Support username alias in PlainUsers

Resolves: RHEL-4258

tigervnc-support-username-alias-in-plainusers.patch

@@ -0,0 +1,135 @@
+diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
+index 6f65e87..3142ba3 100644
+--- a/common/rfb/SSecurityPlain.cxx
++++ b/common/rfb/SSecurityPlain.cxx
+@@ -27,6 +27,8 @@
+ #include <rdr/InStream.h>
+ #if !defined(WIN32) && !defined(__APPLE__)
+ #include <rfb/UnixPasswordValidator.h>
++#include <unistd.h>
++#include <pwd.h>
+ #endif
+ #ifdef WIN32
+ #include <rfb/WinPasswdValidator.h>
+@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
+
+ bool PasswordValidator::validUser(const char* username)
+ {
+-  CharArray users(plainUsers.getValueStr()), user;
++  std::vector<std::string> users;
+
+-  while (users.buf) {
+-    strSplit(users.buf, ',', &user.buf, &users.buf);
+-#ifdef WIN32
+-    if (0 == stricmp(user.buf, "*"))
+-	  return true;
+-    if (0 == stricmp(user.buf, username))
+-	  return true;
+-#else
+-    if (!strcmp(user.buf, "*"))
+-	  return true;
+-    if (!strcmp(user.buf, username))
+-	  return true;
++  users = split(plainUsers, ',');
++
++  for (size_t i = 0; i < users.size(); i++) {
++    if (users[i] == "*")
++      return true;
++#if !defined(WIN32) && !defined(__APPLE__)
++    if (users[i] == "%u") {
++      struct passwd *pw = getpwnam(username);
++      if (pw && pw->pw_uid == getuid())
++        return true;
++    }
+ #endif
++    if (users[i] == username)
++      return true;
+   }
+   return false;
+ }
+diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
+index 649eb0b..cce73a0 100644
+--- a/common/rfb/util.cxx
++++ b/common/rfb/util.cxx
+@@ -99,6 +99,26 @@ namespace rfb {
+     return false;
+   }
+
++  std::vector<std::string> split(const char* src,
++                                 const char delimiter)
++  {
++    std::vector<std::string> out;
++    const char *start, *stop;
++
++    start = src;
++    do {
++      stop = strchr(start, delimiter);
++      if (stop == NULL) {
++        out.push_back(start);
++      } else {
++        out.push_back(std::string(start, stop-start));
++        start = stop + 1;
++      }
++    } while (stop != NULL);
++
++    return out;
++  }
++
+   bool strContains(const char* src, char c) {
+     int l=strlen(src);
+     for (int i=0; i<l; i++)
+diff --git a/common/rfb/util.h b/common/rfb/util.h
+index f0ac9ef..ed15c28 100644
+--- a/common/rfb/util.h
++++ b/common/rfb/util.h
+@@ -27,6 +27,9 @@
+ #include <limits.h>
+ #include <string.h>
+
++#include <string>
++#include <vector>
++
+ struct timeval;
+
+ #ifdef __GNUC__
+@@ -76,6 +79,10 @@ namespace rfb {
+   // that part of the string.  Obviously, setting both to 0 is not useful...
+   bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
+
++  // Splits a string with the specified delimiter
++  std::vector<std::string> split(const char* src,
++                                 const char delimiter);
++
+   // Returns true if src contains c
+   bool strContains(const char* src, char c);
+
+diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
+index c36ae34..78db730 100644
+--- a/unix/x0vncserver/x0vncserver.man
++++ b/unix/x0vncserver/x0vncserver.man
+@@ -125,8 +125,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
++to allow any user to authenticate using this security type. Specify \fB%u\fP
++to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
+diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
+index ea87dea..e9fb654 100644
+--- a/unix/xserver/hw/vnc/Xvnc.man
++++ b/unix/xserver/hw/vnc/Xvnc.man
+@@ -200,8 +200,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
++to allow any user to authenticate using this security type. Specify \fB%u\fP
++to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP

tigervnc.spec

@@ -5,7 +5,7 @@
 
 Name:           tigervnc
 Version:        1.13.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -27,6 +27,7 @@ Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 Patch3:         tigervnc-dont-install-appstream-metadata-file.patch
 
 # Upstream patches
+Patch50:        tigervnc-support-username-alias-in-plainusers.patch
 
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
@@ -187,6 +188,9 @@ popd
 %patch2 -p1 -b .vncsession-restore-script-systemd-service
 %patch3 -p1 -b .dont-install-appstream-metadata-file.patch
 
+# Upstream patches
+%patch50 -p1 -b .support-username-alias-in-plainusers
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@@ -340,6 +344,10 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
+- Support username alias in PlainUsers
+  Resolves: RHEL-4258
+
 * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
 - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
   Escalation Vulnerability