From c27de8c289b6b403245e28dac871392cd3bc98d5 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Mon, 5 Aug 2024 13:07:51 +0200
Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set

Resolves: RHEL-50679
---
 ...ession-use-bin-sh-when-shell-not-set.patch | 29 +++++++++++++++++++
 tigervnc.spec                                 |  8 ++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch

diff --git a/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch b/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
new file mode 100644
index 0000000..3f46c73
--- /dev/null
+++ b/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
@@ -0,0 +1,29 @@
+From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@redhat.com>
+Date: Thu, 25 Jul 2024 18:39:59 -0300
+Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set
+
+An empty shell field in the password file is valid, although not common.
+Use /bin/sh in this case, as documented in the passwd(5) man page, since
+the vncserver script requires a non-empty SHELL environment variable.
+
+Fixes issue #1786.
+
+Signed-off-by: Carlos Santos <casantos@redhat.com>
+---
+ unix/vncserver/vncsession.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
+index 1ee096c7c..98a0432aa 100644
+--- a/unix/vncserver/vncsession.c
++++ b/unix/vncserver/vncsession.c
+@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp)
+ 
+     // Set up some basic environment for the script
+     setenv("HOME", pwent->pw_dir, 1);
+-    setenv("SHELL", pwent->pw_shell, 1);
++    setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1);
+     setenv("LOGNAME", pwent->pw_name, 1);
+     setenv("USER", pwent->pw_name, 1);
+     setenv("USERNAME", pwent->pw_name, 1);
diff --git a/tigervnc.spec b/tigervnc.spec
index 2499a4f..281849a 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -5,7 +5,7 @@
 
 Name:           tigervnc
 Version:        1.13.1
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -29,6 +29,7 @@ Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 Patch50:        tigervnc-support-username-alias-in-plainusers.patch
 Patch51:        tigervnc-use-dup-to-get-available-fd-for-inetd.patch
 Patch52:        tigervnc-add-option-to-force-view-only-remote-connections.patch
+Patch53:        tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
 
 # Upstreamable patches
 Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch
@@ -200,6 +201,7 @@ popd
 %patch50 -p1 -b .support-username-alias-in-plainusers
 %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
 %patch52 -p1 -b .add-option-to-force-view-only-remote-connections
+%patch53 -p1 -b .tigervnc-vncsession-use-bin-sh-when-shell-not-set
 
 # Upstreamable patches
 %patch80 -p1 -b .dont-get-pointer-position-for-floating-device
@@ -385,6 +387,10 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
+- vncsession: use /bin/sh if the user shell is not set
+  Resolves: RHEL-50679
+
 * Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
 - vncconfig: add option to force view-only remote client connections
   Resolves: RHEL-12144