x11vnc: more -unixpw mode. -gone popup mode. Change filexfer via -R. Tune SMALL_FOOTPRINT.

1 files changed, 72 insertions, 27 deletions

diff --git a/x11vnc/help.c b/x11vnc/help.c
index 113e0ac..d31a038 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -402,9 +402,10 @@ void print_help(int mode) {
 "                       full-access passwords)\n"
 "\n"
 "-unixpw [list]         Experimental option: use Unix username and password\n"
-"                       authentication.  x11vnc uses the su(1) program to\n"
-"                       verify the user's password.  [list] is an optional\n"
-"                       comma separated list of allowed Unix usernames.\n"
+"                       authentication.  x11vnc uses the su(1) program to verify\n"
+"                       the user's password.  [list] is an optional comma\n"
+"                       separated list of allowed Unix usernames.  See below\n"
+"                       for per-user options that can be applied.\n"
 "\n"
 "                       A familiar \"login:\" and \"Password:\" dialog is\n"
 "                       presented to the user on a black screen inside the\n"
@@ -413,6 +414,22 @@ void print_help(int mode) {
 "                       send one before a 20 second timeout.  Existing clients\n"
 "                       are view-only during this period.\n"
 "\n"
+"                       Since the detailed behavior of su(1) can vary from\n"
+"                       OS to OS and for local configurations, please test\n"
+"                       the mode carefully on your systems before using it.\n"
+"                       Try different combinations of valid/invalid usernames\n"
+"                       and passwords.\n"
+"                       \n"
+"                       For example, on FreeBSD and the other BSD's and Tru64\n"
+"                       it does not appear to be possible for the user running\n"
+"                       x11vnc to validate his *own* password via su(1).\n"
+"                       The x11vnc login will always fail in this case.\n"
+"                       A possible workaround would be to start x11vnc as\n"
+"                       root with the \"-users +nobody\" option to immediately\n"
+"                       switch to user nobody.  Another source of problems are\n"
+"                       PAM modules that prompt for extra info, e.g. password\n"
+"                       aging modules.  These logins will always fail as well.\n"
+"\n"
 "                       *IMPORTANT*: to prevent the Unix password being sent in\n"
 "                       *clear text* over the network, two x11vnc options are\n"
 "                       enforced: 1) -localhost and 2) -stunnel.  The former\n"
@@ -432,6 +449,13 @@ void print_help(int mode) {
 "                       user login (since Unix password or the user's public\n"
 "                       key authentication is used by ssh)\n"
 "\n"
+"                       As a convenience, if you ssh(1) in and start x11vnc\n"
+"                       it will look to see if the environment variable\n"
+"                       SSH_CONNECTION is set and appears reasonable.  If it\n"
+"                       does, then the stunnel requirement is dropped since\n"
+"                       it is assumed you are using ssh for the encrypted\n"
+"                       tunnelling.  Use -stunnel to force stunnel usage.\n"
+"\n"
 "                       Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
 "                       requirement.  One should never do this (i.e. allow the\n"
 "                       Unix passwords to be sniffed on the network).\n"
@@ -440,23 +464,40 @@ void print_help(int mode) {
 "                       since x11vnc does not make network connections in\n"
 "                       that case.  Be sure to use encryption from the viewer\n"
 "                       to inetd.  One can also have your own stunnel spawn\n"
-"                       x11vnc in -inetd mode.\n"
+"                       x11vnc in -inetd mode.  See the FAQ.\n"
+"\n"
+"                       The user names in the comma separated [list] can have\n"
+"                       per-user options after a \":\", e.g. \"fred:opts\"\n"
+"                       where \"opts\" is a \"+\" separated list of\n"
+"                       \"viewonly\", \"fullaccess\", \"input=XXXX\", or\n"
+"                       \"deny\", e.g. \"karl,fred:viewonly,boss:input=M\".\n"
+"                       For \"input=\" it is the K,M,B,C describe under -input.\n"
+"\n"
+"                       If a user in the list is \"*\" that means those options\n"
+"                       apply to all users.  It also means all users are allowed\n"
+"                       to log in.  Use \"deny\" to explicitly deny some users\n"
+"                       if you use \"*\" to set a global option.\n"
 "\n"
 "-stunnel [pem]         Use the stunnel(1) (www.stunnel.org) to provide an\n"
 "                       encrypted SSL tunnel between viewers and x11vnc.\n"
 "                       This requires stunnel be installed on the system and\n"
 "                       available via PATH (n.b. stunnel is often installed in\n"
-"                       sbin directories).  Version 4.x of stunnel is assumed.\n"
+"                       sbin directories).  Version 4.x of stunnel is assumed;\n"
+"                       see -stunnel3 below.\n"
 "\n"
 "                       [pem] is optional, use \"-stunnel /path/to/stunnel.pem\"\n"
 "                       to specify a PEM certificate file to pass to stunnel.\n"
+"                       Whether one is needed or not depends on your stunnel\n"
+"                       configuration.\n"
 "\n"
-"                       stunnel is started up as a child process and any SSL\n"
-"                       connections it receives are decrypted and sent to x11vnc\n"
-"                       over a local socket.  The strings \"The SSL VNC desktop\n"
-"                       is ...\" and SSLPORT=... are printed out at startup.\n"
+"                       stunnel is started up as a child process of x11vnc and\n"
+"                       any SSL connections stunnel receives are decrypted and\n"
+"                       sent to x11vnc over a local socket.  The strings \"The\n"
+"                       SSL VNC desktop is ...\" and SSLPORT=... are printed\n"
+"                       out at startup.\n"
 "\n"
-"                       The -localhost option is enforced by default.  Set\n"
+"                       The -localhost option is enforced by default to\n"
+"                       avoid people routing around the SSL channel.  Set\n"
 "                       STUNNEL_DISABLE_LOCALHOST=1 to disable the requirement.\n"
 "\n"
 "                       Your VNC viewer will need to be able to connect via SSL.\n"
@@ -470,7 +511,8 @@ void print_help(int mode) {
 "                         %% vncviewer localhost:1\n"
 "\n"
 "                       For Windows, stunnel has been ported to it and there\n"
-"                       are probably other such tools available.\n"
+"                       are probably other such tools available.  See the FAQ\n"
+"                       for more examples.\n"
 "\n"
 "-stunnel3  [pem]       Use version 3.x stunnel command line syntax instead of\n"
 "                       version 4.x\n"
@@ -558,8 +600,9 @@ void print_help(int mode) {
 "-gone string           As -accept, except to run a user supplied command when\n"
 "                       a client goes away (disconnects).  RFB_MODE will be\n"
 "                       set to \"gone\" and the other RFB_* variables are as\n"
-"                       in -accept.  Unlike -accept, the command return code\n"
-"                       is not interpreted by x11vnc.  Example: -gone 'xlock &'\n"
+"                       in -accept.  The \"popup\" actions apply as well.\n"
+"                       Unlike -accept, the command return code is not\n"
+"                       interpreted by x11vnc.  Example: -gone 'xlock &'\n"
 "\n"
 "-users list            If x11vnc is started as root (say from inetd(1) or from\n"
 "                       display managers xdm(1), gdm(1), etc), then as soon\n"
@@ -1766,6 +1809,8 @@ void print_help(int mode) {
 "                       timeout:n       reset -timeout to n, if there are\n"
 "                                       currently no clients, exit unless one\n"
 "                                       connects in the next n secs.\n"
+"                       filexfer        enable  filetransfer for new clients.\n"
+"                       nofilexfer      disable filetransfer for new clients.\n"
 /* access */
 "                       http            enable  http client connections.\n"
 "                       nohttp          disable http client connections.\n"
@@ -2013,11 +2058,11 @@ void print_help(int mode) {
 "                       truecolor notruecolor overlay nooverlay overlay_cursor\n"
 "                       overlay_yescursor nooverlay_nocursor nooverlay_cursor\n"
 "                       nooverlay_yescursor overlay_nocursor 8to24 no8to24\n"
-"                       8to24_opts visual scale scale_cursor viewonly\n"
-"                       noviewonly shared noshared forever noforever once\n"
-"                       timeout filexfer deny lock nodeny unlock connect\n"
-"                       allowonce allow localhost nolocalhost listen lookup\n"
-"                       nolookup accept afteraccept gone shm noshm flipbyteorder\n"
+"                       8to24_opts visual scale scale_cursor viewonly noviewonly\n"
+"                       shared noshared forever noforever once timeout filexfer\n"
+"                       nofilexfer deny lock nodeny unlock connect allowonce\n"
+"                       allow localhost nolocalhost listen lookup nolookup\n"
+"                       accept afteraccept gone shm noshm flipbyteorder\n"
 "                       noflipbyteorder onetile noonetile solid_color solid\n"
 "                       nosolid blackout xinerama noxinerama xtrap noxtrap\n"
 "                       xrandr noxrandr xrandr_mode padgeom quiet q noquiet\n"
@@ -2056,15 +2101,15 @@ void print_help(int mode) {
 "                       scale_str scaled_x scaled_y scale_numer scale_denom\n"
 "                       scale_fac scaling_blend scaling_nomult4 scaling_pad\n"
 "                       scaling_interpolate inetd privremote unsafe safer nocmds\n"
-"                       passwdfile using_shm logfile o flag rc norc h help V\n"
-"                       version lastmod bg sigpipe threads readrate netrate\n"
-"                       netlatency pipeinput clients client_count pid ext_xtest\n"
-"                       ext_xtrap ext_xrecord ext_xkb ext_xshm ext_xinerama\n"
-"                       ext_overlay ext_xfixes ext_xdamage ext_xrandr rootwin\n"
-"                       num_buttons button_mask mouse_x mouse_y bpp depth\n"
-"                       indexed_color dpy_x dpy_y wdpy_x wdpy_y off_x off_y\n"
-"                       cdpy_x cdpy_y coff_x coff_y rfbauth passwd viewpasswd\n"
-"\n"
+"                       passwdfile unixpw unixpw_list stunnel stunnel_pem\n"
+"                       using_shm logfile o flag rc norc h help V version\n"
+"                       lastmod bg sigpipe threads readrate netrate netlatency\n"
+"                       pipeinput clients client_count pid ext_xtest ext_xtrap\n"
+"                       ext_xrecord ext_xkb ext_xshm ext_xinerama ext_overlay\n"
+"                       ext_xfixes ext_xdamage ext_xrandr rootwin num_buttons\n"
+"                       button_mask mouse_x mouse_y bpp depth indexed_color\n"
+"                       dpy_x dpy_y wdpy_x wdpy_y off_x off_y cdpy_x cdpy_y\n"
+"                       coff_x coff_y rfbauth passwd viewpasswd\n"
 "-QD variable           Just like -query variable, but returns the default\n"
 "                       value for that parameter (no running x11vnc server\n"
 "                       is consulted)\n"