From ebd2a0d7a1b0729b4c76f5f481c108301e109bcb Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Mon, 9 Oct 2023 09:03:02 +0200 Subject: [PATCH] Support username alias in PlainUsers Resolves: RHEL-8430 --- ...support-username-alias-in-plainusers.patch | 135 ++++++++++++++++++ tigervnc.spec | 8 +- 2 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 tigervnc-support-username-alias-in-plainusers.patch diff --git a/tigervnc-support-username-alias-in-plainusers.patch b/tigervnc-support-username-alias-in-plainusers.patch new file mode 100644 index 0000000..abf4eda --- /dev/null +++ b/tigervnc-support-username-alias-in-plainusers.patch @@ -0,0 +1,135 @@ +diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx +index 6f65e87..3142ba3 100644 +--- a/common/rfb/SSecurityPlain.cxx ++++ b/common/rfb/SSecurityPlain.cxx +@@ -27,6 +27,8 @@ + #include + #if !defined(WIN32) && !defined(__APPLE__) + #include ++#include ++#include + #endif + #ifdef WIN32 + #include +@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers + + bool PasswordValidator::validUser(const char* username) + { +- CharArray users(plainUsers.getValueStr()), user; ++ std::vector users; + +- while (users.buf) { +- strSplit(users.buf, ',', &user.buf, &users.buf); +-#ifdef WIN32 +- if (0 == stricmp(user.buf, "*")) +- return true; +- if (0 == stricmp(user.buf, username)) +- return true; +-#else +- if (!strcmp(user.buf, "*")) +- return true; +- if (!strcmp(user.buf, username)) +- return true; ++ users = split(plainUsers, ','); ++ ++ for (size_t i = 0; i < users.size(); i++) { ++ if (users[i] == "*") ++ return true; ++#if !defined(WIN32) && !defined(__APPLE__) ++ if (users[i] == "%u") { ++ struct passwd *pw = getpwnam(username); ++ if (pw && pw->pw_uid == getuid()) ++ return true; ++ } + #endif ++ if (users[i] == username) ++ return true; + } + return false; + } +diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx +index 649eb0b..cce73a0 100644 +--- a/common/rfb/util.cxx ++++ b/common/rfb/util.cxx +@@ -99,6 +99,26 @@ namespace rfb { + return false; + } + ++ std::vector split(const char* src, ++ const char delimiter) ++ { ++ std::vector out; ++ const char *start, *stop; ++ ++ start = src; ++ do { ++ stop = strchr(start, delimiter); ++ if (stop == NULL) { ++ out.push_back(start); ++ } else { ++ out.push_back(std::string(start, stop-start)); ++ start = stop + 1; ++ } ++ } while (stop != NULL); ++ ++ return out; ++ } ++ + bool strContains(const char* src, char c) { + int l=strlen(src); + for (int i=0; i + #include + ++#include ++#include ++ + struct timeval; + + #ifdef __GNUC__ +@@ -76,6 +79,10 @@ namespace rfb { + // that part of the string. Obviously, setting both to 0 is not useful... + bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false); + ++ // Splits a string with the specified delimiter ++ std::vector split(const char* src, ++ const char delimiter); ++ + // Returns true if src contains c + bool strContains(const char* src, char c); + +diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man +index c36ae34..78db730 100644 +--- a/unix/x0vncserver/x0vncserver.man ++++ b/unix/x0vncserver/x0vncserver.man +@@ -125,8 +125,8 @@ parameter instead. + .B \-PlainUsers \fIuser-list\fP + A comma separated list of user names that are allowed to authenticate via + any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP +-to allow any user to authenticate using this security type. Default is to +-deny all users. ++to allow any user to authenticate using this security type. Specify \fB%u\fP ++to allow the user of the server process. Default is to deny all users. + . + .TP + .B \-pam_service \fIname\fP, \-PAMService \fIname\fP +diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man +index ea87dea..e9fb654 100644 +--- a/unix/xserver/hw/vnc/Xvnc.man ++++ b/unix/xserver/hw/vnc/Xvnc.man +@@ -200,8 +200,8 @@ parameter instead. + .B \-PlainUsers \fIuser-list\fP + A comma separated list of user names that are allowed to authenticate via + any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP +-to allow any user to authenticate using this security type. Default is to +-deny all users. ++to allow any user to authenticate using this security type. Specify \fB%u\fP ++to allow the user of the server process. Default is to deny all users. + . + .TP + .B \-pam_service \fIname\fP, \-PAMService \fIname\fP diff --git a/tigervnc.spec b/tigervnc.spec index 9ab1289..8d3b871 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.13.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -26,6 +26,7 @@ Patch1: tigervnc-use-gnome-as-default-session.patch Patch2: tigervnc-vncsession-restore-script-systemd-service.patch # Upstream patches +Patch50: tigervnc-support-username-alias-in-plainusers.patch # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch @@ -186,6 +187,7 @@ popd %patch2 -p1 -b .vncsession-restore-script-systemd-service # Upstream patches +%patch50 -p1 -b .support-username-alias-in-plainusers %build %ifarch sparcv9 sparc64 s390 s390x @@ -368,6 +370,10 @@ fi %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Mon Oct 09 2023 Jan Grulich - 1.13.1-3 +- Support username alias in PlainUsers + Resolves: RHEL-8430 + * Tue Apr 11 2023 Jan Grulich - 1.13.1-2 - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability