rpms/tigervnc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Add option "ApproveLoggedUserOnly" allowing to connect only the user

Browse Source 
owning the running session

Resolves: RHEL-91104
This commit is contained in:
Jan Grulich 2025-05-15 09:09:02 +02:00
parent a362a30835
commit e0ab3bd641
2 changed files with 255 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

238
tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch Normal file
View File

@ -0,0 +1,238 @@
From 8ac9bf0c061666d89d345a3d7149e1ef9c771655 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Mon, 29 Jul 2024 14:31:14 +0200
Subject: [PATCH] Add option allowing to connect only the user owning the
running session
Checks, whether the user who is trying to authenticate is already logged
into the running session in order to allow or reject the connection.
This is expected to be used with 'plain' security type in combination
with 'PlainUsers=*' option allowing everyone to connect to the session.
---
common/rfb/VNCServerST.cxx | 7 --
unix/xserver/hw/vnc/XserverDesktop.cc | 120 +++++++++++++++++++++++++-
unix/xserver/hw/vnc/XserverDesktop.h | 7 ++
3 files changed, 126 insertions(+), 8 deletions(-)
diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx
index b99d33b..aa8d53e 100644
--- a/common/rfb/VNCServerST.cxx
+++ b/common/rfb/VNCServerST.cxx
@@ -682,13 +682,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client,
return;
}
- // - Are we configured to do queries?
- if (!rfb::Server::queryConnect &&
- !client->getSock()->requiresQuery()) {
- approveConnection(client->getSock(), true, nullptr);
- return;
- }
-
// - Does the client have the right to bypass the query?
if (client->accessCheck(AccessNoQuery))
{
diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc
index 260ed3a..4f252c8 100644
--- a/unix/xserver/hw/vnc/XserverDesktop.cc
+++ b/unix/xserver/hw/vnc/XserverDesktop.cc
@@ -51,6 +51,11 @@
#include "XorgGlue.h"
#include "vncInput.h"
+#if HAVE_SYSTEMD_DAEMON
+# include <pwd.h>
+# include <systemd/sd-login.h>
+#endif
+
extern "C" {
void vncSetGlueContext(int screenIndex);
void vncPresentMscEvent(uint64_t id, uint64_t msc);
@@ -70,7 +75,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout",
"Accept connection dialog before "
"rejecting the connection",
10);
-
+#ifdef HAVE_SYSTEMD_DAEMON
+BoolParameter approveLoggedUserOnly
+("ApproveLoggedUserOnly",
+ "Approve only the user who is currently logged into the session."
+ "This is expected to be combined with 'plain' security type and with "
+ "'PlainUsers=*' option allowing everyone to connect to the session."
+ "Default is off.",
+ false);
+#endif
XserverDesktop::XserverDesktop(int screenIndex_,
std::list<network::SocketListener*> listeners_,
@@ -164,11 +177,134 @@ void XserverDesktop::init(rfb::VNCServer* vs)
// ready state
}
+#ifdef HAVE_SYSTEMD_DAEMON
+bool XserverDesktop::checkUserLogged(const char* userName)
+{
+ bool ret = false;
+ bool noUserSession = true;
+ int res;
+ char **sessions;
+
+ res = sd_get_sessions(&sessions);
+ if (res < 0) {
+ vlog.debug("logind: failed to get sessions");
+ return false;
+ }
+
+ if (sessions != nullptr && sessions[0] != nullptr) {
+ for (int i = 0; sessions[i]; i++) {
+ uid_t uid;
+ char *clazz;
+ char *display;
+ char *type;
+ char *state;
+
+ res = sd_session_get_type(sessions[i], &type);
+ if (res < 0) {
+ vlog.debug("logind: failed to determine session type");
+ break;
+ }
+
+ if (strcmp(type, "x11") != 0) {
+ free(type);
+ continue;
+ }
+ free(type);
+
+ res = sd_session_get_display(sessions[i], &display);
+ if (res < 0) {
+ vlog.debug("logind: failed to determine display of session");
+ break;
+ }
+
+ std::string serverDisplay = ":" + std::to_string(screenIndex);
+ std::string serverDisplayIPv4 = "127.0.0.1:" + std::to_string(screenIndex);
+ std::string serverDisplayIPv6 = "::1:" + std::to_string(screenIndex);
+ if ((strcmp(display, serverDisplay.c_str()) != 0) &&
+ (strcmp(display, serverDisplayIPv4.c_str()) != 0) &&
+ (strcmp(display, serverDisplayIPv6.c_str()) != 0)) {
+ free(display);
+ continue;
+ }
+ free(display);
+
+ res = sd_session_get_class(sessions[i], &clazz);
+ if (res < 0) {
+ vlog.debug("logind: failed to determine session class");
+ break;
+ }
+
+ res = sd_session_get_state(sessions[i], &state);
+ if (res < 0) {
+ vlog.debug("logind: failed to determine session state");
+ break;
+ }
+
+ if (strcmp(state, "closing") == 0) {
+ free(state);
+ continue;
+ }
+ free(state);
+
+ res = sd_session_get_uid(sessions[i], &uid);
+ if (res < 0) {
+ vlog.debug("logind: failed to determine user id of session");
+ break;
+ }
+
+ if (uid != 0 && strcmp(clazz, "user") == 0) {
+ noUserSession = false;
+ }
+ free(clazz);
+
+ struct passwd *pw = getpwnam(userName);
+ if (!pw) {
+ vlog.debug("logind: user not found");
+ break;
+ }
+
+ if (uid == pw->pw_uid) {
+ ret = true;
+ break;
+ }
+ }
+ }
+
+ if (sessions) {
+ for (int i = 0; sessions[i]; i ++) {
+ free(sessions[i]);
+ }
+
+ free (sessions);
+ }
+
+ // If we didn't find a matching user, we can still allow the user
+ // to log in if there is no user session yet.
+ return !ret ? noUserSession : ret;
+}
+#endif
+
void XserverDesktop::queryConnection(network::Socket* sock,
const char* userName)
{
int count;
+#ifdef HAVE_SYSTEMD_DAEMON
+ // - Only owner of the session can be approved
+ if (approveLoggedUserOnly && !checkUserLogged(userName)) {
+ server->approveConnection(sock, false,
+ "The user is not owner of the running session");
+ return;
+ }
+#endif
+
+ // - Are we configured to do queries?
+ if (!rfb::Server::queryConnect &&
+ !sock->requiresQuery()) {
+ server->approveConnection(sock, true, nullptr);
+ return;
+ }
+
if (queryConnectTimer.isStarted()) {
server->approveConnection(sock, false, "Another connection is currently being queried.");
return;
diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h
index 8c543db..8d6bde4 100644
--- a/unix/xserver/hw/vnc/XserverDesktop.h
+++ b/unix/xserver/hw/vnc/XserverDesktop.h
@@ -108,6 +108,13 @@ public:
void grabRegion(const rfb::Region& r) override;
protected:
+#ifdef HAVE_SYSTEMD_DAEMON
+ // - Check whether user is logged into a session
+ // Returns true if user is already logged or there is no
+ // user session at all.
+ bool checkUserLogged(const char* userName);
+#endif
+
bool handleListenerEvent(int fd,
std::list<network::SocketListener*>* sockets,
rfb::VNCServer* sockserv);
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
index d6b1664..07b74bb 100644
--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
@@ -200,6 +200,13 @@ Never treat incoming connections as shared, regardless of the client-specified
setting. Default is off.
.
.TP
+.B \-ApproveLoggedUserOnly
+Approve only the user who is currently logged into the session.
+This is expected to be combined with "Plain" security type and with
+"PlainUsers=*" option allowing everyone to connect to the session.
+Default is off.
+.
+.TP
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
PAM service name to use when authentication users using any of the "Plain"
security types. Default is \fBvnc\fP.

19
tigervnc.spec
View File

@ -5,7 +5,7 @@
Name: tigervnc
Version: 1.15.0
Release: 3%{?dist}
Release: 4%{?dist}
Summary: A TigerVNC remote display system
%global _hardened_build 1
@ -28,6 +28,8 @@ Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
Patch3: tigervnc-dont-install-appstream-metadata-file.patch
# Only warn about passwords longer than 8 characters, but allow them to be used as in the past
Patch4: tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch
# https://github.com/TigerVNC/tigervnc/pull/1792
Patch5: tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
# Upstream patches
Patch50: tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
@ -105,6 +107,11 @@ BuildRequires: xorg-x11-xtrans-devel
BuildRequires: libselinux-devel
BuildRequires: selinux-policy-devel
# For RHEL-91104
BuildRequires: pkgconfig(dbus-1) >= 1.0
BuildRequires: pkgconfig(libsystemd) >= 209
BuildRequires: pkgconfig(libudev) >= 143
Requires(post): coreutils
Requires(postun):coreutils
@ -229,6 +236,7 @@ popd
%patch -P2 -p1 -b .vncsession-restore-script-systemd-service
%patch -P3 -p1 -b .dont-install-appstream-metadata-file.patch
%patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters
%patch -P5 -p1 -b .add-option-allowing-to-connect-only-user-owning-session
# Upstream patches
%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
@ -262,7 +270,9 @@ autoreconf -fiv
--disable-config-udev \
--without-dtrace \
--disable-devel-docs \
--disable-selective-werror
--disable-selective-werror \
--enable-systemd-logind \
--enable-config-udev
make %{?_smp_mflags}
popd
@ -387,6 +397,11 @@ fi
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog
* Thu May 15 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-4
- Add option "ApproveLoggedUserOnly" allowing to connect only the user
owning the running session
Resolves: RHEL-91104
* Wed Apr 30 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-3
- Only warn about 8 characters limit, but let it proceed
Resolves: RHEL-89430