commit a918414e749f7da482a22e965b2d5296dafa445e Author: CentOS Sources Date: Tue May 17 04:51:15 2022 -0400 import tigervnc-1.11.0-21.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d48d90b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tigervnc-1.11.0.tar.gz
diff --git a/.tigervnc.metadata b/.tigervnc.metadata
new file mode 100644
index 0000000..c7c0b3c
--- /dev/null
+++ b/.tigervnc.metadata
@@ -0,0 +1 @@
+6f6b621a76b734888748de10c32c2b5b59d40b19 SOURCES/tigervnc-1.11.0.tar.gz
diff --git a/SOURCES/0001-rpath-hack.patch b/SOURCES/0001-rpath-hack.patch
new file mode 100644
index 0000000..4e438dd
--- /dev/null
+++ b/SOURCES/0001-rpath-hack.patch
@@ -0,0 +1,24 @@
+From 2489f2f38eb32d9dd03718a36cbdbdf13d2f8b9b Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Thu, 12 Nov 2015 11:10:11 -0500
+Subject: [PATCH] rpath hack
+
+Normally, rpath is undesirable. But for the X server we _know_ we need
+Mesa's libGL, which will always be in %{_libdir}, and not any third-party
+libGL that may be configured using ld.so.conf.
+
+---
+ configure.ac | 1 +
+ 1 files changed, 1 insertions(+), 0 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fa15a2d..a5af1e0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1261,6 +1261,7 @@ AM_CONDITIONAL(GLX, test "x$GLX" = xyes)
+
+ AM_CONDITIONAL(HASHTABLE, test "x$HASHTABLE" = xyes)
+
++GLX_SYS_LIBS="$GLX_SYS_LIBS -Wl,-rpath=\$(libdir)"
+ AC_SUBST([GLX_DEFINES])
+ AC_SUBST([GLX_SYS_LIBS])
diff --git a/SOURCES/10-libvnc.conf b/SOURCES/10-libvnc.conf
new file mode 100644
index 0000000..a053a7d
--- /dev/null
+++ b/SOURCES/10-libvnc.conf
@@ -0,0 +1,19 @@
+# This file contains configuration of libvnc.so module
+#
+# To get libvnc.so module working, do this:
+# 1. run "vncpasswd" from tigervnc-server package as root user
+# 2. uncomment configuration lines below
+#
+# Please note you can specify any option which Xvnc accepts.
+# Refer to `Xvnc -help` output for detailed list of options.
+
+#Section "Module"
+# Load "vnc"
+#EndSection
+
+#Section "Screen"
+# Identifier "Screen0
+# DefaultDepth 16
+# Option "SecurityTypes" "VncAuth"
+# Option "PasswordFile" "/root/.vnc/passwd"
+#EndSection
diff --git a/SOURCES/HOWTO.md b/SOURCES/HOWTO.md
new file mode 100644
index 0000000..28b710d
--- /dev/null
+++ b/SOURCES/HOWTO.md
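Review bot: The commented `# Identifier "Screen0` line in the Screen section is missing its closing quote, so an administrator who follows step 2 and uncomments the block gets a section that is unlikely to parse as written; it should read `# Identifier "Screen0"`. The sample also enables only `"SecurityTypes" "VncAuth"` with a root-owned password file, and the header comment does not mention that VncAuth on its own leaves the session unencrypted. A one-line comment pointing at the TLS-based types (the HOWTO added in this same commit uses `securitytypes=vncauth,tlsvnc`) would help anyone who exposes the module beyond localhost.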
@@ -0,0 +1,110 @@ +# What has changed +The previous Tigervnc versions had a wrapper script called `vncserver` which +could be run as a user manually to start *Xvnc* process. The usage was quite +simple as you just run +``` +$ vncserver :x [vncserver options] [Xvnc options] +``` +and that was it. While this was working just fine, there were issues when users +wanted to start a Tigervnc server using *systemd*. For these reasons things were +completely changed and there is now a new way how this all is supposed to work. + + # How to start Tigervnc server +  +## Add a user mapping +With this you can map a user to a particular port. The mapping should be done in +`/etc/tigervnc/vncserver.users` configuration file. It should be pretty +straightforward once you open the file as there are some examples, but basically +the mapping is in form +``` +:x=user +``` +For example you can have +``` +:1=test +:2=vncuser +``` + +## Configure Xvnc options +To configure Xvnc parameters, you need to go to the same directory where you did +the user mapping and open `vncserver-config-defaults` configuration file. This +file is for the default Xvnc configuration and will be applied to every user +unless any of the following applies: +* The user has its own configuration in `$HOME/.vnc/config` +* The same option with different value is configured in +  `vncserver-config-mandatory` configuration file, which replaces the default +  configuration and has even a higher priority than the per-user configuration. +  This option is for system administrators when they want to force particular +  *Xvnc* options. + +Format of the configuration file is also quite simple as the configuration is +in form of +``` +option=value +option +``` +for example +``` +session=gnome +securitytypes=vncauth,tlsvnc +desktop=sandbox +geometry=2000x1200 +localhost +alwaysshared +``` +### Note: +There is one important option you need to set and that option is the session you +want to start. 
E.g when you want to start GNOME desktop, then you have to use +``` +session=gnome +``` +which should match the name of a session desktop file from `/usr/share/xsessions` +directory. + +## Set VNC password +You need to set a password for each user in order to be able to start the +Tigervnc server. In order to create a password, you just run +``` +$ vncpasswd +``` +as the user you will be starting the server for. +### Note: +If you were using Tigervnc before for your user and you already created a +password, then you will have to make sure the `$HOME/.vnc` folder created by +`vncpasswd` will have the correct *SELinux* context. You either can delete this +folder and recreate it again by creating the password one more time, or +alternatively you can run +``` +$ restorecon -RFv /home//.vnc +``` + +## Start the Tigervnc server +Finally you can start the server using systemd service. To do so just run +``` +$ systemctl start vncserver@:x +``` +as root or +``` +$ sudo systemctl start vncserver@:x +``` +as a regular user in case it has permissions to run `sudo`. Don't forget to +replace the `:x` by the actual number you configured in the user mapping file. +Following our example by running +``` +$ systemctl start vncserver@:1 +``` +you will start a Tigervnc server for user `test` with a GNOME session. + +### Note: +If you were previously using Tigervnc and you were used to start it using +*systemd* then you will need to remove previous *systemd* configuration files, +those you most likely copied to `/etc/systemd/system/vncserver@.service`, +otherwise this service file will be preferred over the new one installed with +latest Tigervnc. + +# Limitations +You will not be able to start a Tigervnc server for a user who is already +logged into a graphical session. Avoid running the server as the `root` user as +it's not a safe thing to do. 
While running the server as the `root` should work +in general, it's not recommended to do so and there might be some things which +are not working properly. diff --git a/SOURCES/tigervnc-argb-runtime-ximage-byteorder-selection.patch b/SOURCES/tigervnc-argb-runtime-ximage-byteorder-selection.patch new file mode 100644 index 0000000..24fc077 --- /dev/null +++ b/SOURCES/tigervnc-argb-runtime-ximage-byteorder-selection.patch @@ -0,0 +1,43 @@ +From 7ab92639848a6059e2b6b88499b008b9606f3af6 Mon Sep 17 00:00:00 2001 +From: johnmartin-oracle <55413843+johnmartin-oracle@users.noreply.github.com> +Date: Thu, 27 Aug 2020 22:30:23 -0400 +Subject: [PATCH] Update Surface_X11.cxx + +Runtime sellection of ARGB XImage byte order +--- + vncviewer/Surface_X11.cxx | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/vncviewer/Surface_X11.cxx b/vncviewer/Surface_X11.cxx +index 6562634dc..8944c3f71 100644 +--- a/vncviewer/Surface_X11.cxx ++++ b/vncviewer/Surface_X11.cxx +@@ -123,17 +123,17 @@ void Surface::alloc() + // we find such a format + templ.type = PictTypeDirect; + templ.depth = 32; +-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ +- templ.direct.alpha = 0; +- templ.direct.red = 8; +- templ.direct.green = 16; +- templ.direct.blue = 24; +-#else +- templ.direct.alpha = 24; +- templ.direct.red = 16; +- templ.direct.green = 8; +- templ.direct.blue = 0; +-#endif ++ if (XImageByteOrder(fl_display) == MSBFirst) { ++ templ.direct.alpha = 0; ++ templ.direct.red = 8; ++ templ.direct.green = 16; ++ templ.direct.blue = 24; ++ } else { ++ templ.direct.alpha = 24; ++ templ.direct.red = 16; ++ templ.direct.green = 8; ++ templ.direct.blue = 0; ++ } + templ.direct.alphaMask = 0xff; + templ.direct.redMask = 0xff; + templ.direct.greenMask = 0xff; diff --git a/SOURCES/tigervnc-correctly-start-vncsession-as-daemon.patch b/SOURCES/tigervnc-correctly-start-vncsession-as-daemon.patch new file mode 100644 index 0000000..af5e7f2 --- /dev/null 
+++ b/SOURCES/tigervnc-correctly-start-vncsession-as-daemon.patch
@@ -0,0 +1,13 @@
+diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
+index 2b47f5f5..f78c096f 100644
+--- a/unix/vncserver/vncsession.c
++++ b/unix/vncserver/vncsession.c
+@@ -99,7 +99,7 @@ begin_daemon(void)
+ return -1;
+ }
+
+- if (pid == 0)
++ if (pid != 0)
+ _exit(0);
+
+ /* Send all stdio to /dev/null */
diff --git a/SOURCES/tigervnc-let-user-know-about-not-using-view-only-password.patch b/SOURCES/tigervnc-let-user-know-about-not-using-view-only-password.patch
new file mode 100644
index 0000000..e95b145
--- /dev/null
+++ b/SOURCES/tigervnc-let-user-know-about-not-using-view-only-password.patch
@@ -0,0 +1,22 @@
+From dbf76d2ee8da157c2c2970c937bcc0ed9ef08a6f Mon Sep 17 00:00:00 2001
+From: Jan Grulich
+Date: Tue, 25 May 2021 14:14:33 +0200
+Subject: [PATCH] Let user know that a view-only password is not used
+
+---
+ unix/vncpasswd/vncpasswd.cxx | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
+index 3055223ef..8f3649fe9 100644
+--- a/unix/vncpasswd/vncpasswd.cxx
++++ b/unix/vncpasswd/vncpasswd.cxx
+@@ -160,6 +160,8 @@ int main(int argc, char** argv)
+ char yesno[3];
+ if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
+ obfuscatedReadOnly = readpassword();
++ } else {
++ fprintf(stderr, "A view-only password is not used\n");
+ }
+
+ FILE* fp = fopen(fname,"w");
diff --git a/SOURCES/tigervnc-passwd-crash-with-malloc-checks.patch b/SOURCES/tigervnc-passwd-crash-with-malloc-checks.patch
new file mode 100644
index 0000000..06a8d0f
--- /dev/null
+++ b/SOURCES/tigervnc-passwd-crash-with-malloc-checks.patch
@@ -0,0 +1,38 @@
+From 5d834359bef6727df82cf4f2c2f3f255145f7785 Mon Sep 17 00:00:00 2001
+From: Jan Grulich
+Date: Tue, 25 May 2021 14:18:48 +0200
+Subject: [PATCH] CharArray: pre-fill empty array with zeroes
+
+CharArray should always be null-terminated. There is a potential
+scenario where this all might lead to crash. In Password we call
+memset(), passing length of the array we get with strlen(), but
+this won't return correct value when the array is not properly
+null-terminated.
+---
+ common/rfb/util.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/common/rfb/util.h b/common/rfb/util.h
+index 3100f90fd..71caac426 100644
+--- a/common/rfb/util.h
++++ b/common/rfb/util.h
+@@ -52,14 +52,17 @@ namespace rfb {
+ CharArray(char* str) : buf(str) {} // note: assumes ownership
+ CharArray(size_t len) {
+ buf = new char[len]();
++ memset(buf, 0, len);
+ }
+ ~CharArray() {
+- delete [] buf;
++ if (buf) {
++ delete [] buf;
++ }
+ }
+ void format(const char *fmt, ...) __printf_attr(2, 3);
+ // Get the buffer pointer & clear it (i.e. caller takes ownership)
+ char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
+- void replaceBuf(char* b) {delete [] buf; buf = b;}
++ void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
+ char* buf;
+ private:
+ CharArray(const CharArray&);
diff --git a/SOURCES/tigervnc-root-user-selinux-context.patch b/SOURCES/tigervnc-root-user-selinux-context.patch
new file mode 100644
index 0000000..e396b99
--- /dev/null
+++ b/SOURCES/tigervnc-root-user-selinux-context.patch
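Review bot: The added `memset(buf, 0, len);` repeats what the context line `buf = new char[len]();` already does, because the trailing `()` value-initialises the array, and the new `if (buf)` guards in the destructor and in `replaceBuf` change nothing since `delete []` on a null pointer is a no-op. As far as these lines show, the terminator problem described in the commit message is therefore still open: a caller that fills all `len` bytes leaves no trailing NUL, and a `strlen()`-sized `memset()` elsewhere would still run past the buffer. If the guarantee belongs in this class, reserve the terminator with `buf = new char[len + 1]();`, or have the wiping code use the known length instead of `strlen()`. The class body starts and ends outside the hunk, so whether `<string.h>` is included for `memset` cannot be confirmed here.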
@@ -0,0 +1,26 @@
+From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 7 Feb 2022 10:45:41 +0100
+Subject: [PATCH] SELinux: use /root/.vnc in file context specification
+
+Instead of HOME_ROOT/.vnc, /root/.vnc should be used
+for user root's home to specify default file context
+as HOME_ROOT actually means base for home dirs (usually /home).
+---
+ unix/vncserver/selinux/vncsession.fc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
+index ae768ba..5c03e46 100644
+--- a/unix/vncserver/selinux/vncsession.fc
++++ b/unix/vncserver/selinux/vncsession.fc
+@@ -18,7 +18,7 @@
+ #
+
+ HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
+-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
++/root/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
+
+ /usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
+ /usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
+
diff --git a/SOURCES/tigervnc-selinux-missing-compression-and-correct-location.patch b/SOURCES/tigervnc-selinux-missing-compression-and-correct-location.patch
new file mode 100644
index 0000000..9507228
--- /dev/null
+++ b/SOURCES/tigervnc-selinux-missing-compression-and-correct-location.patch
@@ -0,0 +1,38 @@
+From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
+From: Jan Grulich
+Date: Mon, 17 May 2021 13:44:32 +0200
+Subject: [PATCH 1/2] SELinux: Add missing compression and install policy to
+ correct directory
+
+---
+ unix/vncserver/selinux/Makefile | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
+index 7497bf846..b23f20f60 100644
+--- a/unix/vncserver/selinux/Makefile
++++ b/unix/vncserver/selinux/Makefile
+@@ -10,15 +10,18 @@
+ PREFIX=/usr
+ DATADIR=$(PREFIX)/share
+
+-all: vncsession.pp
++all: vncsession.pp.bz2
++
++%.pp.bz2: %.pp
++ bzip2 -9 $^
+
+ %.pp: %.te
+ make -f $(DATADIR)/selinux/devel/Makefile $@
+
+ clean:
+- rm -f *.pp
++ rm -f *.pp *.pp.bz2
+ rm -rf tmp
+
+-install: vncsession.pp
+- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
+- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
++install: vncsession.pp.bz2
++ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
++ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2
diff --git a/SOURCES/tigervnc-selinux-policy-improvements.patch b/SOURCES/tigervnc-selinux-policy-improvements.patch
new file mode 100644
index 0000000..c797b18
--- /dev/null
+++ b/SOURCES/tigervnc-selinux-policy-improvements.patch
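Review bot: The new `install vncsession.pp.bz2 …` line in the `install` target sets no mode, so GNU install applies its default of 0755 to a policy package that is data rather than a program; adding `-m 0644` to that line states the intended permissions. In the new `%.pp.bz2` rule, `bzip2 -9 $^` removes the `.pp` input and refuses to overwrite an existing archive, so rebuilding after a change to the `.te` file can fail until `make clean` is run. `bzip2 -9 -kf $^` keeps the input and overwrites a stale archive.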
@@ -0,0 +1,183 @@ +From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 18 May 2021 12:23:15 +0200 +Subject: [PATCH] selinux: Fix issues reported by SELint + +Style guide [1] issues only. No impact on policy functionality. + +[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide +--- + unix/vncserver/selinux/vncsession.te | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index a773fed39..63ad8a85f 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -17,7 +17,7 @@ + # USA. + # + +-policy_module(vncsession, 1.0.0); ++policy_module(vncsession, 1.0.0) + + gen_require(` + attribute userdomain; +@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t) + userdom_spec_domtrans_all_users(vnc_session_t) + userdom_signal_all_users(vnc_session_t) + +-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource }; +-allow vnc_session_t self:process { getcap setsched setexec setrlimit }; ++allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource }; ++allow vnc_session_t self:process { getcap setexec setrlimit setsched }; + allow vnc_session_t self:fifo_file rw_fifo_file_perms; + + manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) +@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t) + + mcs_process_set_categories(vnc_session_t) + mcs_killall(vnc_session_t) +- +From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 18 May 2021 13:31:53 +0200 +Subject: [PATCH] selinux: further style and comprehensibility improvements + +Sections and rules blocks reordered according to the Style guide. 
+ +https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide +--- + unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++----------- + 1 file changed, 36 insertions(+), 23 deletions(-) + +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index 63ad8a85f..86fd6e5ef 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -20,48 +20,61 @@ + policy_module(vncsession, 1.0.0) + + gen_require(` +- attribute userdomain; +- type xdm_home_t; ++ attribute userdomain; ++ type xdm_home_t; + ') + +-type vnc_session_exec_t; +-corecmd_executable_file(vnc_session_exec_t) + type vnc_session_t; ++type vnc_session_exec_t; + init_daemon_domain(vnc_session_t, vnc_session_exec_t) +-auth_login_pgm_domain(vnc_session_t) ++can_exec(vnc_session_t, vnc_session_exec_t) + + type vnc_session_var_run_t; + files_pid_file(vnc_session_var_run_t) +-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; +-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) +- +-auth_write_login_records(vnc_session_t) +- +-can_exec(vnc_session_t, vnc_session_exec_t) +- +-userdom_spec_domtrans_all_users(vnc_session_t) +-userdom_signal_all_users(vnc_session_t) + + allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource }; + allow vnc_session_t self:process { getcap setexec setrlimit setsched }; + allow vnc_session_t self:fifo_file rw_fifo_file_perms; + ++allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; ++files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) ++ + manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) + manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) + manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) + manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) +-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") 
+-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") +- +-# This also affects other tools, e.g. vncpasswd +-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") +-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") +- +-miscfiles_read_localization(vnc_session_t) + + kernel_read_kernel_sysctls(vnc_session_t) + +-logging_append_all_logs(vnc_session_t) ++corecmd_executable_file(vnc_session_exec_t) + + mcs_process_set_categories(vnc_session_t) + mcs_killall(vnc_session_t) ++ ++optional_policy(` ++ auth_login_pgm_domain(vnc_session_t) ++ auth_write_login_records(vnc_session_t) ++') ++ ++optional_policy(` ++ logging_append_all_logs(vnc_session_t) ++') ++ ++optional_policy(` ++ miscfiles_read_localization(vnc_session_t) ++') ++ ++optional_policy(` ++ userdom_spec_domtrans_all_users(vnc_session_t) ++ userdom_signal_all_users(vnc_session_t) ++ ++ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") ++ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") ++ ++ # This also affects other tools, e.g. vncpasswd ++ gen_require(` ++ attribute userdomain; ++ ') ++ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") ++ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") ++') +From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 18 May 2021 13:39:11 +0200 +Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally + +The permissions set to manage directories and files with the nfs_t type +is allowed when the use_nfs_home_dirs boolean is turned on. 
+ +Resolves: https://github.com/TigerVNC/tigervnc/issues/1189 +--- + unix/vncserver/selinux/vncsession.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index 86fd6e5ef..46e699117 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t) + mcs_process_set_categories(vnc_session_t) + mcs_killall(vnc_session_t) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(vnc_session_t) ++ fs_manage_nfs_files(vnc_session_t) ++') ++ + optional_policy(` + auth_login_pgm_domain(vnc_session_t) + auth_write_login_records(vnc_session_t) +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index 46e69911..f1108ec8 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -20,7 +20,6 @@ + policy_module(vncsession, 1.0.0) + + gen_require(` +- attribute userdomain; + type xdm_home_t; + ') + diff --git a/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch b/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch new file mode 100644 index 0000000..f362522 --- /dev/null +++ b/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch 
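Review bot: The `tunable_policy` block for use_nfs_home_dirs, added by the third patch in this file, grants `fs_manage_nfs_dirs` and `fs_manage_nfs_files` on the whole `nfs_t` type, and NFS mounts normally carry a single label for all their content, so with the boolean on `vnc_session_t` can manage any file on any NFS mount rather than only `~/.vnc`. That breadth deserves a comment above the block, for example `# nfs_t is not per-file: this covers all NFS content, not just ~/.vnc`, given that the same domain also holds `dac_override` and `dac_read_search`. The block covers directories and regular files only, while the local `xdm_home_t` rules also manage fifo, socket and symlink files; if the difference is intentional it should be stated. The last hunk, which drops `attribute userdomain;` from the top `gen_require`, carries no From/Subject header, so its origin is not recorded in the patch file.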
@@ -0,0 +1,81 @@ +From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Thu, 11 Nov 2021 13:52:41 +0100 +Subject: [PATCH] SELinux: restore SELinux context in case of different + policies + +--- + CMakeLists.txt | 13 +++++++++++++ + unix/vncserver/CMakeLists.txt | 2 +- + unix/vncserver/vncsession.c | 16 ++++++++++++++++ + 3 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 7bf9944..85be468 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -276,6 +276,19 @@ if(UNIX AND NOT APPLE) + endif() + endif() + ++# Check for SELinux library ++if(UNIX AND NOT APPLE) ++ check_include_files(selinux/selinux.h HAVE_SELINUX_H) ++ if(HAVE_SELINUX_H) ++ set(CMAKE_REQUIRED_LIBRARIES -lselinux) ++ set(CMAKE_REQUIRED_LIBRARIES) ++ set(SELINUX_LIBS selinux) ++ add_definitions("-DHAVE_SELINUX") ++ else() ++ message(WARNING "Could not find SELinux development files") ++ endif() ++endif() ++ + # Generate config.h and make sure the source finds it + configure_file(config.h.in config.h) + add_definitions(-DHAVE_CONFIG_H) +diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt +index eeb4b7b..bce1c3e 100644 +--- a/unix/vncserver/CMakeLists.txt ++++ b/unix/vncserver/CMakeLists.txt +@@ -1,5 +1,5 @@ + add_executable(vncsession vncsession.c) +-target_link_libraries(vncsession ${PAM_LIBS}) ++target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) + + configure_file(vncserver@.service.in vncserver@.service @ONLY) + configure_file(vncsession-start.in vncsession-start @ONLY) +diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c +index f78c096..141f689 100644 +--- a/unix/vncserver/vncsession.c ++++ b/unix/vncserver/vncsession.c +@@ -37,6 +37,11 @@ + #include + #include + ++#ifdef HAVE_SELINUX ++#include ++#include ++#endif ++ + extern char **environ; + + // PAM service name +@@ -359,6 +364,17 @@ redir_stdio(const char *homedir, const char *display) + 
perror("mkdir"); + _exit(EX_OSERR); + } ++ ++#ifdef HAVE_SELINUX ++ int result; ++ if (selinux_file_context_verify(logfile, 0) == 0) { ++ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE); ++ ++ if (result < 0) { ++ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno)); ++ } ++ } ++#endif + } + + if (gethostname(hostname, sizeof(hostname)) == -1) { diff --git a/SOURCES/tigervnc-systemd-service.patch b/SOURCES/tigervnc-systemd-service.patch new file mode 100644 index 0000000..846a34b --- /dev/null +++ b/SOURCES/tigervnc-systemd-service.patch 
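Review bot: In the CMakeLists.txt part, `set(CMAKE_REQUIRED_LIBRARIES -lselinux)` is immediately cleared by `set(CMAKE_REQUIRED_LIBRARIES)` with no check between them, so only the header is probed and `HAVE_SELINUX` is defined even when libselinux cannot be linked. Either drop both lines or put a real probe there, such as `check_library_exists(selinux selinux_restorecon "" HAVE_LIBSELINUX)`, and gate `add_definitions("-DHAVE_SELINUX")` on it. In `redir_stdio`, `selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE)` relabels recursively under a path in the user's home; whether this runs before or after privileges are dropped is outside the hunk, so a short comment stating which identity performs the relabel would help the next reader. The added `#include` lines lost their header names in this rendering, so I cannot confirm that `strerror(errno)` has `<errno.h>` and `<string.h>` available.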
@@ -0,0 +1,47 @@ +From 40f104ffe1e36df9613f8d316f616fb2b089cc86 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Tue, 29 Sep 2020 13:37:16 +0200 +Subject: [PATCH] Use /run instead of /var/run which is just a symlink + +--- + unix/vncserver/selinux/vncsession.fc | 2 +- + unix/vncserver/vncserver@.service.in | 2 +- + unix/vncserver/vncsession.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc +index 121cdd237..ae768baa4 100644 +--- a/unix/vncserver/selinux/vncsession.fc ++++ b/unix/vncserver/selinux/vncsession.fc +@@ -23,4 +23,4 @@ HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) + /usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0) + /usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0) + +-/var/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0) ++/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0) +diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in +index 584ecf4b1..5624dff76 100644 +--- a/unix/vncserver/vncserver@.service.in ++++ b/unix/vncserver/vncserver@.service.in +@@ -36,7 +36,7 @@ After=syslog.target network.target + [Service] + Type=forking + ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i +-PIDFile=/var/run/vncsession-%i.pid ++PIDFile=/run/vncsession-%i.pid + SELinuxContext=system_u:system_r:vnc_session_t:s0 + + [Install] +diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c +index 3e0c98f0f..2b47f5f55 100644 +--- a/unix/vncserver/vncsession.c ++++ b/unix/vncserver/vncsession.c +@@ -543,7 +543,7 @@ main(int argc, char **argv) + } + + snprintf(pid_file, sizeof(pid_file), +- "/var/run/vncsession-%s.pid", display); ++ "/run/vncsession-%s.pid", display); + f = fopen(pid_file, "w"); + if (f == NULL) { + syslog(LOG_ERR, "Failure creating pid file 
\"%s\": %s", diff --git a/SOURCES/tigervnc-tolerate-specifying-boolparam.patch b/SOURCES/tigervnc-tolerate-specifying-boolparam.patch new file mode 100644 index 0000000..70ddef3 --- /dev/null +++ b/SOURCES/tigervnc-tolerate-specifying-boolparam.patch 
@@ -0,0 +1,149 @@ +From 38c6848b30cb1908171f2b4628e345fbf6727b39 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Fri, 18 Sep 2020 10:44:32 +0200 +Subject: [PATCH] Tolerate specifying -BoolParam 0 and similar + +This is needed by vncserver which doesn't know which parameters are +boolean, and it cannot use the -Param=Value form as that isn't tolerated +by the Xorg code. +--- + unix/vncserver/vncserver.in | 8 ++++---- + unix/xserver/hw/vnc/RFBGlue.cc | 16 ++++++++++++++++ + unix/xserver/hw/vnc/RFBGlue.h | 1 + + unix/xserver/hw/vnc/xvnc.c | 14 ++++++++++++++ + vncviewer/vncviewer.cxx | 20 ++++++++++++++++++++ + 5 files changed, 55 insertions(+), 4 deletions(-) + +diff --git a/unix/vncserver/vncserver.in b/unix/vncserver/vncserver.in +index 25fbbd315..261b258f1 100755 +--- a/unix/vncserver/vncserver.in ++++ b/unix/vncserver/vncserver.in +@@ -107,7 +107,7 @@ $default_opts{rfbwait} = 30000; + $default_opts{rfbauth} = "$vncUserDir/passwd"; + $default_opts{rfbport} = $vncPort; + $default_opts{fp} = $fontPath if ($fontPath); +-$default_opts{pn} = ""; ++$default_opts{pn} = undef; + + # Load user-overrideable system defaults + LoadConfig($vncSystemConfigDefaultsFile); +@@ -242,13 +242,13 @@ push(@cmd, "@CMAKE_INSTALL_FULL_BINDIR@/Xvnc", ":$displayNumber"); + + foreach my $k (sort keys %config) { + push(@cmd, "-$k"); +- push(@cmd, $config{$k}) if $config{$k}; ++ push(@cmd, $config{$k}) if defined($config{$k}); + delete $default_opts{$k}; # file options take precedence + } + + foreach my $k (sort keys %default_opts) { + push(@cmd, "-$k"); +- push(@cmd, $default_opts{$k}) if $default_opts{$k}; ++ push(@cmd, $default_opts{$k}) if defined($default_opts{$k}); + } + + warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n"; +@@ -291,7 +291,7 @@ sub LoadConfig { + # current config file being loaded defined the logical opposite setting + # (NeverShared vs. AlwaysShared, etc etc). 
+ $toggle = lc($1); # must normalize key case +- $config{$toggle} = $k; ++ $config{$toggle} = undef; + } + } + close(IN); +diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc +index f108fae43..7c32bea8f 100644 +--- a/unix/xserver/hw/vnc/RFBGlue.cc ++++ b/unix/xserver/hw/vnc/RFBGlue.cc +@@ -143,6 +143,22 @@ const char* vncGetParamDesc(const char *name) + return param->getDescription(); + } + ++int vncIsParamBool(const char *name) ++{ ++ VoidParameter *param; ++ BoolParameter *bparam; ++ ++ param = rfb::Configuration::getParam(name); ++ if (param == NULL) ++ return false; ++ ++ bparam = dynamic_cast(param); ++ if (bparam == NULL) ++ return false; ++ ++ return true; ++} ++ + int vncGetParamCount(void) + { + int count; +diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h +index 112405b84..695cea105 100644 +--- a/unix/xserver/hw/vnc/RFBGlue.h ++++ b/unix/xserver/hw/vnc/RFBGlue.h +@@ -41,6 +41,7 @@ int vncSetParam(const char *name, const char *value); + int vncSetParamSimple(const char *nameAndValue); + char* vncGetParam(const char *name); + const char* vncGetParamDesc(const char *name); ++int vncIsParamBool(const char *name); + + int vncGetParamCount(void); + char *vncGetParamList(void); +diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c +index 4eb0b0b13..5744acac8 100644 +--- a/unix/xserver/hw/vnc/xvnc.c ++++ b/unix/xserver/hw/vnc/xvnc.c +@@ -618,6 +618,20 @@ ddxProcessArgument(int argc, char *argv[], int i) + exit(0); + } + ++ /* We need to resolve an ambiguity for booleans */ ++ if (argv[i][0] == '-' && i+1 < argc && ++ vncIsParamBool(&argv[i][1])) { ++ if ((strcasecmp(argv[i+1], "0") == 0) || ++ (strcasecmp(argv[i+1], "1") == 0) || ++ (strcasecmp(argv[i+1], "true") == 0) || ++ (strcasecmp(argv[i+1], "false") == 0) || ++ (strcasecmp(argv[i+1], "yes") == 0) || ++ (strcasecmp(argv[i+1], "no") == 0)) { ++ vncSetParam(&argv[i][1], argv[i+1]); ++ return 2; ++ } ++ } ++ + if (vncSetParamSimple(argv[i])) + 
return 1; + +diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx +index d4dd3063c..77ba3d3f4 100644 +--- a/vncviewer/vncviewer.cxx ++++ b/vncviewer/vncviewer.cxx +@@ -556,6 +556,26 @@ int main(int argc, char** argv) + } + + for (int i = 1; i < argc;) { ++ /* We need to resolve an ambiguity for booleans */ ++ if (argv[i][0] == '-' && i+1 < argc) { ++ VoidParameter *param; ++ ++ param = Configuration::getParam(&argv[i][1]); ++ if ((param != NULL) && ++ (dynamic_cast(param) != NULL)) { ++ if ((strcasecmp(argv[i+1], "0") == 0) || ++ (strcasecmp(argv[i+1], "1") == 0) || ++ (strcasecmp(argv[i+1], "true") == 0) || ++ (strcasecmp(argv[i+1], "false") == 0) || ++ (strcasecmp(argv[i+1], "yes") == 0) || ++ (strcasecmp(argv[i+1], "no") == 0)) { ++ param->setParam(argv[i+1]); ++ i += 2; ++ continue; ++ } ++ } ++ } ++ + if (Configuration::setParam(argv[i])) { + i++; + continue; diff --git a/SOURCES/tigervnc-use-gnome-as-default-session.patch b/SOURCES/tigervnc-use-gnome-as-default-session.patch new file mode 100644 index 0000000..a767c40 --- /dev/null +++ b/SOURCES/tigervnc-use-gnome-as-default-session.patch @@ -0,0 +1,12 @@ +diff --git a/unix/vncserver/vncserver-config-defaults b/unix/vncserver/vncserver-config-defaults +index 0c217bf..2889347 100644 +--- a/unix/vncserver/vncserver-config-defaults ++++ b/unix/vncserver/vncserver-config-defaults +@@ -13,3 +13,7 @@ + # geometry=2000x1200 + # localhost + # alwaysshared ++ ++# Default to GNOME session ++# Note: change this only when you know what are you doing ++session=gnome diff --git a/SOURCES/tigervnc-utilize-system-crypto-policies.patch b/SOURCES/tigervnc-utilize-system-crypto-policies.patch new file mode 100644 index 0000000..9abf50f --- /dev/null +++ b/SOURCES/tigervnc-utilize-system-crypto-policies.patch 
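Review bot: In the `ddxProcessArgument` addition the result of `vncSetParam(&argv[i][1], argv[i+1])` is discarded and the function returns 2 regardless, so a boolean that fails to apply is swallowed together with its value; the vncviewer loop does the same with `param->setParam(argv[i+1])`. Assuming `vncSetParam` follows the nonzero-on-success convention of the `vncSetParamSimple` call just below it, `if (vncSetParam(&argv[i][1], argv[i+1])) return 2;` lets a failed set fall through to the existing handling. The six-way `strcasecmp` list is repeated verbatim in xvnc.c and vncviewer.cxx, and a small shared helper would keep the accepted spellings from drifting apart. `vncIsParamBool` is declared `int` but returns `true`/`false`, and both enclosing functions continue outside the hunks.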
@@ -0,0 +1,198 @@ +diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx +index 9900837..59d2086 100644 +--- a/common/rfb/CSecurityTLS.cxx ++++ b/common/rfb/CSecurityTLS.cxx +@@ -210,26 +210,66 @@ void CSecurityTLS::setParam() + static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH"; + + int ret; +- char *prio; +- const char *err; + +- prio = (char*)malloc(strlen(Security::GnuTLSPriority) + +- strlen(kx_anon_priority) + 1); +- if (prio == NULL) +- throw AuthFailureException("Not enough memory for GnuTLS priority string"); ++ // Custom priority string specified? ++ if (strcmp(Security::GnuTLSPriority, "") != 0) { ++ char *prio; ++ const char *err; + +- strcpy(prio, Security::GnuTLSPriority); +- if (anon) ++ prio = (char*)malloc(strlen(Security::GnuTLSPriority) + ++ strlen(kx_anon_priority) + 1); ++ if (prio == NULL) ++ throw AuthFailureException("Not enough memory for GnuTLS priority string"); ++ ++ strcpy(prio, Security::GnuTLSPriority); ++ if (anon) ++ strcat(prio, kx_anon_priority); ++ ++ ret = gnutls_priority_set_direct(session, prio, &err); ++ ++ free(prio); ++ ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } ++ } else if (anon) { ++ const char *err; ++ ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ // gnutls_set_default_priority_appends() expects a normal priority string that ++ // doesn't start with ":". 
++ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_default_priority_append failed"); ++ } ++#else ++ // We don't know what the system default priority is, so we guess ++ // it's what upstream GnuTLS has ++ static const char gnutls_default_priority[] = "NORMAL"; ++ char *prio; ++ ++ prio = (char*)malloc(strlen(gnutls_default_priority) + ++ strlen(kx_anon_priority) + 1); ++ if (prio == NULL) ++ throw AuthFailureException("Not enough memory for GnuTLS priority string"); ++ ++ strcpy(prio, gnutls_default_priority); + strcat(prio, kx_anon_priority); + +- ret = gnutls_priority_set_direct(session, prio, &err); ++ ret = gnutls_priority_set_direct(session, prio, &err); + +- free(prio); ++ free(prio); + +- if (ret != GNUTLS_E_SUCCESS) { +- if (ret == GNUTLS_E_INVALID_REQUEST) +- vlog.error("GnuTLS priority syntax error at: %s", err); +- throw AuthFailureException("gnutls_set_priority_direct failed"); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } ++#endif + } + + if (anon) { +diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx +index ef5d8c9..f32f87f 100644 +--- a/common/rfb/SSecurityTLS.cxx ++++ b/common/rfb/SSecurityTLS.cxx +@@ -198,26 +198,66 @@ void SSecurityTLS::setParams(gnutls_session_t session) + static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH"; + + int ret; +- char *prio; +- const char *err; + +- prio = (char*)malloc(strlen(Security::GnuTLSPriority) + +- strlen(kx_anon_priority) + 1); +- if (prio == NULL) +- throw AuthFailureException("Not enough memory for GnuTLS priority string"); ++ // Custom priority string specified? 
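Review bot: In the `else if (anon)` branch of CSecurityTLS::setParam, `+ANON-ECDH:+ANON-DH` is appended on top of the default priority, which widens what the system-wide policy allows for these sessions. That is presumably intended for the anonymous TLS security types, but the branch needs a comment saying so, e.g. `// Anonymous TLS types need ANON key exchange, which the default priority does not enable; such a session has no server authentication`. The existing comment names `gnutls_set_default_priority_appends()`, while the function called is `gnutls_set_default_priority_append()`. When the priority string is empty and `anon` is false, this function sets no priority at all, so it relies on a default applied elsewhere that the hunk does not show. The SSecurityTLS.cxx hunk carries an identical copy, and the custom-string and pre-3.6.3 branches repeat the same malloc/strcpy/strcat/`gnutls_priority_set_direct` sequence, which could be one helper taking the base string.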
++ if (strcmp(Security::GnuTLSPriority, "") != 0) { ++ char *prio; ++ const char *err; + +- strcpy(prio, Security::GnuTLSPriority); +- if (anon) ++ prio = (char*)malloc(strlen(Security::GnuTLSPriority) + ++ strlen(kx_anon_priority) + 1); ++ if (prio == NULL) ++ throw AuthFailureException("Not enough memory for GnuTLS priority string"); ++ ++ strcpy(prio, Security::GnuTLSPriority); ++ if (anon) ++ strcat(prio, kx_anon_priority); ++ ++ ret = gnutls_priority_set_direct(session, prio, &err); ++ ++ free(prio); ++ ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } ++ } else if (anon) { ++ const char *err; ++ ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ // gnutls_set_default_priority_appends() expects a normal priority string that ++ // doesn't start with ":". ++ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_default_priority_append failed"); ++ } ++#else ++ // We don't know what the system default priority is, so we guess ++ // it's what upstream GnuTLS has ++ static const char gnutls_default_priority[] = "NORMAL"; ++ char *prio; ++ ++ prio = (char*)malloc(strlen(gnutls_default_priority) + ++ strlen(kx_anon_priority) + 1); ++ if (prio == NULL) ++ throw AuthFailureException("Not enough memory for GnuTLS priority string"); ++ ++ strcpy(prio, gnutls_default_priority); + strcat(prio, kx_anon_priority); + +- ret = gnutls_priority_set_direct(session, prio, &err); ++ ret = gnutls_priority_set_direct(session, prio, &err); + +- free(prio); ++ free(prio); + +- if (ret != GNUTLS_E_SUCCESS) { +- if (ret == GNUTLS_E_INVALID_REQUEST) +- vlog.error("GnuTLS priority syntax error at: %s", err); +- throw 
AuthFailureException("gnutls_set_priority_direct failed"); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } ++#endif + } + + #if defined (SSECURITYTLS__USE_DEPRECATED_DH) +diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx +index 0666041..59deb78 100644 +--- a/common/rfb/Security.cxx ++++ b/common/rfb/Security.cxx +@@ -52,7 +52,7 @@ static LogWriter vlog("Security"); + #ifdef HAVE_GNUTLS + StringParameter Security::GnuTLSPriority("GnuTLSPriority", + "GnuTLS priority string that controls the TLS session’s handshake algorithms", +- "NORMAL"); ++ ""); + #endif + + Security::Security() +diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man +index 83621c0..4a0d20c 100644 +--- a/unix/xserver/hw/vnc/Xvnc.man ++++ b/unix/xserver/hw/vnc/Xvnc.man +@@ -226,7 +226,9 @@ also be in PEM format. + .TP + .B \-GnuTLSPriority \fIpriority\fP + GnuTLS priority string that controls the TLS session’s handshake algorithms. +-See the GnuTLS manual for possible values. Default is \fBNORMAL\fP. ++See the GnuTLS manual for possible values. For GnuTLS < 3.6.3 the default ++value will be \fBNORMAL\fP to use upstream default. For newer versions ++of GnuTLS system-wide crypto policy will be used. + . + .TP + .B \-UseBlacklist diff --git a/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch b/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch new file mode 100644 index 0000000..e503576 --- /dev/null +++ b/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch 
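Review bot: The Security.cxx hunk changes the default of `GnuTLSPriority` from `"NORMAL"` to `""`, but the parameter description still does not say what an empty value means. Extending it, e.g. `"GnuTLS priority string that controls the TLS session's handshake algorithms (empty: use the GnuTLS default priority)"`, would show this in the parameter help output. The Xvnc.man text added in the same patch says NORMAL is the default for GnuTLS < 3.6.3. In the code of the earlier hunks NORMAL is only used in the anonymous `#else` branch, and the non-anonymous path sets no priority in setParam/setParams, so that wording may need narrowing.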
@@ -0,0 +1,113 @@ +From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Tue, 1 Feb 2022 14:31:05 +0100 +Subject: Add vncsession-restore script to restore SELinux context + +The vncsession-restore script is used in the ExecStartPre option +for systemd service file in order to properly start the session +in case the policy is updated (e.g. after Tigervnc update). + +diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt +index bce1c3e..44c4e2a 100644 +--- a/unix/vncserver/CMakeLists.txt ++++ b/unix/vncserver/CMakeLists.txt +@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c) + target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) + + configure_file(vncserver@.service.in vncserver@.service @ONLY) ++configure_file(vncsession-restore.in vncsession-restore @ONLY) + configure_file(vncsession-start.in vncsession-start @ONLY) + configure_file(vncserver.in vncserver @ONLY) + +@@ -17,4 +18,5 @@ install(FILES vncserver.users DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/tiger + if(INSTALL_SYSTEMD_UNITS) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR}) + install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) ++ install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) + endif() +diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in +index 5624dff..be62c85 100644 +--- a/unix/vncserver/vncserver@.service.in ++++ b/unix/vncserver/vncserver@.service.in +@@ -35,6 +35,7 @@ After=syslog.target network.target + + [Service] + Type=forking ++ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i + ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i + PIDFile=/run/vncsession-%i.pid + SELinuxContext=system_u:system_r:vnc_session_t:s0 +diff --git a/unix/vncserver/vncsession-restore.in 
b/unix/vncserver/vncsession-restore.in +new file mode 100644 +index 00000000..d3abc57d +--- /dev/null ++++ b/unix/vncserver/vncsession-restore.in +@@ -0,0 +1,68 @@ ++#!/bin/bash ++# ++# Copyright 2022 Jan Grulich ++# ++# This is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This software is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this software; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++# ++ ++USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users" ++ ++if [ $# -ne 1 ]; then ++ echo "Syntax:" >&2 ++ echo " $0 " >&2 ++ exit 1 ++fi ++ ++if [ ! -f "${USERSFILE}" ]; then ++ echo "Users file ${USERSFILE} missing" >&2 ++ exit 1 ++fi ++ ++DISPLAY="$1" ++ ++USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'` ++ ++if [ -z "${USER}" ]; then ++ echo "No user configured for display ${DISPLAY}" >&2 ++ exit 1 ++fi ++ ++USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:` ++ ++if [ -z "${USER_HOMEDIR}" ]; then ++ echo "Failed to get home directory for ${USER}" >&2 ++ exit 1 ++fi ++ ++if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then ++ exit 0 ++fi ++ ++MATCHPATHCON=`which matchpathcon` ++ ++if [ $? -eq 0 ]; then ++ ${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null ++ if [ $? -eq 0 ]; then ++ exit 0 ++ fi ++fi ++ ++RESTORECON=`which restorecon` ++ ++if [ $? -eq 0 ]; then ++ exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2 ++ return $? ++fi 
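Review bot: The last block of vncsession-restore.in runs `exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2` and then `return $?`. The `return` is reached only if exec fails, and it is not valid outside a function, so it should be dropped or replaced by `exit $?`. Earlier in the script `getent passwd ${USER}` expands the name unquoted and `${DISPLAY}` is interpolated into the grep pattern as a regular expression. `USER_HOMEDIR=$(getent passwd "${USER}" | cut -f6 -d:)`, plus a check that `$1` has the expected display form before the grep, would be more robust. This matters more than usual because the unit file invokes the script through `ExecStartPre=+`, i.e. with full privileges, and it then relabels recursively inside a directory owned by the session user. A short comment stating that, and that `.vnc` is expected to be a real directory and not a symlink, would help the next maintainer.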
diff --git a/SOURCES/tigervnc-working-tls-on-fips-systems.patch b/SOURCES/tigervnc-working-tls-on-fips-systems.patch new file mode 100644 index 0000000..5337ac6 --- /dev/null +++ b/SOURCES/tigervnc-working-tls-on-fips-systems.patch 
@@ -0,0 +1,120 @@ +diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx +index d5ef47e..ef5d8c9 100644 +--- a/common/rfb/SSecurityTLS.cxx ++++ b/common/rfb/SSecurityTLS.cxx +@@ -37,7 +37,23 @@ + #include + #include + +-#define DH_BITS 1024 /* XXX This should be configurable! */ ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) ++/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */ ++static unsigned char ffdhe2048[] = ++ "-----BEGIN DH PARAMETERS-----\n" ++ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" ++ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" ++ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" ++ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" ++ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" ++ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n" ++ "-----END DH PARAMETERS-----\n"; ++ ++static const gnutls_datum_t ffdhe_pkcs3_param = { ++ ffdhe2048, ++ sizeof(ffdhe2048) ++}; ++#endif + + using namespace rfb; + +@@ -50,10 +66,14 @@ StringParameter SSecurityTLS::X509_KeyFile + static LogWriter vlog("TLS"); + + SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon) +- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL), ++ : SSecurity(sc), session(NULL), anon_cred(NULL), + cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL), + rawis(NULL), rawos(NULL) + { ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) ++ dh_params = NULL; ++#endif ++ + certfile = X509_CertFile.getData(); + keyfile = X509_KeyFile.getData(); + +@@ -70,10 +90,12 @@ void SSecurityTLS::shutdown() + } + } + ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + if (dh_params) { + gnutls_dh_params_deinit(dh_params); + dh_params = 0; + } ++#endif + + if (anon_cred) { + gnutls_anon_free_server_credentials(anon_cred); +@@ -198,17 +220,21 @@ void SSecurityTLS::setParams(gnutls_session_t session) + throw AuthFailureException("gnutls_set_priority_direct failed"); + } + 
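Review bot: `ffdhe_pkcs3_param` is initialised with `sizeof(ffdhe2048)`, which counts the string literal's terminating NUL as part of the PEM data; `sizeof(ffdhe2048) - 1` is the actual length. The importer probably tolerates the extra byte, but the datum should describe the data exactly. The embedded group is introduced only as "FFDHE (RFC-7919) 2048-bit parameters", so a more precise comment such as `/* ffdhe2048 group from RFC 7919, Appendix A.1, PEM-encoded PKCS#3 */` would let a reader verify the constant against the RFC.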
++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_init failed"); + +- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_dh_params_generate2 failed"); ++ if (gnutls_dh_params_import_pkcs3(dh_params, &ffdhe_pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS) ++ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed"); ++#endif + + if (anon) { + if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_anon_allocate_server_credentials failed"); + ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + gnutls_anon_set_server_dh_params(anon_cred, dh_params); ++#endif + + if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) + != GNUTLS_E_SUCCESS) +@@ -220,7 +246,9 @@ void SSecurityTLS::setParams(gnutls_session_t session) + if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); + ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + gnutls_certificate_set_dh_params(cert_cred, dh_params); ++#endif + + switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) { + case GNUTLS_E_SUCCESS: +diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h +index dd89bb4..0cb463d 100644 +--- a/common/rfb/SSecurityTLS.h ++++ b/common/rfb/SSecurityTLS.h +@@ -36,6 +36,13 @@ + #include + #include + ++/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead. ++ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it. 
++ */ ++#if GNUTLS_VERSION_NUMBER < 0x030600 ++#define SSECURITYTLS__USE_DEPRECATED_DH ++#endif ++ + namespace rfb { + + class SSecurityTLS : public SSecurity { +@@ -55,7 +62,9 @@ namespace rfb { + + private: + gnutls_session_t session; ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + gnutls_dh_params_t dh_params; ++#endif + gnutls_anon_server_credentials_t anon_cred; + gnutls_certificate_credentials_t cert_cred; + char *keyfile, *certfile; diff --git a/SOURCES/tigervnc-xserver120.patch b/SOURCES/tigervnc-xserver120.patch new file mode 100644 index 0000000..e7eae3c --- /dev/null +++ b/SOURCES/tigervnc-xserver120.patch 
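Review bot: The macro `SSECURITYTLS__USE_DEPRECATED_DH` defined in SSecurityTLS.h contains a double underscore, and C++ reserves every identifier containing `__` for the implementation; `SSECURITYTLS_USE_DEPRECATED_DH` avoids that. The block comment above the `#if` explains the GnuTLS 3.6.0 boundary but not what the macro switches on. An extra line such as `/* When defined, the server imports fixed RFC 7919 ffdhe2048 parameters instead of relying on GnuTLS's built-in groups. */` would make the intent clear. The macro is also tested in the SSecurityTLS.cxx hunks of the same patch, so a rename has to cover those uses as well.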
@@ -0,0 +1,91 @@ +diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac +--- xserver/configure.ac.xserver116-rebased 2016-09-29 13:14:45.595441590 +0200 ++++ xserver/configure.ac 2016-09-29 13:14:45.631442006 +0200 +@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x + AC_CONFIG_HEADERS(include/version-config.h) + + AM_PROG_AS ++AC_PROG_CXX + AC_PROG_LN_S + LT_PREREQ([2.2]) + LT_INIT([disable-static win32-dll]) +@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then + AC_SUBST([XVFB_SYS_LIBS]) + fi + ++dnl Xvnc DDX ++AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"]) ++AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"]) ++AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"]) + + dnl Xnest DDX + +@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then + fi + AC_MSG_RESULT([$XORG]) + ++AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) ++ + if test "x$XORG" = xyes; then + XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common' + XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os' +@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then + AC_DEFINE(XORG_SERVER, 1, [Building Xorg server]) + AC_DEFINE(XORGSERVER, 1, [Building Xorg server]) + AC_DEFINE(XFree86Server, 1, [Building XFree86 server]) +- AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) + AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs]) + AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions]) + AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server]) +@@ -2691,6 +2697,7 @@ hw/dmx/Makefile + hw/dmx/man/Makefile + hw/vfb/Makefile + hw/vfb/man/Makefile ++hw/vnc/Makefile + hw/xnest/Makefile + 
hw/xnest/man/Makefile + hw/xwin/Makefile +diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am +--- xserver/hw/Makefile.am.xserver116-rebased 2016-09-29 13:14:45.601441659 +0200 ++++ xserver/hw/Makefile.am 2016-09-29 13:14:45.631442006 +0200 +@@ -38,7 +38,8 @@ SUBDIRS = \ + $(DMX_SUBDIRS) \ + $(KDRIVE_SUBDIRS) \ + $(XQUARTZ_SUBDIRS) \ +- $(XWAYLAND_SUBDIRS) ++ $(XWAYLAND_SUBDIRS) \ ++ vnc + + DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland + +diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c +index 5596e21..003fc3c 100644 +--- xserver/mi/miinitext.c ++++ xserver/mi/miinitext.c +@@ -107,8 +107,15 @@ SOFTWARE. + #include "os.h" + #include "globals.h" + ++#ifdef TIGERVNC ++extern void vncExtensionInit(INITARGS); ++#endif ++ + /* List of built-in (statically linked) extensions */ + static const ExtensionModule staticExtensions[] = { ++#ifdef TIGERVNC ++ {vncExtensionInit, "VNC-EXTENSION", NULL}, ++#endif + {GEExtensionInit, "Generic Event Extension", &noGEExtension}, + {ShapeExtensionInit, "SHAPE", NULL}, + #ifdef MITSHM +--- xserver/include/os.h~ 2016-10-03 09:07:29.000000000 +0200 ++++ xserver/include/os.h 2016-10-03 14:13:00.013654506 +0200 +@@ -621,7 +621,7 @@ + extern _X_EXPORT void + LogClose(enum ExitCode error); + extern _X_EXPORT Bool +-LogSetParameter(LogParameter param, int value); ++LogSetParameter(enum _LogParameter param, int value); + extern _X_EXPORT void + LogVWrite(int verb, const char *f, va_list args) + _X_ATTRIBUTE_PRINTF(2, 0); diff --git a/SOURCES/vncserver b/SOURCES/vncserver new file mode 100644 index 0000000..ae7c3a3 --- /dev/null +++ b/SOURCES/vncserver 
@@ -0,0 +1,897 @@ +#!/usr/bin/perl +# +# Copyright (C) 2009-2010 D. R. Commander. All Rights Reserved. +# Copyright (C) 2005-2006 Sun Microsystems, Inc. All Rights Reserved. +# Copyright (C) 2002-2003 Constantin Kaplinsky. All Rights Reserved. +# Copyright (C) 2002-2005 RealVNC Ltd. +# Copyright (C) 1999 AT&T Laboratories Cambridge. All Rights Reserved. +# +# This is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This software is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this software; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. +# + +# +# vncserver - wrapper script to start an X VNC server. +# + +# First make sure we're operating in a sane environment. +$exedir = ""; +$slashndx = rindex($0, "/"); +if($slashndx>=0) { + $exedir = substr($0, 0, $slashndx+1); +} + +&SanityCheck(); + +&NotifyAboutDeprecation(); + +# +# Global variables. You may want to configure some of these for +# your site +# + +$geometry = "1024x768"; +#$depth = 16; + +$vncUserDir = "$ENV{HOME}/.vnc"; +$vncUserConfig = "$vncUserDir/config"; + +$vncSystemConfigDir = "/etc/tigervnc"; +$vncSystemConfigDefaultsFile = "$vncSystemConfigDir/vncserver-config-defaults"; +$vncSystemConfigMandatoryFile = "$vncSystemConfigDir/vncserver-config-mandatory"; + +$skipxstartup = 0; +$xauthorityFile = "$ENV{XAUTHORITY}" || "$ENV{HOME}/.Xauthority"; + +$xstartupFile = $vncUserDir . "/xstartup"; +$defaultXStartup + = ("#!/bin/sh\n\n". + "unset SESSION_MANAGER\n". 
+ "unset DBUS_SESSION_BUS_ADDRESS\n". + "/etc/X11/xinit/xinitrc\n". + "# Assume either Gnome will be started by default when installed\n". + "# We want to kill the session automatically in this case when user logs out. In case you modify\n". + "# /etc/X11/xinit/Xclients or ~/.Xclients yourself to achieve a different result, then you should\n". + "# be responsible to modify below code to avoid that your session will be automatically killed\n". + "if [ -e /usr/bin/gnome-session ]; then\n". + " vncserver -kill \$DISPLAY\n". + "fi\n"); + +$defaultConfig + = ("## Supported server options to pass to vncserver upon invocation can be listed\n". + "## in this file. See the following manpages for more: vncserver(1) Xvnc(1).\n". + "## Several common ones are shown below. Uncomment and modify to your liking.\n". + "##\n". + "# securitytypes=vncauth,tlsvnc\n". + "# desktop=sandbox\n". + "# geometry=2000x1200\n". + "# localhost\n". + "# alwaysshared\n"); + +chop($host = `uname -n`); + +if (-d "/etc/X11/fontpath.d") { + $fontPath = "catalogue:/etc/X11/fontpath.d"; +} + +@fontpaths = ('/usr/share/X11/fonts', '/usr/share/fonts', '/usr/share/fonts/X11/'); +if (! -l "/usr/lib/X11") {push(@fontpaths, '/usr/lib/X11/fonts');} +if (! -l "/usr/X11") {push(@fontpaths, '/usr/X11/lib/X11/fonts');} +if (! -l "/usr/X11R6") {push(@fontpaths, '/usr/X11R6/lib/X11/fonts');} +push(@fontpaths, '/usr/share/fonts/default'); + +@fonttypes = ('misc', + '75dpi', + '100dpi', + 'Speedo', + 'Type1'); + +foreach $_fpath (@fontpaths) { + foreach $_ftype (@fonttypes) { + if (-f "$_fpath/$_ftype/fonts.dir") { + if (! 
-l "$_fpath/$_ftype") { + $defFontPath .= "$_fpath/$_ftype,"; + } + } + } +} + +if ($defFontPath) { + if (substr($defFontPath, -1, 1) == ',') { + chop $defFontPath; + } +} + +if ($fontPath eq "") { + $fontPath = $defFontPath; +} + +# Check command line options + +&ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1, + "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1); + +&Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'}); + +&Kill() if ($opt{'-kill'}); + +&List() if ($opt{'-list'}); + +# Uncomment this line if you want default geometry, depth and pixelformat +# to match the current X display: +# &GetXDisplayDefaults(); + +if ($opt{'-geometry'}) { + $geometry = $opt{'-geometry'}; +} +if ($opt{'-depth'}) { + $depth = $opt{'-depth'}; + $pixelformat = ""; +} +if ($opt{'-pixelformat'}) { + $pixelformat = $opt{'-pixelformat'}; +} +if ($opt{'-noxstartup'}) { + $skipxstartup = 1; +} +if ($opt{'-xstartup'}) { + $xstartupFile = $opt{'-xstartup'}; +} +if ($opt{'-fp'}) { + $fontPath = $opt{'-fp'}; + $fpArgSpecified = 1; +} + +&CheckGeometryAndDepth(); + +# Create the user's vnc directory if necessary. +if (!(-e $vncUserDir)) { + if (!mkdir($vncUserDir,0755)) { + die "$prog: Could not create $vncUserDir.\n"; + } +} + +# Find display number. +if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) { + $displayNumber = $1; + shift(@ARGV); + if (!&CheckDisplayNumber($displayNumber)) { + die "A VNC server is already running as :$displayNumber\n"; + } +} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) { + &Usage(); +} else { + $displayNumber = &GetDisplayNumber(); +} + +$vncPort = 5900 + $displayNumber; + +if ($opt{'-name'}) { + $desktopName = $opt{'-name'}; +} else { + $desktopName = "$host:$displayNumber ($ENV{USER})"; +} + +my %default_opts; +my %config; + +# We set some reasonable defaults. Config file settings +# override these where present. 
+$default_opts{desktop} = "edString($desktopName); +$default_opts{auth} = "edString($xauthorityFile); +$default_opts{geometry} = $geometry if ($geometry); +$default_opts{depth} = $depth if ($depth); +$default_opts{pixelformat} = $pixelformat if ($pixelformat); +$default_opts{rfbwait} = 30000; +$default_opts{rfbauth} = "$vncUserDir/passwd"; +$default_opts{rfbport} = $vncPort; +$default_opts{fp} = $fontPath if ($fontPath); +$default_opts{pn} = ""; + +# Load user-overrideable system defaults +LoadConfig($vncSystemConfigDefaultsFile); + +# Then the user's settings +LoadConfig($vncUserConfig); + +# And then override anything set above if mandatory settings exist. +# WARNING: "Mandatory" is used loosely here! As the man page says, +# there is nothing stopping someone from EASILY subverting the +# settings in $vncSystemConfigMandatoryFile by simply passing +# CLI args to vncserver, which trump config files! To properly +# hard force policy in a non-subvertible way would require major +# development work that touches Xvnc itself. +LoadConfig($vncSystemConfigMandatoryFile, 1); + +# +# Check whether VNC authentication is enabled, and if so, prompt the user to +# create a VNC password if they don't already have one. +# + +$securityTypeArgSpecified = 0; +$vncAuthEnabled = 0; +$passwordArgSpecified = 0; +@vncAuthStrings = ("vncauth", "tlsvnc", "x509vnc"); + +# ...first we check our configuration files' settings +if ($config{'securitytypes'}) { + $securityTypeArgSpecified = 1; + foreach $arg2 (split(',', $config{'securitytypes'})) { + if (grep {$_ eq lc($arg2)} @vncAuthStrings) { + $vncAuthEnabled = 1; + } + } +} + +# ...and finally we check CLI args, which in the case of the topic at +# hand (VNC auth or not), override anything found in configuration files +# (even so-called "mandatory" settings). 
+for ($i = 0; $i < @ARGV; ++$i) { + # -SecurityTypes can be followed by a space or "=" + my @splitargs = split('=', $ARGV[$i]); + if (@splitargs <= 1 && $i < @ARGV - 1) { + push(@splitargs, $ARGV[$i + 1]); + } + if (lc(@splitargs[0]) eq "-securitytypes") { + if (@splitargs > 1) { + $securityTypeArgSpecified = 1; + } + foreach $arg2 (split(',', @splitargs[1])) { + if (grep {$_ eq lc($arg2)} @vncAuthStrings) { + $vncAuthEnabled = 1; + } + } + } + if ((lc(@splitargs[0]) eq "-password") + || (lc(@splitargs[0]) eq "-passwordfile" + || (lc(@splitargs[0]) eq "-rfbauth"))) { + $passwordArgSpecified = 1; + } +} + +if ((!$securityTypeArgSpecified || $vncAuthEnabled) && !$passwordArgSpecified) { + ($z,$z,$mode) = stat("$vncUserDir/passwd"); + if (!(-e "$vncUserDir/passwd") || ($mode & 077)) { + warn "\nYou will require a password to access your desktops.\n\n"; + system($exedir."vncpasswd -q $vncUserDir/passwd"); + if (($? >> 8) != 0) { + exit 1; + } + } +} + +$desktopLog = "$vncUserDir/$host:$displayNumber.log"; +unlink($desktopLog); + +# Make an X server cookie and set up the Xauthority file +# mcookie is a part of util-linux, usually only GNU/Linux systems have it. +$cookie = `mcookie`; +# Fallback for non GNU/Linux OS - use /dev/urandom on systems that have it, +# otherwise use perl's random number generator, seeded with the sum +# of the current time, our PID and part of the encrypted form of the password. +if ($cookie eq "" && open(URANDOM, '<', '/dev/urandom')) { + my $randata; + if (sysread(URANDOM, $randata, 16) == 16) { + $cookie = unpack 'h*', $randata; + } + close(URANDOM); +} +if ($cookie eq "") { + srand(time+$$+unpack("L",`cat $vncUserDir/passwd`)); + for (1..16) { + $cookie .= sprintf("%02x", int(rand(256)) % 256); + } +} + +open(XAUTH, "|xauth -f $xauthorityFile source -"); +print XAUTH "add $host:$displayNumber . $cookie\n"; +print XAUTH "add $host/unix:$displayNumber . 
$cookie\n"; +close(XAUTH); + +# Now start the X VNC Server + +# We build up our Xvnc command with options +$cmd = $exedir."Xvnc :$displayNumber"; + +foreach my $k (sort keys %config) { + $cmd .= " -$k $config{$k}"; + delete $default_opts{$k}; # file options take precedence +} + +foreach my $k (sort keys %default_opts) { + $cmd .= " -$k $default_opts{$k}"; +} + +# Add color database stuff here, e.g.: +# $cmd .= " -co /usr/lib/X11/rgb"; + +foreach $arg (@ARGV) { + $cmd .= " " . "edString($arg); +} +$cmd .= " >> " . "edString($desktopLog) . " 2>&1"; + +# Run $cmd and record the process ID. +$pidFile = "$vncUserDir/$host:$displayNumber.pid"; +system("$cmd & echo \$! >$pidFile"); + +# Give Xvnc a chance to start up + +sleep(3); +if ($fontPath ne $defFontPath) { + unless (kill 0, `cat $pidFile`) { + if ($fpArgSpecified) { + warn "\nWARNING: The first attempt to start Xvnc failed, probably because the font\n"; + warn "path you specified using the -fp argument is incorrect. Attempting to\n"; + warn "determine an appropriate font path for this system and restart Xvnc using\n"; + warn "that font path ...\n"; + } else { + warn "\nWARNING: The first attempt to start Xvnc failed, possibly because the font\n"; + warn "catalog is not properly configured. Attempting to determine an appropriate\n"; + warn "font path for this system and restart Xvnc using that font path ...\n"; + } + $cmd =~ s@-fp [^ ]+@@; + $cmd .= " -fp $defFontPath" if ($defFontPath); + system("$cmd & echo \$! >$pidFile"); + sleep(3); + } +} +unless (kill 0, `cat $pidFile`) { + warn "Could not start Xvnc.\n\n"; + unlink $pidFile; + open(LOG, "<$desktopLog"); + while () { print; } + close(LOG); + die "\n"; +} + +warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n"; + +# Create the user's xstartup script if necessary. +if (! 
$skipxstartup) { + if (!(-e "$xstartupFile")) { + warn "Creating default startup script $xstartupFile\n"; + open(XSTARTUP, ">$xstartupFile"); + print XSTARTUP $defaultXStartup; + close(XSTARTUP); + chmod 0755, "$xstartupFile"; + } +} + +# Create the user's config file if necessary. +if (!(-e "$vncUserDir/config")) { + warn "Creating default config $vncUserDir/config\n"; + open(VNCUSERCONFIG, ">$vncUserDir/config"); + print VNCUSERCONFIG $defaultConfig; + close(VNCUSERCONFIG); + chmod 0644, "$vncUserDir/config"; +} + +# Run the X startup script. +if (! $skipxstartup) { + warn "Starting applications specified in $xstartupFile\n"; +} +warn "Log file is $desktopLog\n\n"; + +# If the unix domain socket exists then use that (DISPLAY=:n) otherwise use +# TCP (DISPLAY=host:n) + +if (-e "/tmp/.X11-unix/X$displayNumber" || + -e "/usr/spool/sockets/X11/$displayNumber") +{ + $ENV{DISPLAY}= ":$displayNumber"; +} else { + $ENV{DISPLAY}= "$host:$displayNumber"; +} +$ENV{VNCDESKTOP}= $desktopName; + +if ($opt{'-fg'}) { + if (! $skipxstartup) { + system("$xstartupFile >> " . "edString($desktopLog) . " 2>&1"); + } + if (kill 0, `cat $pidFile`) { + $opt{'-kill'} = ':'.$displayNumber; + &Kill(); + } +} else { + if ($opt{'-autokill'}) { + if (! $skipxstartup) { + system("($xstartupFile; $0 -kill :$displayNumber) >> " + . "edString($desktopLog) . " 2>&1 &"); + } + } else { + if (! $skipxstartup) { + system("$xstartupFile >> " . "edString($desktopLog) + . " 2>&1 &"); + } + } +} + +exit; + +############################################################################### +# Functions +############################################################################### + +# +# Populate the global %config hash with settings from a specified +# vncserver configuration file if it exists +# +# Args: 1. file path +# 2. 
optional boolean flag to enable warning when a previously +# set configuration setting is being overridden +# +sub LoadConfig { + local ($configFile, $warnoverride) = @_; + local ($toggle) = undef; + + if (stat($configFile)) { + if (open(IN, $configFile)) { + while () { + next if /^#/; + if (my ($k, $v) = /^\s*(\w+)\s*=\s*(.+)$/) { + $k = lc($k); # must normalize key case + if ($k eq "session") { + next; + } + if ($warnoverride && $config{$k}) { + print("Warning: $configFile is overriding previously defined '$k' to be '$v'\n"); + } + $config{$k} = $v; + } elsif ($_ =~ m/^\s*(\S+)/) { + # We can't reasonably warn on override of toggles (e.g. AlwaysShared) + # because it would get crazy to do so. We'd have to check if the + # current config file being loaded defined the logical opposite setting + # (NeverShared vs. AlwaysShared, etc etc). + $toggle = lc($1); # must normalize key case + $config{$toggle} = $k; + } + } + close(IN); + } + } +} + +# +# CheckGeometryAndDepth simply makes sure that the geometry and depth values +# are sensible. +# + +sub CheckGeometryAndDepth +{ + if ($geometry =~ /^(\d+)x(\d+)$/) { + $width = $1; $height = $2; + + if (($width<1) || ($height<1)) { + die "$prog: geometry $geometry is invalid\n"; + } + + $geometry = "${width}x$height"; + } else { + die "$prog: geometry $geometry is invalid\n"; + } + + if ($depth && (($depth < 8) || ($depth > 32))) { + die "Depth must be between 8 and 32\n"; + } +} + + +# +# GetDisplayNumber gets the lowest available display number. A display number +# n is taken if something is listening on the VNC server port (5900+n) or the +# X server port (6000+n). +# + +sub GetDisplayNumber +{ + foreach $n (1..99) { + if (&CheckDisplayNumber($n)) { + return $n+0; # Bruce Mah's workaround for bug in perl 5.005_02 + } + } + + die "$prog: no free display number on $host.\n"; +} + + +# +# CheckDisplayNumber checks if the given display number is available. 
A +# display number n is taken if something is listening on the VNC server port +# (5900+n) or the X server port (6000+n). +# + +sub CheckDisplayNumber +{ + local ($n) = @_; + + socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n"; + eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))'; + if (!bind(S, pack('S n x12', $AF_INET, 6000 + $n))) { + close(S); + return 0; + } + close(S); + + socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n"; + eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))'; + if (!bind(S, pack('S n x12', $AF_INET, 5900 + $n))) { + close(S); + return 0; + } + close(S); + + if (-e "/tmp/.X$n-lock") { + warn "\nWarning: $host:$n is taken because of /tmp/.X$n-lock\n"; + warn "Remove this file if there is no X server $host:$n\n"; + return 0; + } + + if (-e "/tmp/.X11-unix/X$n") { + warn "\nWarning: $host:$n is taken because of /tmp/.X11-unix/X$n\n"; + warn "Remove this file if there is no X server $host:$n\n"; + return 0; + } + + if (-e "/usr/spool/sockets/X11/$n") { + warn("\nWarning: $host:$n is taken because of ". + "/usr/spool/sockets/X11/$n\n"); + warn "Remove this file if there is no X server $host:$n\n"; + return 0; + } + + return 1; +} + + +# +# GetXDisplayDefaults uses xdpyinfo to find out the geometry, depth and pixel +# format of the current X display being used. If successful, it sets the +# options as appropriate so that the X VNC server will use the same settings +# (minus an allowance for window manager decorations on the geometry). Using +# the same depth and pixel format means that the VNC server won't have to +# translate pixels when the desktop is being viewed on this X display (for +# TrueColor displays anyway). 
+# + +sub GetXDisplayDefaults +{ + local (@lines, @matchlines, $width, $height, $defaultVisualId, $i, + $red, $green, $blue); + + $wmDecorationWidth = 4; # a guess at typical size for window manager + $wmDecorationHeight = 24; # decoration size + + return if (!defined($ENV{DISPLAY})); + + @lines = `xdpyinfo 2>/dev/null`; + + return if ($? != 0); + + @matchlines = grep(/dimensions/, @lines); + if (@matchlines) { + ($width, $height) = ($matchlines[0] =~ /(\d+)x(\d+) pixels/); + + $width -= $wmDecorationWidth; + $height -= $wmDecorationHeight; + + $geometry = "${width}x$height"; + } + + @matchlines = grep(/default visual id/, @lines); + if (@matchlines) { + ($defaultVisualId) = ($matchlines[0] =~ /id:\s+(\S+)/); + + for ($i = 0; $i < @lines; $i++) { + if ($lines[$i] =~ /^\s*visual id:\s+$defaultVisualId$/) { + if (($lines[$i+1] !~ /TrueColor/) || + ($lines[$i+2] !~ /depth/) || + ($lines[$i+4] !~ /red, green, blue masks/)) + { + return; + } + last; + } + } + + return if ($i >= @lines); + + ($depth) = ($lines[$i+2] =~ /depth:\s+(\d+)/); + ($red,$green,$blue) + = ($lines[$i+4] + =~ /masks:\s+0x([0-9a-f]+), 0x([0-9a-f]+), 0x([0-9a-f]+)/); + + $red = hex($red); + $green = hex($green); + $blue = hex($blue); + + if ($red > $blue) { + $red = int(log($red) / log(2)) - int(log($green) / log(2)); + $green = int(log($green) / log(2)) - int(log($blue) / log(2)); + $blue = int(log($blue) / log(2)) + 1; + $pixelformat = "rgb$red$green$blue"; + } else { + $blue = int(log($blue) / log(2)) - int(log($green) / log(2)); + $green = int(log($green) / log(2)) - int(log($red) / log(2)); + $red = int(log($red) / log(2)) + 1; + $pixelformat = "bgr$blue$green$red"; + } + } +} + + +# +# quotedString returns a string which yields the original string when parsed +# by a shell. +# + +sub quotedString +{ + local ($in) = @_; + + $in =~ s/\'/\'\"\'\"\'/g; + + return "'$in'"; +} + + +# +# removeSlashes turns slashes into underscores for use as a file name. 
+# + +sub removeSlashes +{ + local ($in) = @_; + + $in =~ s|/|_|g; + + return "$in"; +} + + +# +# Usage +# + +sub Usage +{ + die("\nusage: $prog [:] [-name ] [-depth ]\n". + " [-geometry x]\n". + " [-pixelformat rgbNNN|bgrNNN]\n". + " [-fp ]\n". + " [-cc ]\n". + " [-fg]\n". + " [-autokill]\n". + " [-noxstartup]\n". + " [-xstartup ]\n". + " ...\n\n". + " $prog -kill \n\n". + " $prog -list\n\n"); +} + + +# +# List +# + +sub List +{ + opendir(dir, $vncUserDir); + my @filelist = readdir(dir); + closedir(dir); + print "\nTigerVNC server sessions:\n\n"; + print "X DISPLAY #\tPROCESS ID\n"; + foreach my $file (@filelist) { + if ($file =~ /$host:(\d+)$\.pid/) { + chop($tmp_pid = `cat $vncUserDir/$file`); + if (kill 0, $tmp_pid) { + print ":".$1."\t\t".`cat $vncUserDir/$file`; + } else { + unlink ($vncUserDir . "/" . $file); + } + } + } + exit; +} + + +# +# Kill +# + +sub Kill +{ + $opt{'-kill'} =~ s/(:\d+)\.\d+$/$1/; # e.g. turn :1.0 into :1 + + if ($opt{'-kill'} =~ /^:\d+$/) { + $pidFile = "$vncUserDir/$host$opt{'-kill'}.pid"; + } else { + if ($opt{'-kill'} !~ /^$host:/) { + die "\nCan't tell if $opt{'-kill'} is on $host\n". + "Use -kill : instead\n\n"; + } + $pidFile = "$vncUserDir/$opt{'-kill'}.pid"; + } + + if (! -r $pidFile) { + die "\nCan't find file $pidFile\n". + "You'll have to kill the Xvnc process manually\n\n"; + } + + $SIG{'HUP'} = 'IGNORE'; + chop($pid = `cat $pidFile`); + warn "Killing Xvnc process ID $pid\n"; + + if (kill 0, $pid) { + system("kill $pid"); + sleep(1); + if (kill 0, $pid) { + print "Xvnc seems to be deadlocked. Kill the process manually and then re-run\n"; + print " ".$0." 
-kill ".$opt{'-kill'}."\n"; + print "to clean up the socket files.\n"; + exit + } + + } else { + warn "Xvnc process ID $pid already killed\n"; + $opt{'-kill'} =~ s/://; + + if (-e "/tmp/.X11-unix/X$opt{'-kill'}") { + print "Xvnc did not appear to shut down cleanly."; + print " Removing /tmp/.X11-unix/X$opt{'-kill'}\n"; + unlink "/tmp/.X11-unix/X$opt{'-kill'}"; + } + if (-e "/tmp/.X$opt{'-kill'}-lock") { + print "Xvnc did not appear to shut down cleanly."; + print " Removing /tmp/.X$opt{'-kill'}-lock\n"; + unlink "/tmp/.X$opt{'-kill'}-lock"; + } + } + + unlink $pidFile; + exit; +} + + +# +# ParseOptions takes a list of possible options and a boolean indicating +# whether the option has a value following, and sets up an associative array +# %opt of the values of the options given on the command line. It removes all +# the arguments it uses from @ARGV and returns them in @optArgs. +# + +sub ParseOptions +{ + local (@optval) = @_; + local ($opt, @opts, %valFollows, @newargs); + + while (@optval) { + $opt = shift(@optval); + push(@opts,$opt); + $valFollows{$opt} = shift(@optval); + } + + @optArgs = (); + %opt = (); + + arg: while (defined($arg = shift(@ARGV))) { + foreach $opt (@opts) { + if ($arg eq $opt) { + push(@optArgs, $arg); + if ($valFollows{$opt}) { + if (@ARGV == 0) { + &Usage(); + } + $opt{$opt} = shift(@ARGV); + push(@optArgs, $opt{$opt}); + } else { + $opt{$opt} = 1; + } + next arg; + } + } + push(@newargs,$arg); + } + + @ARGV = @newargs; +} + + +# Routine to make sure we're operating in a sane environment. +sub SanityCheck +{ + local ($cmd); + + # Get the program name + ($prog) = ($0 =~ m|([^/]+)$|); + + # + # Check we have all the commands we'll need on the path. 
+ # + + cmd: + foreach $cmd ("uname","xauth") { + for (split(/:/,$ENV{PATH})) { + if (-x "$_/$cmd") { + next cmd; + } + } + die "$prog: couldn't find \"$cmd\" on your PATH.\n"; + } + + if($exedir eq "") { + cmd2: + foreach $cmd ("Xvnc","vncpasswd") { + for (split(/:/,$ENV{PATH})) { + if (-x "$_/$cmd") { + next cmd2; + } + } + die "$prog: couldn't find \"$cmd\" on your PATH.\n"; + } + } + else { + cmd3: + foreach $cmd ($exedir."Xvnc",$exedir."vncpasswd") { + for (split(/:/,$ENV{PATH})) { + if (-x "$cmd") { + next cmd3; + } + } + die "$prog: couldn't find \"$cmd\".\n"; + } + } + + if (!defined($ENV{HOME})) { + die "$prog: The HOME environment variable is not set.\n"; + } + + # + # Find socket constants. 'use Socket' is a perl5-ism, so we wrap it in an + # eval, and if it fails we try 'require "sys/socket.ph"'. If this fails, + # we just guess at the values. If you find perl moaning here, just + # hard-code the values of AF_INET and SOCK_STREAM. You can find these out + # for your platform by looking in /usr/include/sys/socket.h and related + # files. + # + + chop($os = `uname`); + chop($osrev = `uname -r`); + + eval 'use Socket'; + if ($@) { + eval 'require "sys/socket.ph"'; + if ($@) { + if (($os eq "SunOS") && ($osrev !~ /^4/)) { + $AF_INET = 2; + $SOCK_STREAM = 2; + } else { + $AF_INET = 2; + $SOCK_STREAM = 1; + } + } else { + $AF_INET = &AF_INET; + $SOCK_STREAM = &SOCK_STREAM; + } + } else { + $AF_INET = &AF_INET; + $SOCK_STREAM = &SOCK_STREAM; + } +} + +sub NotifyAboutDeprecation +{ + warn "\nWARNING: vncserver has been replaced by a systemd unit and is now considered deprecated and removed in upstream.\n"; + warn "Please read /usr/share/doc/tigervnc/HOWTO.md for more information.\n"; +} diff --git a/SOURCES/vncserver.man b/SOURCES/vncserver.man new file mode 100644 index 0000000..2641ed1 --- /dev/null +++ b/SOURCES/vncserver.man 
@@ -0,0 +1,204 @@ +.TH vncserver 1 "" "TigerVNC" "Virtual Network Computing" +.SH NAME +vncserver \- start or stop a VNC server +.SH SYNOPSIS +.B vncserver +.RI [: display# ] +.RB [ \-name +.IR desktop-name ] +.RB [ \-geometry +.IR width x height ] +.RB [ \-depth +.IR depth ] +.RB [ \-pixelformat +.IR format ] +.RB [ \-fp +.IR font-path ] +.RB [ \-fg ] +.RB [ \-autokill ] +.RB [ \-noxstartup ] +.RB [ \-xstartup +.IR script ] +.RI [ Xvnc-options... ] +.br +.BI "vncserver \-kill :" display# +.br +.BI "vncserver \-list" +.SH DESCRIPTION +.B vncserver +is used to start a VNC (Virtual Network Computing) desktop. +.B vncserver +is a Perl script which simplifies the process of starting an Xvnc server. It +runs Xvnc with appropriate options and starts a window manager on the VNC +desktop. + +.B vncserver +can be run with no options at all. In this case it will choose the first +available display number (usually :1), start Xvnc with that display number, +and start the default window manager in the Xvnc session. You can also +specify the display number, in which case vncserver will attempt to start +Xvnc with that display number and exit if the display number is not +available. For example: + +.RS +vncserver :13 +.RE + +Editing the file $HOME/.vnc/xstartup allows you to change the applications run +at startup (but note that this will not affect an existing VNC session.) + +.SH OPTIONS +You can get a list of options by passing \fB\-h\fP as an option to vncserver. +In addition to the options listed below, any unrecognised options will be +passed to Xvnc - see the Xvnc man page, or "Xvnc \-help", for details. + +.TP +.B \-name \fIdesktop-name\fP +Each VNC desktop has a name which may be displayed by the viewer. The desktop +name defaults to "\fIhost\fP:\fIdisplay#\fP (\fIusername\fP)", but you can +change it with this option. 
The desktop name option is passed to the xstartup +script via the $VNCDESKTOP environment variable, which allows you to run a +different set of applications depending on the name of the desktop. +. +.TP +.B \-geometry \fIwidth\fPx\fIheight\fP +Specify the size of the VNC desktop to be created. Default is 1024x768. +. +.TP +.B \-depth \fIdepth\fP +Specify the pixel depth (in bits) of the VNC desktop to be created. Default is +24. Other possible values are 8, 15 and 16 - anything else is likely to cause +strange behaviour by applications. +. +.TP +.B \-pixelformat \fIformat\fP +Specify pixel format for Xvnc to use (BGRnnn or RGBnnn). The default for +depth 8 is BGR233 (meaning the most significant two bits represent blue, the +next three green, and the least significant three represent red), the default +for depth 16 is RGB565, and the default for depth 24 is RGB888. +. +.TP +.B \-cc 3 +As an alternative to the default TrueColor visual, this allows you to run an +Xvnc server with a PseudoColor visual (i.e. one which uses a color map or +palette), which can be useful for running some old X applications which only +work on such a display. Values other than 3 (PseudoColor) and 4 (TrueColor) +for the \-cc option may result in strange behaviour, and PseudoColor desktops +must have an 8-bit depth. +. +.TP +.B \-kill :\fIdisplay#\fP +This kills a VNC desktop previously started with vncserver. It does this by +killing the Xvnc process, whose process ID is stored in the file +"$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid". The +.B \-kill +option ignores anything preceding the first colon (":") in the display +argument. Thus, you can invoke "vncserver \-kill $DISPLAY", for example at the +end of your xstartup file after a particular application exits. +. +.TP +.B \-fp \fIfont-path\fP +If the vncserver script detects that the X Font Server (XFS) is running, it +will attempt to start Xvnc and configure Xvnc to use XFS for font handling. 
+Otherwise, if XFS is not running, the vncserver script will attempt to start +Xvnc and allow Xvnc to use its own preferred method of font handling (which may +be a hard-coded font path or, on more recent systems, a font catalog.) In +any case, if Xvnc fails to start, the vncserver script will then attempt to +determine an appropriate X font path for this system and start Xvnc using +that font path. + +The +.B \-fp +argument allows you to override the above fallback logic and specify a font +path for Xvnc to use. +. +.TP +.B \-fg +Runs Xvnc as a foreground process. This has two effects: (1) The VNC server +can be aborted with CTRL-C, and (2) the VNC server will exit as soon as the +user logs out of the window manager in the VNC session. This may be necessary +when launching TigerVNC from within certain grid computing environments. +. +.TP +.B \-autokill +Automatically kill Xvnc whenever the xstartup script exits. In most cases, +this has the effect of terminating Xvnc when the user logs out of the window +manager. +. +.TP +.B \-noxstartup +Do not run the %HOME/.vnc/xstartup script after launching Xvnc. This +option allows you to manually start a window manager in your TigerVNC session. +. +.TP +.B \-xstartup \fIscript\fP +Run a custom startup script, instead of %HOME/.vnc/xstartup, after launching +Xvnc. This is useful to run full-screen applications. +. +.TP +.B \-list +Lists all VNC desktops started by vncserver. + +.SH FILES +Several VNC-related files are found in the directory $HOME/.vnc: +.TP +$HOME/.vnc/xstartup +A shell script specifying X applications to be run when a VNC desktop is +started. If this file does not exist, then vncserver will create a default +xstartup script which attempts to launch your chosen window manager. +.TP +/etc/tigervnc/vncserver-config-defaults +The optional system-wide equivalent of $HOME/.vnc/config. If this file exists +and defines options to be passed to Xvnc, they will be used as defaults for +users. 
The user's $HOME/.vnc/config overrides settings configured in this file. +The overall configuration file load order is: this file, $HOME/.vnc/config, +and then /etc/tigervnc/vncserver-config-mandatory. None are required to exist. +.TP +/etc/tigervnc/vncserver-config-mandatory +The optional system-wide equivalent of $HOME/.vnc/config. If this file exists +and defines options to be passed to Xvnc, they will override any of the same +options defined in a user's $HOME/.vnc/config. This file offers a mechanism +to establish some basic form of system-wide policy. WARNING! There is +nothing stopping users from constructing their own vncserver-like script +that calls Xvnc directly to bypass any options defined in +/etc/tigervnc/vncserver-config-mandatory. Likewise, any CLI arguments passed +to vncserver will override ANY config file setting of the same name. The +overall configuration file load order is: +/etc/tigervnc/vncserver-config-defaults, $HOME/.vnc/config, and then this file. +None are required to exist. +.TP +$HOME/.vnc/config +An optional server config file wherein options to be passed to Xvnc are listed +to avoid hard-coding them to the physical invocation. List options in this file +one per line. For those requiring an argument, simply separate the option from +the argument with an equal sign, for example: "geometry=2000x1200" or +"securitytypes=vncauth,tlsvnc". Options without an argument are simply listed +as a single word, for example: "localhost" or "alwaysshared". +.TP +$HOME/.vnc/passwd +The VNC password file. +.TP +$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.log +The log file for Xvnc and applications started in xstartup. +.TP +$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid +Identifies the Xvnc process ID, used by the +.B \-kill +option. + +.SH SEE ALSO +.BR vncviewer (1), +.BR vncpasswd (1), +.BR vncconfig (1), +.BR Xvnc (1) +.br +https://www.tigervnc.org + +.SH AUTHOR +Tristan Richardson, RealVNC Ltd., D. R. Commander and others. 
+
+VNC was originally developed by the RealVNC team while at Olivetti
+Research Ltd / AT&T Laboratories Cambridge. TightVNC additions were
+implemented by Constantin Kaplinsky. Many other people have since
+participated in development, testing and support. This manual is part
+of the TigerVNC software suite.
diff --git a/SOURCES/xvnc.service b/SOURCES/xvnc.service
new file mode 100644
index 0000000..3471e1f
--- /dev/null
+++ b/SOURCES/xvnc.service
@@ -0,0 +1,38 @@
+# The vncserver service unit file
+#
+# Quick HowTo:
+# 1. Copy this file to /etc/systemd/system/xvnc@.service
+# 2. Copy xvnc.socket to /etc/systemd/system/xvnc.socket
+# 3. Run `systemctl daemon-reload`
+# 4. Run `systemctl enable xvnc.socket`
+#
+# DO NOT RUN THIS SERVICE if your local area network is
+# untrusted! For a secure way of using VNC, you should
+# limit connections to the local host and then tunnel from
+# the machine you want to view VNC on (host A) to the machine
+# whose VNC output you want to view (host B)
+#
+# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
+#
+# this will open a connection on port 590N of your hostA to hostB's port 590M
+# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
+# See the ssh man page for details on port forwarding)
+#
+# You can then point a VNC client on hostA at vncdisplay N of localhost and with
+# the help of ssh, you end up seeing what hostB makes available on port 590M
+#
+# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
+#
+# Use "-localhost" to prevent remote VNC clients connecting except when
+# doing so through a secure tunnel. See the "-via" option in the
+# `man vncviewer' manual page.
+
+
+[Unit]
+Description=XVNC Per-Connection Daemon
+
+[Service]
+ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None
+User=nobody
+StandardInput=socket
+StandardError=syslog
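Review bot: The `ExecStart` line runs Xvnc with `-SecurityTypes=None`, and the companion xvnc.socket hunk binds `ListenStream=5900` with no address, so once the socket is enabled any host that can reach port 5900 gets an RFB session with no VNC authentication or encryption, protected only by whatever login the `-query localhost` target presents. The header comment already tells the admin to limit connections to the local host and tunnel over ssh, but with `-inetd` and `StandardInput=socket` the listener belongs to systemd, so that restriction has to live in the socket unit: `ListenStream=127.0.0.1:5900`. I would also put a comment directly above `ExecStart`, `# SecurityTypes=None: no VNC password or TLS; only expose this behind a loopback-bound socket and an ssh tunnel`, so the default is visibly deliberate rather than something an admin copies unread. Separately, `StandardError=syslog` is deprecated in current systemd releases; `StandardError=journal` is the supported value.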
diff --git a/SOURCES/xvnc.socket b/SOURCES/xvnc.socket
new file mode 100644
index 0000000..9b3f92d
--- /dev/null
+++ b/SOURCES/xvnc.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=XVNC Server
+
+[Socket]
+ListenStream=5900
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec
new file mode 100644
index 0000000..f878f7d
--- /dev/null
+++ b/SPECS/tigervnc.spec
@@ -0,0 +1,1133 @@ + +#defining macros needed by SELinux +%global selinuxtype targeted +%global modulename vncsession + +Name: tigervnc +Version: 1.11.0 +Release: 21%{?dist} +Summary: A TigerVNC remote display system + +%global _hardened_build 1 + +License: GPLv2+ +URL: http://www.tigervnc.com + +Source0: %{name}-%{version}.tar.gz +Source1: xvnc.service +Source2: xvnc.socket +Source3: 10-libvnc.conf +Source4: HOWTO.md + +# Backwards compatibility +Source5: vncserver +Source6: vncserver.man + +Patch1: tigervnc-use-gnome-as-default-session.patch + +# Upstream patches (can be dropped with next Tigervnc release) +Patch51: tigervnc-let-user-know-about-not-using-view-only-password.patch +Patch52: tigervnc-working-tls-on-fips-systems.patch +Patch53: tigervnc-utilize-system-crypto-policies.patch +Patch54: tigervnc-passwd-crash-with-malloc-checks.patch +Patch55: tigervnc-tolerate-specifying-boolparam.patch +Patch56: tigervnc-systemd-service.patch +Patch57: tigervnc-correctly-start-vncsession-as-daemon.patch +Patch58: tigervnc-selinux-missing-compression-and-correct-location.patch +Patch59: tigervnc-selinux-policy-improvements.patch +Patch60: tigervnc-argb-runtime-ximage-byteorder-selection.patch +Patch61: tigervnc-selinux-restore-context-in-case-of-different-policies.patch +Patch62: tigervnc-root-user-selinux-context.patch +Patch63: tigervnc-vncsession-restore-script-systemd-service.patch + +# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg +Patch100: tigervnc-xserver120.patch +# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start +Patch101: 0001-rpath-hack.patch + +BuildRequires: make +BuildRequires: gcc-c++ +BuildRequires: libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint +BuildRequires: libXext-devel, xorg-x11-server-source, libXi-devel +BuildRequires: xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel +BuildRequires: libxkbfile-devel, openssl-devel, libpciaccess-devel +BuildRequires: 
mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils +BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel +BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel +BuildRequires: libdrm-devel, libXt-devel, pixman-devel, +BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel +%if 0%{?fedora} > 24 || 0%{?rhel} >= 7 +BuildRequires: libXfont2-devel +%else +BuildRequires: libXfont-devel +%endif + +# TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support +# See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814 +BuildRequires: fltk-devel >= 1.3.3 +BuildRequires: xorg-x11-server-devel + +Requires(post): coreutils +Requires(postun):coreutils + +Requires: hicolor-icon-theme +Requires: tigervnc-license +Requires: tigervnc-icons + +%description +Virtual Network Computing (VNC) is a remote display system which +allows you to view a computing 'desktop' environment not only on the +machine where it is running, but from anywhere on the Internet and +from a wide variety of machine architectures. This package contains a +client which will allow you to connect to other desktops running a VNC +server. + +%package server +Summary: A TigerVNC server +Requires: perl-interpreter +Requires: tigervnc-server-minimal = %{version}-%{release} +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +Requires: xorg-x11-xauth +Requires: xorg-x11-xinit +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): systemd + +%description server +The VNC system allows you to access the same desktop from a wide +variety of platforms. This package includes set of utilities +which make usage of TigerVNC server more user friendly. It also +contains x0vncserver program which can export your active +X session. 
+ +%package server-minimal +Summary: A minimal installation of TigerVNC server +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): systemd + +Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp +Requires: tigervnc-license, dbus-x11 + +%description server-minimal +The VNC system allows you to access the same desktop from a wide +variety of platforms. This package contains minimal installation +of TigerVNC server, allowing others to access the desktop on your +machine. + +%package server-module +Summary: TigerVNC module to Xorg +Requires: xorg-x11-server-Xorg %(xserver-sdk-abi-requires ansic) %(xserver-sdk-abi-requires videodrv) +Requires: tigervnc-license + +%description server-module +This package contains libvnc.so module to X server, allowing others +to access the desktop on your machine. + +%package license +Summary: License of TigerVNC suite +BuildArch: noarch + +%description license +This package contains license of the TigerVNC suite + +%package icons +Summary: Icons for TigerVNC viewer +BuildArch: noarch + +%description icons +This package contains icons for TigerVNC viewer + +%package selinux +Summary: SELinux module for TigerVNC +BuildArch: noarch +BuildRequires: selinux-policy-devel +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +This package provides the SELinux policy module to ensure TigerVNC +runs properly under an environment with SELinux enabled. + +%prep +%setup -q + +cp -r /usr/share/xorg-x11-server-source/* unix/xserver +pushd unix/xserver +for all in `find . 
-type f -perm -001`; do + chmod -x "$all" +done +%patch100 -p1 -b .xserver120-rebased +%patch101 -p1 -b .rpath +popd + +%patch1 -p1 -b .use-gnome-as-default-session + +# Upstream patches +%patch51 -p1 -b .let-user-know-about-not-using-view-only-password +%patch52 -p1 -b .working-tls-on-fips-systems +%patch53 -p1 -b .utilize-system-crypto-policies +%patch54 -p1 -b .passwd-crash-with-malloc-checks +%patch55 -p1 -b .tolerate-specifying-boolparam +%patch56 -p1 -b .systemd-service +%patch57 -p1 -b .correctly-start-vncsession-as-daemon +%patch58 -p1 -b .selinux-missing-compression-and-correct-location +%patch59 -p1 -b .selinux-policy-improvements +%patch60 -p1 -b .argb-runtime-ximage-byteorder-selection +%patch61 -p1 -b .selinux-restore-context-in-case-of-different-policies +%patch62 -p1 -b .root-user-selinux-context +%patch63 -p1 -b .vncsession-restore-script-systemd-service + +%build +%ifarch sparcv9 sparc64 s390 s390x +export CFLAGS="$RPM_OPT_FLAGS -fPIC" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpic" +%endif +export CXXFLAGS="$CFLAGS -std=c++11" + +%define __cmake_builddir %{_target_platform} + +mkdir -p %{%__cmake_builddir} + +%cmake + +%cmake_build + +pushd unix/xserver + +%if 0%{?fedora} > 32 || 0%{?rhel} >= 9 +sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am +%endif + +autoreconf -fiv +%configure \ + --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \ + --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \ + --with-pic --disable-static \ + --with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \ + --with-fontdir=%{_datadir}/X11/fonts \ + --with-xkb-output=%{_localstatedir}/lib/xkb \ + --enable-install-libxf86config \ + --enable-glx --disable-dri --enable-dri2 --disable-dri3 \ + --disable-unit-tests \ + --disable-config-hal \ + --disable-config-udev \ + --with-dri-driver-path=%{_libdir}/dri \ + --without-dtrace \ + --disable-devel-docs \ + 
--disable-selective-werror + +make %{?_smp_mflags} +popd + +# Build icons +%if 0%{?fedora} > 32 || 0%{?rhel} >= 9 +pushd %{_target_platform}/media +%else +pushd media +%endif +make +popd + +# SELinux +pushd unix/vncserver/selinux +make +popd + +%install +%cmake_install +rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT} + +pushd unix/xserver/hw/vnc +%make_install +popd + +# Install systemd unit file +pushd unix/vncserver/selinux +make install DESTDIR=%{buildroot} +popd + +# Install systemd unit file +install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service +install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket + +# Install desktop stuff +mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps + +pushd media/icons +for s in 16 24 48; do +install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png +done +popd + +%if 0%{?rhel} > 9 +# Install a replacement for /usr/bin/vncserver which will tell the user to read the +# HOWTO.md file +cat < %{buildroot}/%{_bindir}/vncserver +#!/bin/bash +echo "vncserver has been replaced by a systemd unit." +echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information." 
+EOF +chmod +x %{buildroot}/%{_bindir}/vncserver +%else +rm -f %{buildroot}/%{_mandir}/man8/vncserver.8 + +install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver +install -m 644 %{SOURCE6} %{buildroot}/%{_mandir}/man8/vncserver.8 +%endif + +%find_lang %{name} %{name}.lang + +# remove unwanted files +rm -f %{buildroot}%{_libdir}/xorg/modules/extensions/libvnc.la + +mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/ +install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf + +install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md + +%post server +%systemd_post xvnc@.service +%systemd_post xvnc.socket + +%preun server +%systemd_preun xvnc@.service +%systemd_preun xvnc.socket + +%postun server +%systemd_postun xvnc@.service +%systemd_postun xvnc.socket + +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + %selinux_relabel_post -s %{selinuxtype} +fi + + +%files -f %{name}.lang +%doc README.rst +%{_bindir}/vncviewer +%{_datadir}/applications/* +%{_mandir}/man1/vncviewer.1* + +%files server +%config(noreplace) %{_sysconfdir}/pam.d/tigervnc +%config(noreplace) %{_sysconfdir}/tigervnc/vncserver-config-defaults +%config(noreplace) %{_sysconfdir}/tigervnc/vncserver-config-mandatory +%config(noreplace) %{_sysconfdir}/tigervnc/vncserver.users +%{_unitdir}/vncserver@.service +%{_unitdir}/xvnc@.service +%{_unitdir}/xvnc.socket +%{_bindir}/vncserver +%{_bindir}/x0vncserver +%{_sbindir}/vncsession +%{_libexecdir}/vncserver +%{_libexecdir}/vncsession-start +%{_libexecdir}/vncsession-restore +%{_mandir}/man1/x0vncserver.1* +%{_mandir}/man8/vncserver.8* +%{_mandir}/man8/vncsession.8* +%{_docdir}/tigervnc/HOWTO.md + +%files server-minimal +%{_bindir}/vncconfig 
+%{_bindir}/vncpasswd +%{_bindir}/Xvnc +%{_mandir}/man1/Xvnc.1* +%{_mandir}/man1/vncpasswd.1* +%{_mandir}/man1/vncconfig.1* + +%files server-module +%{_libdir}/xorg/modules/extensions/libvnc.so +%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf + +%files license +%{_docdir}/tigervnc/LICENCE.TXT + +%files icons +%{_datadir}/icons/hicolor/*/apps/* + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} + +%changelog +* Mon Feb 07 2022 Jan Grulich - 1.11.0-21 +- Added vncsession-restore script for SELinux policy migration + Fix SELinux context for root user + Resolves: bz#2049506 + +* Fri Nov 26 2021 Jan Grulich - 1.11.0-20 +- Rebuild for absence in RHEL 9.0 + Resolves: bz#1985858 + +* Mon Aug 16 2021 Jan Grulich - 1.11.0-19 +- Sync upstream patches + drop unused patches + Resolves: bz#1985858 + +* Tue Aug 10 2021 Mohan Boddu - 1.11.0-18 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Mon Jul 19 2021 Jan Grulich - 1.11.0-17 +- Fix logout from VNC session using vncserver + Resolves: bz#1983704 + +* Tue Jun 01 2021 Jan Grulich - 1.11.0-16 +- Bump version for rebuild (binutils) + Resolves: bz#1961488 + +* Mon May 17 2021 Jan Grulich - 1.11.0-14 +- SELinux improvements + Resolves: bz#1961488 + +- Fix endianness issue on s390x + Resolves: bz#1963029 + +* Fri Apr 16 2021 Mohan Boddu - 1.11.0-13 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937 + +* Mon Mar 08 2021 Jan Grulich - 1.11.0-12 +- Include RHEL8 patches + +* Fri Mar 05 2021 Jan Grulich - 1.11.0-11 +- Enable old vncserver script for RHEL 9 + +* Wed Jan 27 2021 Fedora Release Engineering - 1.11.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 07:45:46 CET 2020 Jan Grulich - 1.11.0-9 +- vncserver: ignore new session parameter from the new systemd support + +* Fri Nov 13 14:08:29 CET 2020 Jan Grulich - 1.11.0-8 +- Use /run instead of /var/run which is just a symlink + +* Thu Nov 05 2020 Peter Hutterer 1.11.0-7 +- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had + Provides xkbcomp for years. + +* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich - 1.11.0-6 +- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration +- Revert removal of vncserver for F32 and F33 + +* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich - 1.11.0-5 +- Actually install the HOWTO.md file + +* Wed Sep 23 2020 Jan Grulich - 1.11.0-4 +- Call systemd macros on correct service file + +* Tue Sep 22 2020 Jan Grulich - 1.11.0-3 +- Do not overwrite libvnc.conf config file + +* Thu Sep 17 2020 Jan Grulich - 1.11.0-2 +- Add /usr/bin/vncserver file informing users to read the HOWTO.md file + +* Wed Sep 09 2020 Jan Grulich - 1.11.0-1 +- 1.11.0 + +* Mon Aug 24 2020 Jan Grulich - 1.10.1-9 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-7 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Sat Jul 11 2020 Jiri Vanek - 1.10.1-6 +- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11 + +* Sun Apr 19 2020 Jan Grulich - 1.10.1-5 +- Requires: dbus-x11 + Resolves: bz#1825331 + +* Fri Mar 13 2020 Olivier Fourdan - 1.10.1-4 +- Fix build with 
xserver 1.20.7 + +* Fri Jan 31 2020 Fedora Release Engineering - 1.10.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Jan Grulich - 1.10.1-2 +- Build with -std=c++11 + +* Fri Dec 20 2019 Jan Grulich - 1.10.1-1 +- Update to 1.10.1 + +* Tue Dec 10 2019 Jan Grulich - 1.10.0-2 +- Properly install systemd files + +* Mon Nov 18 2019 Jan Grulich - 1.10.0-1 +- Update to 1.10.0 + +* Fri Oct 18 2019 Jan Grulich - 1.9.90-1 +- Update to 1.9.90 (1.10 beta) +- Add systemd user service file +- Use a wrapper for systemd system service file to workaround systemd limitations + +* Sat Jul 27 2019 Fedora Release Engineering - 1.9.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jul 19 2019 Dan Horák - 1.9.0-6 +- drop the s390x special handling (related #1727029) + +* Wed Jun 12 2019 Jan Grulich - 1.9.0-5 +- Add missing arguments to systemd_postun scriptlets + Resolves: bz#1716411 + +* Sun Feb 03 2019 Fedora Release Engineering - 1.9.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Sep 25 2018 Jan Grulich - 1.9.0-3 +- Do not crash passwd when using malloc perturb checks + Resolves: bz#1631483 + +* Wed Aug 01 2018 Jan Grulich - 1.9.0-2 +- Ignore buttons in mouse leave events + Resolves: bz#1609516 + +* Tue Jul 17 2018 Jan Grulich - 1.9.0-1 +- Update to 1.9.0 + +* Sat Jul 14 2018 Fedora Release Engineering - 1.8.90-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jul 4 2018 Peter Robinson 1.8.90-2 +- Clean up spec: use macros consistenly, drop old sys-v migrations +- Drop ancient obsolete/provides + +* Thu Jun 14 2018 Jan Grulich - 1.8.90-1 +- Update to 1.8.90 + +* Wed Jun 13 2018 Jan Grulich - 1.8.0-10 +- Fix tigervnc systemd unit file + Resolves: bz#1583159 + +* Wed Jun 06 2018 Adam Jackson - 1.8.0-9 +- Fix GLX initialization with 1.20 + +* Wed Apr 04 2018 Adam Jackson - 1.8.0-8 +- Rebuild for xserver 1.20 + +* Fri Feb 09 2018 Fedora Release 
Engineering - 1.8.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 18 2018 Igor Gnatenko - 1.8.0-6 +- Remove obsolete scriptlets + +* Fri Dec 15 2017 Jan Grulich - 1.8.0-5 +- Properly initialize tigervnc when started as systemd service + +* Thu Aug 03 2017 Fedora Release Engineering - 1.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jul 13 2017 Petr Pisar - 1.8.0-2 +- perl dependency renamed to perl-interpreter + + +* Wed May 17 2017 Jan Grulich - 1.8.0-1 +- Update to 1.8.0 + +* Thu Apr 20 2017 Jan Grulich - 1.7.90-1 +- Update to 1.7.90 (beta) + +* Thu Apr 06 2017 Jan Grulich - 1.7.1-4 +- Added systemd unit file for xvnc + Resolves: bz#891802 + +* Tue Apr 04 2017 Jan Grulich - 1.7.1-3 +- Bug 1438704 - CVE-2017-7392 CVE-2017-7393 CVE-2017-7394 + CVE-2017-7395 CVE-2017-7396 tigervnc: various flaws + + other upstream related fixes + +* Sat Feb 11 2017 Fedora Release Engineering - 1.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 19 2017 Jan Grulich - 1.7.1-1 +- Update to 1.7.1 + +* Mon Jan 9 2017 Hans de Goede - 1.7.0-6 +- Fix -inetd no longer working (rhbz#1408724) + +* Wed Nov 30 2016 Jan Grulich - 1.7.0-5 +- Fix broken vncserver.service file + +* Wed Nov 23 2016 Jan Grulich - 1.7.0-4 +- Improve instructions in vncserver.service + Resolves: bz#1397207 + +* Tue Oct 4 2016 Hans de Goede - 1.7.0-3 +- Update tigervnc-1.7.0-xserver119-support.patch to also request write + notfication when necessary + +* Mon Oct 3 2016 Hans de Goede - 1.7.0-2 +- Add patches for use with xserver-1.19 +- Rebuild against xserver-1.19 +- Cleanup specfile a bit + +* Mon Sep 12 2016 Jan Grulich - 1.7.0-1 +- Update to 1.7.0 + +* Mon Jul 18 2016 Jan Grulich - 1.6.90-1 +- Update to 1.6.90 (1.7.0 beta) + +* Wed Jun 01 2016 Jan Grulich - 1.6.0-6 +- Try 
to pickup upstream fix for compatibility with gtk vnc clients + +* Wed Jun 01 2016 Jan Grulich - 1.6.0-5 +- Re-enable patch4 again, will need to find a way to make this work on both sides + +* Mon May 23 2016 Jan Grulich - 1.6.0-4 +- Utilize system-wide crypto policies + Resolves: bz#1179345 +- Try to disable patch4 as it was previously written to support an + older version of a different client and breaks some other usage + Resolves: bz#1280440 + +* Fri Feb 05 2016 Fedora Release Engineering - 1.6.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 13 2016 Jan Grulich - 1.6.0-2 +- Update systemd service file + Resolves: bz#1211789 + +* Mon Jan 04 2016 Jan Grulich - 1.6.0-1 +- Update to 1.6.0 + +* Tue Dec 01 2015 Jan Grulich - 1.5.90-1 +- Update to 1.5.90 (1.6.0 beta) + +* Thu Nov 19 2015 Jan Grulich - 1.5.0-4 +- rebuild against final xorg server 1.18 release (bug #1279146) + +* Tue Sep 22 2015 Kalev Lember - 1.5.0-3 +- xorg server 1.18 ABI rebuild + +* Fri Aug 21 2015 Jan Grulich - 1.5.0-2 +- Do not fail with -inetd option + +* Wed Aug 19 2015 Jan Grulich - 1.5.0-1 +- 1.5.0 + +* Tue Aug 04 2015 Kevin Fenzi - 1.4.3-12 +- Rebuild to fix broken deps and build against xorg 1.18 prerelease + +* Thu Jun 25 2015 Tim Waugh - 1.4.3-11 +- Rebuilt (bug #1235603). + +* Fri Jun 19 2015 Fedora Release Engineering - 1.4.3-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon May 04 2015 Kalev Lember - 1.4.3-8 +- Rebuilt for nettle soname bump + +* Wed Apr 22 2015 Tim Waugh - 1.4.3-7 +- Removed incorrect parameters from vncviewer manpage (bug #1213199). + +* Tue Apr 21 2015 Tim Waugh - 1.4.3-6 +- Use full git hash for GitHub tarball release. + +* Fri Apr 10 2015 Tim Waugh - 1.4.3-5 +- Explicit version build dependency for fltk (bug #1208814). + +* Thu Apr 9 2015 Tim Waugh - 1.4.3-4 +- Drop upstream xorg-x11-server patch as it is now built (bug #1210407). 
+ +* Thu Apr 9 2015 Tim Waugh - 1.4.3-3 +- Apply upstream patch to fix byte order (bug #1206060). + +* Fri Mar 6 2015 Tim Waugh - 1.4.3-2 +- Don't disable Xinerama extension (upstream #147). + +* Mon Mar 2 2015 Tim Waugh - 1.4.3-1 +- 1.4.3. + +* Tue Feb 24 2015 Tim Waugh - 1.4.2-3 +- Use calloc instead of xmalloc. +- Removed unnecessary configure flags. + +* Wed Feb 18 2015 Rex Dieter 1.4.2-2 +- rebuild (fltk) + +* Fri Feb 13 2015 Tim Waugh - 1.4.2-1 +- Rebased xserver116.patch against xorg-x11-server-1.17.1. +- Allow build against xorg-x11-server-1.17. +- 1.4.2. + +* Tue Sep 9 2014 Tim Waugh - 1.3.1-11 +- Added missing part of xserver114.patch (bug #1137023). + +* Wed Sep 3 2014 Tim Waugh - 1.3.1-10 +- Fix build against xorg-x11-server-1.16.0 (bug #1136532). + +* Mon Aug 18 2014 Fedora Release Engineering - 1.3.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Jul 15 2014 Tim Waugh - 1.3.1-8 +- Input reset fixes from upstream (bug #1116956). +- No longer need ppc64le patch as it's now in xorg-x11-server. +- Rebased xserver114.patch again. + +* Fri Jun 20 2014 Hans de Goede - 1.3.1-7 +- xserver 1.15.99.903 ABI rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.3.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 22 2014 Tim Waugh 1.3.1-5 +- Keep pointer in sync when using module (upstream bug #152). + +* Mon Apr 28 2014 Adam Jackson 1.3.1-4 +- Add version interlocks for -server-module + +* Mon Apr 28 2014 Hans de Goede - 1.3.1-3 +- xserver 1.15.99-20140428 git snapshot ABI rebuild + +* Mon Apr 7 2014 Tim Waugh 1.3.1-2 +- Allow build with dri3 and present extensions (bug #1063392). + +* Thu Mar 27 2014 Tim Waugh 1.3.1-1 +- 1.3.1 (bug #1078806). +- Add ppc64le support (bug #1078495). + +* Wed Mar 19 2014 Tim Waugh 1.3.0-15 +- Disable dri3 to enable building (bug #1063392). +- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). 
+ +* Fri Feb 21 2014 Tim Waugh 1.3.0-14 +- Enabled hardened build (bug #955206). + +* Mon Feb 10 2014 Tim Waugh 1.3.0-13 +- Clearer xstartup file (bug #923655). + +* Tue Jan 14 2014 Tim Waugh 1.3.0-12 +- Fixed instructions in systemd unit file. + +* Fri Jan 10 2014 Tim Waugh 1.3.0-11 +- Fixed viewer crash when cursor has not been set (bug #1038701). + +* Thu Dec 12 2013 Tim Waugh 1.3.0-10 +- Avoid invalid read when ZRLE connection closed (upstream bug #133). + +* Tue Dec 3 2013 Tim Waugh 1.3.0-9 +- Fixed build failure with -Werror=format-security (bug #1037358). + +* Thu Nov 07 2013 Adam Jackson 1.3.0-8 +- Rebuild against xserver 1.15RC1 + +* Tue Sep 24 2013 Tim Waugh 1.3.0-7 +- Removed incorrect patch (for unexpected key_is_down). Fixes stuck + keys bug (bug #989502). + +* Thu Sep 19 2013 Tim Waugh 1.3.0-6 +- Fixed typo in 10-libvnc.conf (bug #1009111). + +* Wed Sep 18 2013 Tim Waugh 1.3.0-5 +- Better fix for PIDFile problem (bug #983232). + +* Mon Aug 5 2013 Tim Waugh 1.3.0-4 +- Fixed doc-related build failure (bug #992790). + +* Wed Jul 24 2013 Tim Waugh 1.3.0-3 +- Avoid PIDFile problems in systemd unit file (bug #983232). +- libvnc.so: don't use unexported key_is_down function. +- Don't use shebang in vncserver script. + +* Fri Jul 12 2013 Tim Waugh 1.3.0-2 +- Renumbered patches. +- libvnc.so: don't use unexported GetMaster function (bug #744881 again). + +* Mon Jul 8 2013 Tim Waugh 1.3.0-1 +- 1.3.0. + +* Wed Jul 3 2013 Tim Waugh 1.2.80-0.18.20130314svn5065 +- Removed systemd_requires macro in order to fix the build. + +* Wed Jul 3 2013 Tim Waugh 1.2.80-0.17.20130314svn5065 +- Synchronise manpages and --help output (bug #980870). + +* Mon Jun 17 2013 Adam Jackson 1.2.80-0.16.20130314svn5065 +- tigervnc-setcursor-crash.patch: Attempt to paper over a crash in Xvnc when + setting the cursor. 
+ +* Sat Jun 08 2013 Dennis Gilmore 1.2.80-0.15.20130314svn5065 +- bump to rebuild and pick up bugfix causing X to crash on ppc and arm + +* Thu May 23 2013 Tim Waugh 1.2.80-0.14.20130314svn5065 +- Use systemd rpm macros (bug #850340). Moved systemd requirements + from main package to server sub-package. +- Applied Debian patch to fix busy loop when run from inetd in nowait + mode (bug #920373). +- Added dependency on xorg-x11-xinit to server sub-package so that + default window manager can be found (bug #896284, bug #923655). +- Fixed bogus changelog date. + +* Thu Mar 14 2013 Adam Jackson 1.2.80-0.13.20130314svn5065 +- Less RHEL customization + +* Thu Mar 14 2013 Adam Tkac - 1.2.80-0.12.20130314svn5065 +- include /etc/X11/xorg.conf.d/10-libvnc.conf sample configuration (#712482) +- vncserver now honors specified -geometry parameter (#755947) + +* Tue Mar 12 2013 Adam Tkac - 1.2.80-0.11.20130307svn5060 +- update to r5060 +- split icons to separate package to avoid multilib issues + +* Tue Feb 19 2013 Adam Tkac - 1.2.80-0.10.20130219svn5047 +- update to r5047 (X.Org 1.14 support) + +* Fri Feb 15 2013 Fedora Release Engineering - 1.2.80-0.9.20121126svn5015 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Jan 21 2013 Adam Tkac - 1.2.80-0.8.20121126svn5015 +- rebuild due to "jpeg8-ABI" feature drop + +* Wed Jan 16 2013 Adam Tkac 1.2.80-0.7.20121126svn5015 +- rebuild + +* Tue Dec 04 2012 Adam Tkac 1.2.80-0.6.20121126svn5015 +- rebuild against new fltk + +* Mon Nov 26 2012 Adam Tkac 1.2.80-0.5.20121126svn5015 +- update to r5015 +- build with -fpic instead of -fPIC on all archs except s390/sparc + +* Wed Nov 7 2012 Peter Robinson 1.2.80-0.4.20120905svn4996 +- Build with -fPIC to fix FTBFS on ARM + +* Wed Oct 31 2012 Adam Jackson 1.2.80-0.3.20120905svn4996 +- tigervnc12-xorg113-glx.patch: Fix to only init glx on the first server + generation + +* Fri Sep 28 2012 Adam Jackson 1.2.80-0.2.20120905svn4996 +- tigervnc12-xorg113-glx.patch: Re-enable 
GLX against xserver 1.13 + +* Fri Aug 17 2012 Adam Tkac 1.2.80-0.1.20120905svn4996 +- update to 1.2.80 +- remove deprecated patches + - tigervnc-102434.patch + - tigervnc-viewer-reparent.patch + - tigervnc11-java7.patch +- patches merged + - tigervnc11-xorg111.patch + - tigervnc11-xorg112.patch + +* Fri Aug 10 2012 Dave Airlie 1.1.0-10 +- fix build against newer X server + +* Mon Jul 23 2012 Adam Jackson 1.1.0-9 +- Build with the Composite extension for feature parity with other X servers + +* Sat Jul 21 2012 Fedora Release Engineering - 1.1.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jul 19 2012 Dave Airlie 1.1.0-7 +- fix building against X.org 1.13 + +* Wed Apr 04 2012 Adam Jackson 1.1.0-6 +- RHEL exclusion for -server-module on ppc* too + +* Mon Mar 26 2012 Adam Tkac - 1.1.0-5 +- clean Xvnc's /tmp environment in service file before startup +- fix building against the latest JAVA 7 and X.Org 1.12 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Nov 22 2011 Adam Tkac - 1.1.0-3 +- don't build X.Org devel docs (#755782) +- applet: BR generic java-devel instead of java-gcj-devel (#755783) +- use runuser to start Xvnc in systemd service file (#754259) +- don't attepmt to restart Xvnc session during update/erase (#753216) + +* Fri Nov 11 2011 Adam Tkac - 1.1.0-2 +- libvnc.so: don't use unexported GetMaster function (#744881) +- remove nasm buildreq + +* Mon Sep 12 2011 Adam Tkac - 1.1.0-1 +- update to 1.1.0 +- update the xorg11 patch +- patches merged + - tigervnc11-glx.patch + - tigervnc11-CVE-2011-1775.patch + - 0001-Use-memmove-instead-of-memcpy-in-fbblt.c-when-memory.patch + +* Thu Jul 28 2011 Adam Tkac - 1.0.90-6 +- add systemd service file and remove legacy SysV initscript (#717227) + +* Thu May 12 2011 Adam Tkac - 1.0.90-5 +- make Xvnc buildable against X.Org 1.11 + +* Tue May 10 2011 Adam Tkac - 1.0.90-4 +- viewer can send password 
without proper validation of X.509 certs + (CVE-2011-1775) + +* Wed Apr 13 2011 Adam Tkac - 1.0.90-3 +- fix wrong usage of memcpy which caused screen artifacts (#652590) +- don't point to inaccessible link in sysconfig/vncservers (#644975) + +* Fri Apr 08 2011 Adam Tkac - 1.0.90-2 +- improve compatibility with vinagre client (#692048) + +* Tue Mar 22 2011 Adam Tkac - 1.0.90-1 +- update to 1.0.90 + +* Wed Feb 09 2011 Fedora Release Engineering - 1.0.90-0.32.20110117svn4237 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Adam Tkac 1.0.90-0.31.20110117svn4237 +- fix libvnc.so module loading + +* Mon Jan 17 2011 Adam Tkac 1.0.90-0.30.20110117svn4237 +- update to r4237 +- patches merged + - tigervnc11-optionsdialog.patch + - tigervnc11-rh607866.patch + +* Fri Jan 14 2011 Adam Tkac 1.0.90-0.29.20101208svn4225 +- improve patch for keyboard issues + +* Fri Jan 14 2011 Adam Tkac 1.0.90-0.28.20101208svn4225 +- attempt to fix various keyboard-related issues (key repeating etc) + +* Fri Jan 07 2011 Adam Tkac 1.0.90-0.27.20101208svn4225 +- render "Ok" and "Cancel" buttons in the options dialog correctly + +* Wed Dec 15 2010 Jan Görig 1.0.90-0.26.20101208svn4225 +- added vncserver lock file (#662784) + +* Fri Dec 10 2010 Adam Tkac 1.0.90-0.25.20101208svn4225 +- update to r4225 +- patches merged + - tigervnc11-rh611677.patch + - tigervnc11-rh633931.patch + - tigervnc11-xorg1.10.patch +- enable VeNCrypt and PAM support + +* Mon Dec 06 2010 Adam Tkac 1.0.90-0.24.20100813svn4123 +- rebuild against xserver 1.10.X +- 0001-Return-Success-from-generate_modkeymap-when-max_keys.patch merged + +* Wed Sep 29 2010 jkeating - 1.0.90-0.23.20100813svn4123 +- Rebuilt for gcc bug 634757 + +* Tue Sep 21 2010 Adam Tkac 1.0.90-0.22.20100420svn4030 +- drop xorg-x11-fonts-misc dependency (#636170) + +* Tue Sep 21 2010 Adam Tkac 1.0.90-0.21.20100420svn4030 +- improve patch for #633645 (fix tcsh incompatibilities) + +* Thu Sep 16 2010 Adam Tkac 
1.0.90-0.20.20100813svn4123 +- press fake modifiers correctly (#633931) +- supress unneeded debug information emitted from initscript (#633645) + +* Wed Aug 25 2010 Adam Tkac 1.0.90-0.19.20100813svn4123 +- separate Xvnc, vncpasswd and vncconfig to -server-minimal subpkg (#626946) +- move license to separate subpkg and Requires it from main subpkgs +- Xvnc: handle situations when no modifiers exist well (#611677) + +* Fri Aug 13 2010 Adam Tkac 1.0.90-0.18.20100813svn4123 +- update to r4123 (#617973) +- add perl requires to -server subpkg (#619791) + +* Thu Jul 22 2010 Adam Tkac 1.0.90-0.17.20100721svn4113 +- update to r4113 +- patches merged + - tigervnc11-rh586406.patch + - tigervnc11-libvnc.patch + - tigervnc11-rh597172.patch + - tigervnc11-rh600070.patch + - tigervnc11-options.patch +- don't own %%{_datadir}/icons directory (#614301) +- minor improvements in the .desktop file (#616340) +- bundled libjpeg configure requires nasm; is executed even if system-wide + libjpeg is used + +* Fri Jul 02 2010 Adam Tkac 1.0.90-0.16.20100420svn4030 +- build against system-wide libjpeg-turbo (#494458) +- build no longer requires nasm + +* Mon Jun 28 2010 Adam Tkac 1.0.90-0.15.20100420svn4030 +- vncserver: accept <+optname> option when specified as the first one + +* Thu Jun 24 2010 Adam Tkac 1.0.90-0.14.20100420svn4030 +- fix memory leak in Xvnc input code (#597172) +- don't crash when receive negative encoding (#600070) +- explicitly disable udev configuration support +- add gettext-autopoint to BR + +* Mon Jun 14 2010 Adam Tkac 1.0.90-0.13.20100420svn4030 +- update URL about SSH tunneling in the sysconfig file (#601996) + +* Fri Jun 11 2010 Adam Tkac 1.0.90-0.12.20100420svn4030 +- use newer gettext +- autopoint now uses git instead of cvs, adjust BuildRequires appropriately + +* Thu May 13 2010 Adam Tkac 1.0.90-0.11.20100420svn4030 +- link libvnc.so "now" to catch "undefined symbol" errors during Xorg startup +- use always XkbConvertCase instead of XConvertCase (#580159, 
#586406) +- don't link libvnc.so against libXi.la, libdix.la and libxkb.la; use symbols + from Xorg instead + +* Thu May 13 2010 Adam Tkac 1.0.90-0.10.20100420svn4030 +- update to r4030 snapshot +- patches merged to upstream + - tigervnc11-rh522369.patch + - tigervnc11-rh551262.patch + - tigervnc11-r4002.patch + - tigervnc11-r4014.patch + +* Thu Apr 08 2010 Adam Tkac 1.0.90-0.9.20100219svn3993 +- add server-applet subpackage which contains Java vncviewer applet +- fix Java applet; it didn't work when run from web browser +- add xorg-x11-xkb-utils to server Requires + +* Fri Mar 12 2010 Adam Tkac 1.0.90-0.8.20100219svn3993 +- add French translation to vncviewer.desktop (thanks to Alain Portal) + +* Thu Mar 04 2010 Adam Tkac 1.0.90-0.7.20100219svn3993 +- don't crash during pixel format change (#522369, #551262) + +* Mon Mar 01 2010 Adam Tkac 1.0.90-0.6.20100219svn3993 +- add mesa-dri-drivers and xkeyboard-config to -server Requires +- update to r3993 1.0.90 snapshot + - tigervnc11-noexecstack.patch merged + - tigervnc11-xorg18.patch merged + - xserver18.patch is no longer needed + +* Wed Jan 27 2010 Jan Gorig 1.0.90-0.5.20091221svn3929 +- initscript LSB compliance fixes (#523974) + +* Fri Jan 22 2010 Adam Tkac 1.0.90-0.4.20091221svn3929 +- mark stack as non-executable in jpeg ASM code +- add xorg-x11-xauth to Requires +- add support for X.Org 1.8 +- drop shave sources, they are no longer needed + +* Thu Jan 21 2010 Adam Tkac 1.0.90-0.3.20091221svn3929 +- drop tigervnc-xorg25909.patch, it has been merged to X.Org upstream + +* Thu Jan 07 2010 Adam Tkac 1.0.90-0.2.20091221svn3929 +- add patch for upstream X.Org issue #25909 +- add libXdmcp-devel to build requires to build Xvnc with XDMCP support (#552322) + +* Mon Dec 21 2009 Adam Tkac 1.0.90-0.1.20091221svn3929 +- update to 1.0.90 snapshot +- patches merged + - tigervnc10-compat.patch + - tigervnc10-rh510185.patch + - tigervnc10-rh524340.patch + - tigervnc10-rh516274.patch + +* Mon Oct 26 2009 Adam Tkac 1.0.0-3 +- 
create Xvnc keyboard mapping before first keypress (#516274) + +* Thu Oct 08 2009 Adam Tkac 1.0.0-2 +- update underlying X source to 1.6.4-0.3.fc11 +- remove bogus '-nohttpd' parameter from /etc/sysconfig/vncservers (#525629) +- initscript LSB compliance fixes (#523974) +- improve -LowColorSwitch documentation and handling (#510185) +- honor dotWhenNoCursor option (and it's changes) every time (#524340) + +* Fri Aug 28 2009 Adam Tkac 1.0.0-1 +- update to 1.0.0 +- tigervnc10-rh495457.patch merged to upstream + +* Mon Aug 24 2009 Karsten Hopp 0.0.91-0.17 +- fix ifnarch s390x for server-module + +* Fri Aug 21 2009 Tomas Mraz - 0.0.91-0.16 +- rebuilt with new openssl + +* Tue Aug 04 2009 Adam Tkac 0.0.91-0.15 +- make Xvnc compilable + +* Sun Jul 26 2009 Fedora Release Engineering - 0.0.91-0.14.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jul 13 2009 Adam Tkac 0.0.91-0.13.1 +- don't write warning when initscript is called with condrestart param (#508367) + +* Tue Jun 23 2009 Adam Tkac 0.0.91-0.13 +- temporary use F11 Xserver base to make Xvnc compilable +- BuildRequires: libXi-devel +- don't ship tigervnc-server-module on s390/s390x + +* Mon Jun 22 2009 Adam Tkac 0.0.91-0.12 +- fix local rendering of cursor (#495457) + +* Thu Jun 18 2009 Adam Tkac 0.0.91-0.11 +- update to 0.0.91 (1.0.0 RC1) +- patches merged + - tigervnc10-rh499401.patch + - tigervnc10-rh497592.patch + - tigervnc10-rh501832.patch +- after discusion in upstream drop tigervnc-bounds.patch +- configure flags cleanup + +* Thu May 21 2009 Adam Tkac 0.0.90-0.10 +- rebuild against 1.6.1.901 X server (#497835) +- disable i18n, vncviewer is not UTF-8 compatible (#501832) + +* Mon May 18 2009 Adam Tkac 0.0.90-0.9 +- fix vncpasswd crash on long passwords (#499401) +- start session dbus daemon correctly (#497592) + +* Mon May 11 2009 Adam Tkac 0.0.90-0.8.1 +- remove merged tigervnc-manminor.patch + +* Tue May 05 2009 Adam Tkac 0.0.90-0.8 +- update to 0.0.90 + +* Thu Apr 30 2009 
Adam Tkac 0.0.90-0.7.20090427svn3789 +- server package now requires xorg-x11-fonts-misc (#498184) + +* Mon Apr 27 2009 Adam Tkac 0.0.90-0.6.20090427svn3789 +- update to r3789 + - tigervnc-rh494801.patch merged +- tigervnc-newfbsize.patch is no longer needed +- fix problems when vncviewer and Xvnc run on different endianess (#496653) +- UltraVNC and TightVNC clients work fine again (#496786) + +* Wed Apr 08 2009 Adam Tkac 0.0.90-0.5.20090403svn3751 +- workaround broken fontpath handling in vncserver script (#494801) + +* Fri Apr 03 2009 Adam Tkac 0.0.90-0.4.20090403svn3751 +- update to r3751 +- patches merged + - tigervnc-xclients.patch + - tigervnc-clipboard.patch + - tigervnc-rh212985.patch +- basic RandR support in Xvnc (resize of the desktop) +- use built-in libjpeg (SSE2/MMX accelerated encoding on x86 platform) +- use Tight encoding by default +- use TigerVNC icons + +* Tue Mar 03 2009 Adam Tkac 0.0.90-0.3.20090303svn3631 +- update to r3631 + +* Tue Mar 03 2009 Adam Tkac 0.0.90-0.2.20090302svn3621 +- package review related fixes + +* Mon Mar 02 2009 Adam Tkac 0.0.90-0.1.20090302svn3621 +- initial package, r3621