Support username alias in PlainUsers

Resolves: RHEL-4258
2023-10-09 09:03:02 +02:00 · 2023-10-09 09:03:02 +02:00 · 38aa048031
commit 38aa048031
parent 13cc84c5f4
2 changed files with 144 additions and 1 deletions
--- a/tigervnc-support-username-alias-in-plainusers.patch
+++ b/tigervnc-support-username-alias-in-plainusers.patch
@ -0,0 +1,135 @@
+diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
+index 6f65e87..3142ba3 100644
+--- a/common/rfb/SSecurityPlain.cxx
+++ b/common/rfb/SSecurityPlain.cxx
+@@ -27,6 +27,8 @@
+ #include <rdr/InStream.h>
+ #if !defined(WIN32) && !defined(__APPLE__)
+ #include <rfb/UnixPasswordValidator.h>
+#include <unistd.h>
+#include <pwd.h>
+ #endif
+ #ifdef WIN32
+ #include <rfb/WinPasswdValidator.h>
+@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
+
+ bool PasswordValidator::validUser(const char* username)
+ {
+-  CharArray users(plainUsers.getValueStr()), user;
+  std::vector<std::string> users;
+
+-  while (users.buf) {
+-    strSplit(users.buf, ',', &user.buf, &users.buf);
+-#ifdef WIN32
+-    if (0 == stricmp(user.buf, "*"))
+-	  return true;
+-    if (0 == stricmp(user.buf, username))
+-	  return true;
+-#else
+-    if (!strcmp(user.buf, "*"))
+-	  return true;
+-    if (!strcmp(user.buf, username))
+-	  return true;
+  users = split(plainUsers, ',');
+
+  for (size_t i = 0; i < users.size(); i++) {
+    if (users[i] == "*")
+      return true;
+#if !defined(WIN32) && !defined(__APPLE__)
+    if (users[i] == "%u") {
+      struct passwd *pw = getpwnam(username);
+      if (pw && pw->pw_uid == getuid())
+        return true;
+    }
+ #endif
+    if (users[i] == username)
+      return true;
+   }
+   return false;
+ }
+diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
+index 649eb0b..cce73a0 100644
+--- a/common/rfb/util.cxx
+++ b/common/rfb/util.cxx
+@@ -99,6 +99,26 @@ namespace rfb {
+     return false;
+   }
+
+  std::vector<std::string> split(const char* src,
+                                 const char delimiter)
+  {
+    std::vector<std::string> out;
+    const char *start, *stop;
+
+    start = src;
+    do {
+      stop = strchr(start, delimiter);
+      if (stop == NULL) {
+        out.push_back(start);
+      } else {
+        out.push_back(std::string(start, stop-start));
+        start = stop + 1;
+      }
+    } while (stop != NULL);
+
+    return out;
+  }
+
+   bool strContains(const char* src, char c) {
+     int l=strlen(src);
+     for (int i=0; i<l; i++)
+diff --git a/common/rfb/util.h b/common/rfb/util.h
+index f0ac9ef..ed15c28 100644
+--- a/common/rfb/util.h
+++ b/common/rfb/util.h
+@@ -27,6 +27,9 @@
+ #include <limits.h>
+ #include <string.h>
+
+#include <string>
+#include <vector>
+
+ struct timeval;
+
+ #ifdef __GNUC__
+@@ -76,6 +79,10 @@ namespace rfb {
+   // that part of the string.  Obviously, setting both to 0 is not useful...
+   bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
+
+  // Splits a string with the specified delimiter
+  std::vector<std::string> split(const char* src,
+                                 const char delimiter);
+
+   // Returns true if src contains c
+   bool strContains(const char* src, char c);
+
+diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
+index c36ae34..78db730 100644
+--- a/unix/x0vncserver/x0vncserver.man
+++ b/unix/x0vncserver/x0vncserver.man
+@@ -125,8 +125,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
+to allow any user to authenticate using this security type. Specify \fB%u\fP
+to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
+diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
+index ea87dea..e9fb654 100644
+--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
+@@ -200,8 +200,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
+to allow any user to authenticate using this security type. Specify \fB%u\fP
+to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -27,6 +27,7 @@ Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 Patch3:         tigervnc-dont-install-appstream-metadata-file.patch

 # Upstream patches
+Patch50:        tigervnc-support-username-alias-in-plainusers.patch

 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
@ -187,6 +188,9 @@ popd
 %patch2 -p1 -b .vncsession-restore-script-systemd-service
 %patch3 -p1 -b .dont-install-appstream-metadata-file.patch

+# Upstream patches
+%patch50 -p1 -b .support-username-alias-in-plainusers
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -340,6 +344,10 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
+- Support username alias in PlainUsers
+  Resolves: RHEL-4258
+
 * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
 - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
  Escalation Vulnerability