_connect && *x11vnc_remote_str != '\0') {
client_connect = strdup(x11vnc_remote_str);
x11vnc_remote_str[0] = '\0';
}
send_client_connect();
} }
void check_gui_inputs(void) { void check_gui_inputs(void) {
...@@ -1650,7 +1727,7 @@ void check_gui_inputs(void) { ...@@ -1650,7 +1727,7 @@ void check_gui_inputs(void) {
int socks[ICON_MODE_SOCKS]; int socks[ICON_MODE_SOCKS];
fd_set fds; fd_set fds;
struct timeval tv; struct timeval tv;
char buf[VNC_CONNECT_MAX+1]; char buf[X11VNC_REMOTE_MAX+1];
ssize_t nbytes; ssize_t nbytes;
if (unixpw_in_progress) return; if (unixpw_in_progress) return;
...@@ -1686,10 +1763,10 @@ void check_gui_inputs(void) { ...@@ -1686,10 +1763,10 @@ void check_gui_inputs(void) {
if (! FD_ISSET(fd, &fds)) { if (! FD_ISSET(fd, &fds)) {
continue; continue;
} }
for (k=0; k<=VNC_CONNECT_MAX; k++) { for (k=0; k<=X11VNC_REMOTE_MAX; k++) {
buf[k] = '\0'; buf[k] = '\0';
} }
nbytes = read(fd, buf, VNC_CONNECT_MAX); nbytes = read(fd, buf, X11VNC_REMOTE_MAX);
if (nbytes <= 0) { if (nbytes <= 0) {
close(fd); close(fd);
icon_mode_socks[socks[i]] = -1; icon_mode_socks[socks[i]] = -1;
...@@ -1726,15 +1803,20 @@ enum rfbNewClientAction new_client(rfbClientPtr client) { ...@@ -1726,15 +1803,20 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
last_event = last_input = time(0); last_event = last_input = time(0);
if (inetd) { if (inetd) {
/* /*
* Set this so we exit as soon as connection closes, * Set this so we exit as soon as connection closes,
* otherwise client_gone is only called after RFB_CLIENT_ACCEPT * otherwise client_gone is only called after RFB_CLIENT_ACCEPT
*/ */
if (inetd_client == NULL) {
inetd_client = client;
client->clientGoneHook = client_gone; client->clientGoneHook = client_gone;
} }
}
clients_served++; clients_served++;
if (0) fprintf(stderr, "new_client: %s %d\n", client->host, clients_served);
if (unixpw && unixpw_in_progress) { if (unixpw && unixpw_in_progress) {
rfbLog("denying additional client: %s during -unixpw login.\n", rfbLog("denying additional client: %s during -unixpw login.\n",
...@@ -1822,6 +1904,11 @@ enum rfbNewClientAction new_client(rfbClientPtr client) { ...@@ -1822,6 +1904,11 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
if (unixpw) { if (unixpw) {
unixpw_in_progress = 1; unixpw_in_progress = 1;
unixpw_client = client; unixpw_client = client;
unixpw_login_viewonly = 0;
if (client->viewOnly) {
unixpw_login_viewonly = 1;
client->viewOnly = FALSE;
}
unixpw_last_try_time = time(0); unixpw_last_try_time = time(0);
unixpw_screen(1); unixpw_screen(1);
unixpw_keystroke(0, 0, 1); unixpw_keystroke(0, 0, 1);
...@@ -1926,6 +2013,7 @@ void send_client_info(char *str) { ...@@ -1926,6 +2013,7 @@ void send_client_info(char *str) {
strcat(pstr, "\n"); strcat(pstr, "\n");
if (icon_mode_fh) { if (icon_mode_fh) {
if (0) fprintf(icon_mode_fh, "\n");
fprintf(icon_mode_fh, "%s", pstr); fprintf(icon_mode_fh, "%s", pstr);
fflush(icon_mode_fh); fflush(icon_mode_fh);
} }
...@@ -1940,6 +2028,7 @@ void send_client_info(char *str) { ...@@ -1940,6 +2028,7 @@ void send_client_info(char *str) {
len = strlen(pstr); len = strlen(pstr);
while (len > 0) { while (len > 0) {
if (0) write(sock, "\n", 1);
n = write(sock, buf, len); n = write(sock, buf, len);
if (n > 0) { if (n > 0) {
buf += n; buf += n;
...@@ -1965,7 +2054,11 @@ void check_new_clients(void) { ...@@ -1965,7 +2054,11 @@ void check_new_clients(void) {
int run_after_accept = 0; int run_after_accept = 0;
if (unixpw_in_progress) { if (unixpw_in_progress) {
if (time(0) > unixpw_last_try_time + 30) { if (unixpw_client && unixpw_client->viewOnly) {
unixpw_login_viewonly = 1;
unixpw_client->viewOnly = FALSE;
}
if (time(0) > unixpw_last_try_time + 25) {
rfbLog("unixpw_deny: timed out waiting for reply.\n"); rfbLog("unixpw_deny: timed out waiting for reply.\n");
unixpw_deny(); unixpw_deny();
} }
...@@ -1992,7 +2085,7 @@ void check_new_clients(void) { ...@@ -1992,7 +2085,7 @@ void check_new_clients(void) {
return; return;
} }
if (! client_count) { if (! client_count) {
send_client_info("none"); send_client_info("clients:none");
return; return;
} }
...@@ -2037,9 +2130,12 @@ void check_new_clients(void) { ...@@ -2037,9 +2130,12 @@ void check_new_clients(void) {
} }
} }
if (send_info) { if (send_info) {
char *str = list_clients(); char *str, *s = list_clients();
str = (char *) malloc(strlen("clients:") + strlen(s) + 1);
sprintf(str, "clients:%s", s);
send_client_info(str); send_client_info(str);
free(str); free(str);
free(s);
} }
} }
......
...@@ -5,6 +5,10 @@ ...@@ -5,6 +5,10 @@
extern char vnc_connect_str[]; extern char vnc_connect_str[];
extern Atom vnc_connect_prop; extern Atom vnc_connect_prop;
extern char x11vnc_remote_str[];
extern Atom x11vnc_remote_prop;
extern rfbClientPtr inetd_client;
extern int all_clients_initialized(void); extern int all_clients_initialized(void);
extern char *list_clients(void); extern char *list_clients(void);
...@@ -15,7 +19,9 @@ extern void set_client_input(char *str); ...@@ -15,7 +19,9 @@ extern void set_client_input(char *str);
extern void set_child_info(void); extern void set_child_info(void);
extern void reverse_connect(char *str); extern void reverse_connect(char *str);
extern void set_vnc_connect_prop(char *str); extern void set_vnc_connect_prop(char *str);
extern void read_vnc_connect_prop(void); extern void read_vnc_connect_prop(int);
extern void set_x11vnc_remote_prop(char *str);
extern void read_x11vnc_remote_prop(int);
extern void check_connect_inputs(void); extern void check_connect_inputs(void);
extern void check_gui_inputs(void); extern void check_gui_inputs(void);
extern enum rfbNewClientAction new_client(rfbClientPtr client); extern enum rfbNewClientAction new_client(rfbClientPtr client);
......
...@@ -22,6 +22,7 @@ int tray_manager_ok = 0; ...@@ -22,6 +22,7 @@ int tray_manager_ok = 0;
Window tray_request = None; Window tray_request = None;
Window tray_window = None; Window tray_window = None;
int tray_unembed = 0; int tray_unembed = 0;
pid_t run_gui_pid = 0;
char *get_gui_code(void); char *get_gui_code(void);
...@@ -183,6 +184,12 @@ static char *icon_mode_embed_id = NULL; ...@@ -183,6 +184,12 @@ static char *icon_mode_embed_id = NULL;
static char *icon_mode_font = NULL; static char *icon_mode_font = NULL;
static char *icon_mode_params = NULL; static char *icon_mode_params = NULL;
static int got_sigusr1 = 0;
static void sigusr1 (int sig) {
got_sigusr1 = 1;
}
static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc, static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc,
int simple_gui, pid_t parent, char *gui_opts) { int simple_gui, pid_t parent, char *gui_opts) {
char *x11vnc_xdisplay = NULL; char *x11vnc_xdisplay = NULL;
...@@ -191,10 +198,11 @@ static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc, ...@@ -191,10 +198,11 @@ static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc,
char cmd[100]; char cmd[100];
char *wish = NULL, *orig_path, *full_path, *tpath, *p; char *wish = NULL, *orig_path, *full_path, *tpath, *p;
char *old_xauth = NULL; char *old_xauth = NULL;
int try_max = 4, sleep = 300; int try_max = 4, sleep = 300, totms;
pid_t mypid = getpid(); pid_t mypid = getpid();
FILE *pipe, *tmpf; FILE *pipe, *tmpf;
if (0) fprintf(stderr, "run_gui: %s -- %d %d\n", gui_xdisplay, connect_to_x11vnc, (int) parent);
if (*gui_code == '\0') { if (*gui_code == '\0') {
rfbLog("gui: gui not compiled into this program.\n"); rfbLog("gui: gui not compiled into this program.\n");
exit(0); exit(0);
...@@ -234,15 +242,34 @@ static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc, ...@@ -234,15 +242,34 @@ static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc,
scr = DefaultScreen(dpy); scr = DefaultScreen(dpy);
rootwin = RootWindow(dpy, scr); rootwin = RootWindow(dpy, scr);
initialize_vnc_connect_prop(); initialize_vnc_connect_prop();
initialize_x11vnc_remote_prop();
} }
usleep(2200*1000);
signal(SIGUSR1, sigusr1);
got_sigusr1 = 0;
totms = 0;
while (totms < 3500) {
usleep(50*1000);
totms += 50;
if (got_sigusr1) {
fprintf(stderr, "\n"); fprintf(stderr, "\n");
if (!quiet) { if (! quiet) rfbLog("gui: got SIGUSR1\n");
break;
}
if (! start_x11vnc && totms >= 150) {
break;
}
}
signal(SIGUSR1, SIG_DFL);
if (! got_sigusr1) fprintf(stderr, "\n");
if (!quiet && ! got_sigusr1) {
rfbLog("gui: trying to contact a x11vnc server at X" rfbLog("gui: trying to contact a x11vnc server at X"
" display %s ...\n", NONUL(x11vnc_xdisplay)); " display %s ...\n", NONUL(x11vnc_xdisplay));
} }
for (i=0; i<try_max; i++) { for (i=0; i<try_max; i++) {
usleep(sleep*1000); if (! got_sigusr1) {
if (!quiet) { if (!quiet) {
rfbLog("gui: pinging %s try=%d ...\n", rfbLog("gui: pinging %s try=%d ...\n",
NONUL(x11vnc_xdisplay), i+1); NONUL(x11vnc_xdisplay), i+1);
...@@ -251,12 +278,17 @@ static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc, ...@@ -251,12 +278,17 @@ static void run_gui(char *gui_xdisplay, int connect_to_x11vnc, int start_x11vnc,
if (rc == 0) { if (rc == 0) {
break; break;
} }
} else {
rc = 0;
break;
}
if (parent && mypid != parent && kill(parent, 0) != 0) { if (parent && mypid != parent && kill(parent, 0) != 0) {
rfbLog("gui: parent process %d has gone" rfbLog("gui: parent process %d has gone"
" away: bailing out.\n", parent); " away: bailing out.\n", parent);
rc = 1; rc = 1;
break; break;
} }
usleep(sleep*1000);
} }
set_env("X11VNC_XDISPLAY", x11vnc_xdisplay); set_env("X11VNC_XDISPLAY", x11vnc_xdisplay);
if (getenv("XAUTHORITY") != NULL) { if (getenv("XAUTHORITY") != NULL) {
...@@ -619,6 +651,9 @@ void do_gui(char *opts, int sleep) { ...@@ -619,6 +651,9 @@ void do_gui(char *opts, int sleep) {
simple_gui, parent, opts); simple_gui, parent, opts);
exit(1); exit(1);
} }
if (connect_to_x11vnc) {
run_gui_pid = p;
}
#else #else
fprintf(stderr, "system does not support fork: start " fprintf(stderr, "system does not support fork: start "
"x11vnc in the gui.\n"); "x11vnc in the gui.\n");
......
...@@ -11,6 +11,7 @@ extern int tray_manager_ok; ...@@ -11,6 +11,7 @@ extern int tray_manager_ok;
extern Window tray_request; extern Window tray_request;
extern Window tray_window; extern Window tray_window;
extern int tray_unembed; extern int tray_unembed;
extern pid_t run_gui_pid;
extern char *get_gui_code(void); extern char *get_gui_code(void);
extern int tray_embed(Window iconwin, int remove); extern int tray_embed(Window iconwin, int remove);
......
...@@ -315,8 +315,9 @@ void print_help(int mode) { ...@@ -315,8 +315,9 @@ void print_help(int mode) {
"-novncconnect VNC program vncconnect(1). When the property is\n" "-novncconnect VNC program vncconnect(1). When the property is\n"
" set to \"host\" or \"host:port\" establish a reverse\n" " set to \"host\" or \"host:port\" establish a reverse\n"
" connection. Using xprop(1) instead of vncconnect may\n" " connection. Using xprop(1) instead of vncconnect may\n"
" work (see the FAQ). The -remote control mechanism also\n" " work (see the FAQ). The -remote control mechanism uses\n"
" uses this VNC_CONNECT channel. Default: %s\n" " X11VNC_REMOTE channel, and this option disables/enables\n"
" it as well. Default: %s\n"
"\n" "\n"
"-allow host1[,host2..] Only allow client connections from hosts matching\n" "-allow host1[,host2..] Only allow client connections from hosts matching\n"
" the comma separated list of hostnames or IP addresses.\n" " the comma separated list of hostnames or IP addresses.\n"
...@@ -431,8 +432,8 @@ void print_help(int mode) { ...@@ -431,8 +432,8 @@ void print_help(int mode) {
" x11vnc as root with the \"-users +nobody\" option to\n" " x11vnc as root with the \"-users +nobody\" option to\n"
" immediately switch to user nobody. Another source of\n" " immediately switch to user nobody. Another source of\n"
" problems are PAM modules that prompt for extra info,\n" " problems are PAM modules that prompt for extra info,\n"
" e.g. password aging modules. These logins will always\n" " e.g. password aging modules. These logins will fail\n"
" fail as well.\n" " as well even when the correct password is supplied.\n"
"\n" "\n"
" *IMPORTANT*: to prevent the Unix password being sent in\n" " *IMPORTANT*: to prevent the Unix password being sent in\n"
" *clear text* over the network, two x11vnc options are\n" " *clear text* over the network, two x11vnc options are\n"
...@@ -459,17 +460,28 @@ void print_help(int mode) { ...@@ -459,17 +460,28 @@ void print_help(int mode) {
" is set and appears reasonable. If it does, then the\n" " is set and appears reasonable. If it does, then the\n"
" stunnel requirement is dropped since it is assumed\n" " stunnel requirement is dropped since it is assumed\n"
" you are using ssh for the encrypted tunnelling.\n" " you are using ssh for the encrypted tunnelling.\n"
" Use -stunnel to force stunnel usage.\n" " Use -stunnel to force stunnel usage for this case.\n"
"\n" "\n"
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement. One should never do this (i.e. allow the\n" " requirement. One should never do this (i.e. allow the\n"
" Unix passwords to be sniffed on the network).\n" " Unix passwords to be sniffed on the network).\n"
"\n" "\n"
" NOTE: in -inetd mode the two settings are not enforced\n" " Regarding reverse connections (e.g. -R connect:host),\n"
" since x11vnc does not make network connections in\n" " the -localhost constraint is in effect and the reverse\n"
" that case. Be sure to use encryption from the viewer\n" " connections can only be used to connect to the same\n"
" to inetd. One can also have your own stunnel spawn\n" " machine x11vnc is running on (default port 5500).\n"
" x11vnc in -inetd mode. See the FAQ.\n" " Please use a ssh or stunnel port redirection to the\n"
" viewer machine to tunnel the reverse connection over\n"
" an encrypted channel. Note that Unix username and\n"
" password *will* be prompted for (unlike VNC passwords\n"
" that are skipped for reverse connections).\n"
"\n"
" NOTE: in -inetd mode the two settings are attempted\n"
" to be enforced for reverse connections. Be sure to\n"
" use encryption from the viewer to inetd since x11vnc\n"
" cannot guess easily if it is encrpyted. Note: you can\n"
" also have your own stunnel spawn x11vnc in -inetd mode\n"
" (i.e. bypassing inetd). See the FAQ.\n"
"\n" "\n"
" The user names in the comma separated [list] can have\n" " The user names in the comma separated [list] can have\n"
" per-user options after a \":\", e.g. \"fred:opts\"\n" " per-user options after a \":\", e.g. \"fred:opts\"\n"
...@@ -484,16 +496,21 @@ void print_help(int mode) { ...@@ -484,16 +496,21 @@ void print_help(int mode) {
" Use \"deny\" to explicitly deny some users if you use\n" " Use \"deny\" to explicitly deny some users if you use\n"
" \"*\" to set a global option.\n" " \"*\" to set a global option.\n"
"\n" "\n"
"-unixpw_nis [list] As -unixpw above, however do not run su(1) but rather\n" " There are also some tools for testing password if [list]\n"
" use the traditional getpwnam() + crypt() method instead.\n" " starts with the \"%\" character. See the quick_pw()\n"
" This requires that the encrpyted passwords be readable.\n" " function for details.\n"
" Passwords stored in /etc/shadow will be inaccessible\n" "\n"
" unless run as root. This is called \"NIS\" mode\n" "-unixpw_nis [list] As -unixpw above, however do not use su(1) but rather\n"
" simply because in most NIS setups the user encrypted\n" " use the traditional getpwnam(3) + crypt(3) method\n"
" passwords are accessible (e.g. \"ypcat passwd\").\n" " instead. This requires that the encrpyted passwords\n"
" NIS is not required for this mode to work, but it\n" " be readable. Passwords stored in /etc/shadow will\n"
" is unlikely it will work for any other environment.\n" " be inaccessible unless run as root. This is called\n"
" All of the -unixpw options and contraints apply.\n" " \"NIS\" mode simply because in most NIS setups the\n"
" user encrypted passwords are accessible (e.g. \"ypcat\n"
" passwd\"). NIS is not required for this mode to\n"
" work, but it is unlikely it will work for any other\n"
" environment. All of the -unixpw options and contraints\n"
" apply.\n"
"\n" "\n"
"-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n" "-stunnel [pem] Use the stunnel(1) (www.stunnel.org) to provide\n"
" an encrypted SSL tunnel between viewers and x11vnc.\n" " an encrypted SSL tunnel between viewers and x11vnc.\n"
...@@ -1767,7 +1784,7 @@ void print_help(int mode) { ...@@ -1767,7 +1784,7 @@ void print_help(int mode) {
" -remote command.\n" " -remote command.\n"
"\n" "\n"
" The default communication channel is that of X\n" " The default communication channel is that of X\n"
" properties (specifically VNC_CONNECT), and so this\n" " properties (specifically X11VNC_REMOTE), and so this\n"
" command must be run with correct settings for DISPLAY\n" " command must be run with correct settings for DISPLAY\n"
" and possibly XAUTHORITY to connect to the X server\n" " and possibly XAUTHORITY to connect to the X server\n"
" and set the property. Alternatively, use the -display\n" " and set the property. Alternatively, use the -display\n"
...@@ -2056,9 +2073,9 @@ void print_help(int mode) { ...@@ -2056,9 +2073,9 @@ void print_help(int mode) {
" it comes back with prefix \"aro=\" instead of \"ans=\".\n" " it comes back with prefix \"aro=\" instead of \"ans=\".\n"
"\n" "\n"
" Some -remote commands are pure actions that do not make\n" " Some -remote commands are pure actions that do not make\n"
" sense as variables, e.g. \"stop\" or \"disconnect\",\n" " sense as variables, e.g. \"stop\" or \"disconnect\", in\n"
" in these cases the value returned is \"N/A\". To direct\n" " these cases the value returned is \"N/A\". To direct a\n"
" a query straight to the VNC_CONNECT property or connect\n" " query straight to the X11VNC_REMOTE property or connect\n"
" file use \"qry=...\" instead of \"cmd=...\"\n" " file use \"qry=...\" instead of \"cmd=...\"\n"
"\n" "\n"
" Here is the current list of \"variables\" that can\n" " Here is the current list of \"variables\" that can\n"
...@@ -2157,9 +2174,9 @@ void print_help(int mode) { ...@@ -2157,9 +2174,9 @@ void print_help(int mode) {
"\n" "\n"
" A note about security wrt remote control commands.\n" " A note about security wrt remote control commands.\n"
" If someone can connect to the X display and change\n" " If someone can connect to the X display and change\n"
" the property VNC_CONNECT, then they can remotely\n" " the property X11VNC_REMOTE, then they can remotely\n"
" control x11vnc. Normally access to the X display is\n" " control x11vnc. Normally access to the X display is\n"
" protected. Note that if they can modify VNC_CONNECT\n" " protected. Note that if they can modify X11VNC_REMOTE\n"
" on the X server, they have enough permissions to also\n" " on the X server, they have enough permissions to also\n"
" run their own x11vnc and thus have complete control\n" " run their own x11vnc and thus have complete control\n"
" of the desktop. If the \"-connect /path/to/file\"\n" " of the desktop. If the \"-connect /path/to/file\"\n"
...@@ -2169,9 +2186,9 @@ void print_help(int mode) { ...@@ -2169,9 +2186,9 @@ void print_help(int mode) {
" permissions. See -privremote below.\n" " permissions. See -privremote below.\n"
"\n" "\n"
" If you are paranoid and do not think -noremote is\n" " If you are paranoid and do not think -noremote is\n"
" enough, to disable the VNC_CONNECT property channel\n" " enough, to disable the X11VNC_REMOTE property channel\n"
" completely use -novncconnect, or use the -safer\n" " completely use -novncconnect, or use the -safer option\n"
" option that shuts many things off.\n" " that shuts many things off.\n"
"\n" "\n"
"-unsafe A few remote commands are disabled by default\n" "-unsafe A few remote commands are disabled by default\n"
" (currently: id:pick, accept:<cmd>, gone:<cmd>, and\n" " (currently: id:pick, accept:<cmd>, gone:<cmd>, and\n"
......
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
#define FB_REQ 0x4 #define FB_REQ 0x4
#define VNC_CONNECT_MAX 16384 #define VNC_CONNECT_MAX 16384
#define X11VNC_REMOTE_MAX 16384
#define PROP_MAX (131072L) #define PROP_MAX (131072L)
#define MAXN 256 #define MAXN 256
......
...@@ -55,11 +55,11 @@ int send_remote_cmd(char *cmd, int query, int wait) { ...@@ -55,11 +55,11 @@ int send_remote_cmd(char *cmd, int query, int wait) {
perror("fopen"); perror("fopen");
return 1; return 1;
} }
} else if (vnc_connect_prop == None) { } else if (x11vnc_remote_prop == None) {
initialize_vnc_connect_prop(); initialize_x11vnc_remote_prop();
if (vnc_connect_prop == None) { if (x11vnc_remote_prop == None) {
fprintf(stderr, "send_remote_cmd: could not obtain " fprintf(stderr, "send_remote_cmd: could not obtain "
"VNC_CONNECT X property\n"); "X11VNC_REMOTE X property\n");
return 1; return 1;
} }
} }
...@@ -71,13 +71,13 @@ int send_remote_cmd(char *cmd, int query, int wait) { ...@@ -71,13 +71,13 @@ int send_remote_cmd(char *cmd, int query, int wait) {
fclose(in); fclose(in);
} else { } else {
fprintf(stderr, ">>> sending remote command: \"%s\" via" fprintf(stderr, ">>> sending remote command: \"%s\" via"
" VNC_CONNECT X property.\n", cmd); " X11VNC_REMOTE X property.\n", cmd);
set_vnc_connect_prop(cmd); set_x11vnc_remote_prop(cmd);
XFlush(dpy); XFlush(dpy);
} }
if (query || wait) { if (query || wait) {
char line[VNC_CONNECT_MAX]; char line[X11VNC_REMOTE_MAX];
int rc=1, i=0, max=70, ms_sl=50; int rc=1, i=0, max=70, ms_sl=50;
if (!strcmp(cmd, "cmd=stop")) { if (!strcmp(cmd, "cmd=stop")) {
...@@ -95,7 +95,7 @@ int send_remote_cmd(char *cmd, int query, int wait) { ...@@ -95,7 +95,7 @@ int send_remote_cmd(char *cmd, int query, int wait) {
perror("fopen"); perror("fopen");
return 1; return 1;
} }
fgets(line, VNC_CONNECT_MAX, in); fgets(line, X11VNC_REMOTE_MAX, in);
fclose(in); fclose(in);
q = line; q = line;
while (*q != '\0') { while (*q != '\0') {
...@@ -103,8 +103,9 @@ int send_remote_cmd(char *cmd, int query, int wait) { ...@@ -103,8 +103,9 @@ int send_remote_cmd(char *cmd, int query, int wait) {
q++; q++;
} }
} else { } else {
read_vnc_connect_prop(); read_x11vnc_remote_prop(1);
strncpy(line, vnc_connect_str, VNC_CONNECT_MAX); strncpy(line, x11vnc_remote_str,
X11VNC_REMOTE_MAX);
} }
if (strcmp(cmd, line)){ if (strcmp(cmd, line)){
if (query) { if (query) {
...@@ -581,8 +582,8 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -581,8 +582,8 @@ char *process_remote_cmd(char *cmd, int stringonly) {
#if REMOTE_CONTROL #if REMOTE_CONTROL
char *p = cmd; char *p = cmd;
char *co = ""; char *co = "";
char buf[VNC_CONNECT_MAX]; char buf[X11VNC_REMOTE_MAX];
int bufn = VNC_CONNECT_MAX; int bufn = X11VNC_REMOTE_MAX;
int query = 0; int query = 0;
static char *prev_cursors_mode = NULL; static char *prev_cursors_mode = NULL;
...@@ -617,7 +618,7 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -617,7 +618,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
strncat(tmp, q, 500); strncat(tmp, q, 500);
res = process_remote_cmd(tmp, 1); res = process_remote_cmd(tmp, 1);
if (res && strlen(buf)+strlen(res) if (res && strlen(buf)+strlen(res)
>= VNC_CONNECT_MAX - 1) { >= X11VNC_REMOTE_MAX - 1) {
rfbLog("overflow in process_remote_cmd:" rfbLog("overflow in process_remote_cmd:"
" %s -- %s\n", buf, res); " %s -- %s\n", buf, res);
free(res); free(res);
...@@ -3848,7 +3849,7 @@ char *process_remote_cmd(char *cmd, int stringonly) { ...@@ -3848,7 +3849,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
} }
} else { } else {
if (dpy) { /* raw_fb hack */ if (dpy) { /* raw_fb hack */
set_vnc_connect_prop(buf); set_x11vnc_remote_prop(buf);
XFlush(dpy); XFlush(dpy);
} }
} }
......
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#endif #endif
void check_stunnel(void);
int start_stunnel(int stunnel_port, int x11vnc_port); int start_stunnel(int stunnel_port, int x11vnc_port);
void stop_stunnel(void); void stop_stunnel(void);
void setup_stunnel(int rport, int *argc, char **argv); void setup_stunnel(int rport, int *argc, char **argv);
......
This diff is collapsed.
This diff is collapsed.
...@@ -54,6 +54,7 @@ static void set_db(void); ...@@ -54,6 +54,7 @@ static void set_db(void);
static void unixpw_verify(char *user, char *pass); static void unixpw_verify(char *user, char *pass);
int unixpw_in_progress = 0; int unixpw_in_progress = 0;
int unixpw_login_viewonly = 0;
time_t unixpw_last_try_time = 0; time_t unixpw_last_try_time = 0;
rfbClientPtr unixpw_client = NULL; rfbClientPtr unixpw_client = NULL;
...@@ -975,6 +976,9 @@ static void apply_opts (char *user) { ...@@ -975,6 +976,9 @@ static void apply_opts (char *user) {
void unixpw_accept(char *user) { void unixpw_accept(char *user) {
apply_opts(user); apply_opts(user);
if (unixpw_login_viewonly) {
unixpw_client->viewOnly = TRUE;
}
unixpw_in_progress = 0; unixpw_in_progress = 0;
unixpw_client = NULL; unixpw_client = NULL;
mark_rect_as_modified(0, 0, dpy_x, dpy_y, 0); mark_rect_as_modified(0, 0, dpy_x, dpy_y, 0);
......
...@@ -11,6 +11,7 @@ extern int su_verify(char *user, char *pass); ...@@ -11,6 +11,7 @@ extern int su_verify(char *user, char *pass);
extern int crypt_verify(char *user, char *pass); extern int crypt_verify(char *user, char *pass);
extern int unixpw_in_progress; extern int unixpw_in_progress;
extern int unixpw_login_viewonly;
extern time_t unixpw_last_try_time; extern time_t unixpw_last_try_time;
extern rfbClientPtr unixpw_client; extern rfbClientPtr unixpw_client;
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
.TH X11VNC "1" "March 2006" "x11vnc " "User Commands" .TH X11VNC "1" "March 2006" "x11vnc " "User Commands"
.SH NAME .SH NAME
x11vnc - allow VNC connections to real X11 displays x11vnc - allow VNC connections to real X11 displays
version: 0.8.1, lastmod: 2006-03-04 version: 0.8.1, lastmod: 2006-03-06
.SH SYNOPSIS .SH SYNOPSIS
.B x11vnc .B x11vnc
[OPTION]... [OPTION]...
...@@ -391,8 +391,9 @@ set to "host" or "host:port" establish a reverse ...@@ -391,8 +391,9 @@ set to "host" or "host:port" establish a reverse
connection. Using connection. Using
.IR xprop (1) .IR xprop (1)
instead of vncconnect may instead of vncconnect may
work (see the FAQ). The \fB-remote\fR control mechanism also work (see the FAQ). The \fB-remote\fR control mechanism uses
uses this VNC_CONNECT channel. Default: \fB-vncconnect\fR X11VNC_REMOTE channel, and this option disables/enables
it as well. Default: \fB-vncconnect\fR
.PP .PP
\fB-allow\fR \fIhost1[,host2..]\fR \fB-allow\fR \fIhost1[,host2..]\fR
.IP .IP
...@@ -530,8 +531,8 @@ this case. A possible workaround would be to start ...@@ -530,8 +531,8 @@ this case. A possible workaround would be to start
x11vnc as root with the "\fB-users\fR \fI+nobody\fR" option to x11vnc as root with the "\fB-users\fR \fI+nobody\fR" option to
immediately switch to user nobody. Another source of immediately switch to user nobody. Another source of
problems are PAM modules that prompt for extra info, problems are PAM modules that prompt for extra info,
e.g. password aging modules. These logins will always e.g. password aging modules. These logins will fail
fail as well. as well even when the correct password is supplied.
.IP .IP
*IMPORTANT*: to prevent the Unix password being sent in *IMPORTANT*: to prevent the Unix password being sent in
*clear text* over the network, two x11vnc options are *clear text* over the network, two x11vnc options are
...@@ -564,17 +565,28 @@ will check if the environment variable SSH_CONNECTION ...@@ -564,17 +565,28 @@ will check if the environment variable SSH_CONNECTION
is set and appears reasonable. If it does, then the is set and appears reasonable. If it does, then the
stunnel requirement is dropped since it is assumed stunnel requirement is dropped since it is assumed
you are using ssh for the encrypted tunnelling. you are using ssh for the encrypted tunnelling.
Use \fB-stunnel\fR to force stunnel usage. Use \fB-stunnel\fR to force stunnel usage for this case.
.IP .IP
Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
requirement. One should never do this (i.e. allow the requirement. One should never do this (i.e. allow the
Unix passwords to be sniffed on the network). Unix passwords to be sniffed on the network).
.IP .IP
NOTE: in \fB-inetd\fR mode the two settings are not enforced Regarding reverse connections (e.g. \fB-R\fR connect:host),
since x11vnc does not make network connections in the \fB-localhost\fR constraint is in effect and the reverse
that case. Be sure to use encryption from the viewer connections can only be used to connect to the same
to inetd. One can also have your own stunnel spawn machine x11vnc is running on (default port 5500).
x11vnc in \fB-inetd\fR mode. See the FAQ. Please use a ssh or stunnel port redirection to the
viewer machine to tunnel the reverse connection over
an encrypted channel. Note that Unix username and
password *will* be prompted for (unlike VNC passwords
that are skipped for reverse connections).
.IP
NOTE: in \fB-inetd\fR mode the two settings are attempted
to be enforced for reverse connections. Be sure to
use encryption from the viewer to inetd since x11vnc
cannot guess easily if it is encrpyted. Note: you can
also have your own stunnel spawn x11vnc in \fB-inetd\fR mode
(i.e. bypassing inetd). See the FAQ.
.IP .IP
The user names in the comma separated [list] can have The user names in the comma separated [list] can have
per-user options after a ":", e.g. "fred:opts" per-user options after a ":", e.g. "fred:opts"
...@@ -588,21 +600,30 @@ options apply to all users. It also means all users ...@@ -588,21 +600,30 @@ options apply to all users. It also means all users
are allowed to log in after supplying a valid password. are allowed to log in after supplying a valid password.
Use "deny" to explicitly deny some users if you use Use "deny" to explicitly deny some users if you use
"*" to set a global option. "*" to set a global option.
.IP
There are also some tools for testing password if [list]
starts with the "%" character. See the quick_pw()
function for details.
.PP .PP
\fB-unixpw_nis\fR \fI[list]\fR \fB-unixpw_nis\fR \fI[list]\fR
.IP .IP
As \fB-unixpw\fR above, however do not run As \fB-unixpw\fR above, however do not use
.IR su (1) .IR su (1)
but rather but rather
use the traditional getpwnam() + crypt() method instead. use the traditional
This requires that the encrpyted passwords be readable. .IR getpwnam (3)
Passwords stored in /etc/shadow will be inaccessible +
unless run as root. This is called "NIS" mode .IR crypt (3)
simply because in most NIS setups the user encrypted method
passwords are accessible (e.g. "ypcat passwd"). instead. This requires that the encrpyted passwords
NIS is not required for this mode to work, but it be readable. Passwords stored in /etc/shadow will
is unlikely it will work for any other environment. be inaccessible unless run as root. This is called
All of the \fB-unixpw\fR options and contraints apply. "NIS" mode simply because in most NIS setups the
user encrypted passwords are accessible (e.g. "ypcat
passwd"). NIS is not required for this mode to
work, but it is unlikely it will work for any other
environment. All of the \fB-unixpw\fR options and contraints
apply.
.PP .PP
\fB-stunnel\fR \fI[pem]\fR \fB-stunnel\fR \fI[pem]\fR
.IP .IP
...@@ -2163,7 +2184,7 @@ command exits. You can often use the \fB-query\fR command ...@@ -2163,7 +2184,7 @@ command exits. You can often use the \fB-query\fR command
\fB-remote\fR command. \fB-remote\fR command.
.IP .IP
The default communication channel is that of X The default communication channel is that of X
properties (specifically VNC_CONNECT), and so this properties (specifically X11VNC_REMOTE), and so this
command must be run with correct settings for DISPLAY command must be run with correct settings for DISPLAY
and possibly XAUTHORITY to connect to the X server and possibly XAUTHORITY to connect to the X server
and set the property. Alternatively, use the \fB-display\fR and set the property. Alternatively, use the \fB-display\fR
...@@ -2655,9 +2676,9 @@ to the standard output. If a variable is read-only, ...@@ -2655,9 +2676,9 @@ to the standard output. If a variable is read-only,
it comes back with prefix "aro=" instead of "ans=". it comes back with prefix "aro=" instead of "ans=".
.IP .IP
Some \fB-remote\fR commands are pure actions that do not make Some \fB-remote\fR commands are pure actions that do not make
sense as variables, e.g. "stop" or "disconnect", sense as variables, e.g. "stop" or "disconnect", in
in these cases the value returned is "N/A". To direct these cases the value returned is "N/A". To direct a
a query straight to the VNC_CONNECT property or connect query straight to the X11VNC_REMOTE property or connect
file use "qry=..." instead of "cmd=..." file use "qry=..." instead of "cmd=..."
.IP .IP
Here is the current list of "variables" that can Here is the current list of "variables" that can
...@@ -2762,9 +2783,9 @@ Default: \fB-yesremote\fR ...@@ -2762,9 +2783,9 @@ Default: \fB-yesremote\fR
.IP .IP
A note about security wrt remote control commands. A note about security wrt remote control commands.
If someone can connect to the X display and change If someone can connect to the X display and change
the property VNC_CONNECT, then they can remotely the property X11VNC_REMOTE, then they can remotely
control x11vnc. Normally access to the X display is control x11vnc. Normally access to the X display is
protected. Note that if they can modify VNC_CONNECT protected. Note that if they can modify X11VNC_REMOTE
on the X server, they have enough permissions to also on the X server, they have enough permissions to also
run their own x11vnc and thus have complete control run their own x11vnc and thus have complete control
of the desktop. If the "\fB-connect\fR \fI/path/to/file\fR" of the desktop. If the "\fB-connect\fR \fI/path/to/file\fR"
...@@ -2774,9 +2795,9 @@ sure to protect the X display and that file's write ...@@ -2774,9 +2795,9 @@ sure to protect the X display and that file's write
permissions. See \fB-privremote\fR below. permissions. See \fB-privremote\fR below.
.IP .IP
If you are paranoid and do not think \fB-noremote\fR is If you are paranoid and do not think \fB-noremote\fR is
enough, to disable the VNC_CONNECT property channel enough, to disable the X11VNC_REMOTE property channel
completely use \fB-novncconnect,\fR or use the \fB-safer\fR completely use \fB-novncconnect,\fR or use the \fB-safer\fR option
option that shuts many things off. that shuts many things off.
.PP .PP
\fB-unsafe\fR \fB-unsafe\fR
.IP .IP
......
...@@ -139,6 +139,7 @@ ...@@ -139,6 +139,7 @@
#include "rates.h" #include "rates.h"
#include "unixpw.h" #include "unixpw.h"
#include "inet.h" #include "inet.h"
#include "sslcmds.h"
/* /*
* main routine for the x11vnc program * main routine for the x11vnc program
...@@ -920,6 +921,8 @@ static void quick_pw(char *str) { ...@@ -920,6 +921,8 @@ static void quick_pw(char *str) {
* *
* starting "%/" or "%." means read the first line from that file. * starting "%/" or "%." means read the first line from that file.
* *
* "%%" or "%" means prompt user.
*
* otherwise: %user:pass * otherwise: %user:pass
*/ */
if (!strcmp(str, "%-") || !strcmp(str, "%stdin")) { if (!strcmp(str, "%-") || !strcmp(str, "%stdin")) {
...@@ -932,6 +935,31 @@ static void quick_pw(char *str) { ...@@ -932,6 +935,31 @@ static void quick_pw(char *str) {
exit(1); exit(1);
} }
q = strdup(getenv("UNIXPW")); q = strdup(getenv("UNIXPW"));
} else if (!strcmp(str, "%%") || !strcmp(str, "%")) {
char *t, inp[1024];
fprintf(stdout, "username: ");
if(fgets(tmp, 128, stdin) == NULL) {
exit(1);
}
strcpy(inp, tmp);
t = strchr(inp, '\n');
if (t) {
*t = ':';
} else {
strcat(inp, ":");
}
fprintf(stdout, "password: ");
system("stty -echo");
if(fgets(tmp, 128, stdin) == NULL) {
fprintf(stdout, "\n");
system("stty echo");
exit(1);
}
system("stty echo");
fprintf(stdout, "\n");
strcat(inp, tmp);
q = strdup(inp);
} else if (str[1] == '/' || str[1] == '.') { } else if (str[1] == '/' || str[1] == '.') {
FILE *in = fopen(str+1, "r"); FILE *in = fopen(str+1, "r");
if (in == NULL) { if (in == NULL) {
...@@ -1235,6 +1263,10 @@ static void check_loop_mode(int argc, char* argv[]) { ...@@ -1235,6 +1263,10 @@ static void check_loop_mode(int argc, char* argv[]) {
} }
} }
#define SHOW_NO_PASSWORD_WARNING \
(!got_passwd && !got_rfbauth && (!got_passwdfile || !passwd_list) \
&& !query_cmd && !remote_cmd && !unixpw && !got_gui_pw)
int main(int argc, char* argv[]) { int main(int argc, char* argv[]) {
int i, len, tmpi; int i, len, tmpi;
...@@ -1244,6 +1276,7 @@ int main(int argc, char* argv[]) { ...@@ -1244,6 +1276,7 @@ int main(int argc, char* argv[]) {
char *remote_cmd = NULL; char *remote_cmd = NULL;
char *query_cmd = NULL; char *query_cmd = NULL;
char *gui_str = NULL; char *gui_str = NULL;
int got_gui_pw = 0;
int pw_loc = -1, got_passwd = 0, got_rfbauth = 0, nopw = NOPW; int pw_loc = -1, got_passwd = 0, got_rfbauth = 0, nopw = NOPW;
int got_viewpasswd = 0, got_localhost = 0, got_passwdfile = 0; int got_viewpasswd = 0, got_localhost = 0, got_passwdfile = 0;
int got_stunnel = 0; int got_stunnel = 0;
...@@ -1448,7 +1481,7 @@ int main(int argc, char* argv[]) { ...@@ -1448,7 +1481,7 @@ int main(int argc, char* argv[]) {
unixpw_nis = 1; unixpw_nis = 1;
} }
if (i < argc-1) { if (i < argc-1) {
char *p, *q, *s = argv[i+1]; char *s = argv[i+1];
if (s[0] != '-') { if (s[0] != '-') {
unixpw_list = strdup(s); unixpw_list = strdup(s);
i++; i++;
...@@ -1875,6 +1908,9 @@ int main(int argc, char* argv[]) { ...@@ -1875,6 +1908,9 @@ int main(int argc, char* argv[]) {
char *s = argv[i+1]; char *s = argv[i+1];
if (*s != '-') { if (*s != '-') {
gui_str = strdup(s); gui_str = strdup(s);
if (strstr(gui_str, "setp")) {
got_gui_pw = 1;
}
i++; i++;
} }
} }
...@@ -2005,8 +2041,8 @@ int main(int argc, char* argv[]) { ...@@ -2005,8 +2041,8 @@ int main(int argc, char* argv[]) {
} }
if (launch_gui) { if (launch_gui) {
int sleep = 0; int sleep = 0;
if (!got_passwd && !got_rfbauth && !got_passwdfile && !nopw) { if (SHOW_NO_PASSWORD_WARNING && !nopw) {
sleep = 3; sleep = 2;
} }
do_gui(gui_str, sleep); do_gui(gui_str, sleep);
} }
...@@ -2132,8 +2168,7 @@ int main(int argc, char* argv[]) { ...@@ -2132,8 +2168,7 @@ int main(int argc, char* argv[]) {
exit(1); exit(1);
} }
if (!got_passwd && !got_rfbauth && (!got_passwdfile || !passwd_list) if (SHOW_NO_PASSWORD_WARNING) {
&& !query_cmd && !remote_cmd && !unixpw) {
char message[] = "-rfbauth, -passwdfile, -passwd password, " char message[] = "-rfbauth, -passwdfile, -passwd password, "
"or -unixpw required."; "or -unixpw required.";
if (! nopw) { if (! nopw) {
...@@ -2834,8 +2869,7 @@ int main(int argc, char* argv[]) { ...@@ -2834,8 +2869,7 @@ int main(int argc, char* argv[]) {
} }
if (! quiet) { if (! quiet) {
rfbLog("screen setup finished.\n"); rfbLog("screen setup finished.\n");
if (!got_passwd && !got_rfbauth && !got_passwdfile && !unixpw if (SHOW_NO_PASSWORD_WARNING && !nopw) {
&& !nopw) {
rfbLog("\n"); rfbLog("\n");
rfbLog("WARNING: You are running x11vnc WITHOUT" rfbLog("WARNING: You are running x11vnc WITHOUT"
" a password. See\n"); " a password. See\n");
......
...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0; ...@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
int xdamage_base_event_type = 0; int xdamage_base_event_type = 0;
/* date +'lastmod: %Y-%m-%d' */ /* date +'lastmod: %Y-%m-%d' */
char lastmod[] = "0.8.1 lastmod: 2006-03-04"; char lastmod[] = "0.8.1 lastmod: 2006-03-06";
/* X display info */ /* X display info */
......
...@@ -18,6 +18,7 @@ int grab_buster = 0; ...@@ -18,6 +18,7 @@ int grab_buster = 0;
int sync_tod_delay = 3; int sync_tod_delay = 3;
void initialize_vnc_connect_prop(void); void initialize_vnc_connect_prop(void);
void initialize_x11vnc_remote_prop(void);
void spawn_grab_buster(void); void spawn_grab_buster(void);
void sync_tod_with_servertime(void); void sync_tod_with_servertime(void);
void check_keycode_state(void); void check_keycode_state(void);
...@@ -39,10 +40,16 @@ void initialize_vnc_connect_prop(void) { ...@@ -39,10 +40,16 @@ void initialize_vnc_connect_prop(void) {
vnc_connect_prop = XInternAtom(dpy, "VNC_CONNECT", False); vnc_connect_prop = XInternAtom(dpy, "VNC_CONNECT", False);
} }
void initialize_x11vnc_remote_prop(void) {
x11vnc_remote_str[0] = '\0';
x11vnc_remote_prop = XInternAtom(dpy, "X11VNC_REMOTE", False);
}
static void initialize_xevents(void) { static void initialize_xevents(void) {
static int did_xselect_input = 0; static int did_xselect_input = 0;
static int did_xcreate_simple_window = 0; static int did_xcreate_simple_window = 0;
static int did_vnc_connect_prop = 0; static int did_vnc_connect_prop = 0;
static int did_x11vnc_remote_prop = 0;
static int did_xfixes = 0; static int did_xfixes = 0;
static int did_xdamage = 0; static int did_xdamage = 0;
static int did_xrandr = 0; static int did_xrandr = 0;
...@@ -75,6 +82,14 @@ static void initialize_xevents(void) { ...@@ -75,6 +82,14 @@ static void initialize_xevents(void) {
initialize_vnc_connect_prop(); initialize_vnc_connect_prop();
did_vnc_connect_prop = 1; did_vnc_connect_prop = 1;
} }
if (vnc_connect && !did_x11vnc_remote_prop) {
initialize_x11vnc_remote_prop();
did_x11vnc_remote_prop = 1;
}
if (run_gui_pid > 0) {
kill(run_gui_pid, SIGUSR1);
run_gui_pid = 0;
}
if (xfixes_present && use_xfixes && !did_xfixes) { if (xfixes_present && use_xfixes && !did_xfixes) {
initialize_xfixes(); initialize_xfixes();
did_xfixes = 1; did_xfixes = 1;
...@@ -744,11 +759,16 @@ void check_xevents(void) { ...@@ -744,11 +759,16 @@ void check_xevents(void) {
set_cutbuffer = 0; set_cutbuffer = 0;
} else if (vnc_connect && vnc_connect_prop != None } else if (vnc_connect && vnc_connect_prop != None
&& xev.xproperty.atom == vnc_connect_prop) { && xev.xproperty.atom == vnc_connect_prop) {
/* /*
* Go retrieve VNC_CONNECT string. * Go retrieve VNC_CONNECT string.
*/ */
read_vnc_connect_prop(); read_vnc_connect_prop(0);
} else if (vnc_connect && x11vnc_remote_prop != None
&& xev.xproperty.atom == x11vnc_remote_prop) {
/*
* Go retrieve X11VNC_REMOTE string.
*/
read_x11vnc_remote_prop(0);
} }
} }
} }
......
...@@ -7,6 +7,7 @@ extern int grab_buster; ...@@ -7,6 +7,7 @@ extern int grab_buster;
extern int sync_tod_delay; extern int sync_tod_delay;
extern void initialize_vnc_connect_prop(void); extern void initialize_vnc_connect_prop(void);
extern void initialize_x11vnc_remote_prop(void);
extern void spawn_grab_buster(void); extern void spawn_grab_buster(void);
extern void sync_tod_with_servertime(void); extern void sync_tod_with_servertime(void);
extern void check_keycode_state(void); extern void check_keycode_state(void);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment