author | runge <runge@karlrunge.com> | 2009-08-10 17:56:10 -0400 |
---|---|---|
committer | runge <runge@karlrunge.com> | 2009-08-10 17:56:10 -0400 |
commit | fd084b5d28189727f1dff6022d2b421d772bcc1a | |
tree | b06223e1b18a4988e9c97ae6f759f7151570c1af /x11vnc/help.c | |
parent | 2c6bf9234edc30fd564a693a3bb954fd1ea50455 | |
Improvements to -unixpw_cmd and -unixpw_nis.
Experimental X11VNC_WATCH_DX_DY=1 for buggy theme menus,
see: http://ubuntuforums.org/showthread.php?t=1223490
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r-- | x11vnc/help.c | 150 |
1 files changed, 107 insertions, 43 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c index 248887e..ff697af 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c @@ -335,8 +335,8 @@ void print_help(int mode) { " is needed for the latter, feel free to ask).\n" "\n" "-scale fraction Scale the framebuffer by factor \"fraction\". Values\n" -" less than 1 shrink the fb, larger ones expand it. Note:\n" -" image may not be sharp and response may be slower.\n" +" less than 1 shrink the fb, larger ones expand it. Note:\n" +" the image may not be sharp and response may be slower.\n" " If \"fraction\" contains a decimal point \".\" it\n" " is taken as a floating point number, alternatively\n" " the notation \"m/n\" may be used to denote fractions\n" @@ -507,7 +507,7 @@ void print_help(int mode) { " Repeater mode: Some services provide an intermediate\n" " \"vnc repeater\": http://www.uvnc.com/addons/repeater.html\n" " (and also http://koti.mbnet.fi/jtko/ for linux port)\n" -" that acts as a proxy / gateway. Modes like these require\n" +" that acts as a proxy/gateway. Modes like these require\n" " an initial string to be sent for the reverse connection\n" " before the VNC protocol is started. Here are the ways\n" " to do this:\n" 
@@ -782,12 +782,12 @@ void print_help(int mode) { " full-access passwords)\n" "\n" "-unixpw [list] Use Unix username and password authentication. x11vnc\n" -" uses the su(1) program to verify the user's password.\n" -" [list] is an optional comma separated list of allowed\n" -" Unix usernames. If the [list] string begins with the\n" -" character \"!\" then the entire list is taken as an\n" -" exclude list. See below for per-user options that can\n" -" be applied.\n" +" will use the su(1) program to verify the user's\n" +" password. [list] is an optional comma separated list\n" +" of allowed Unix usernames. If the [list] string begins\n" +" with the character \"!\" then the entire list is taken\n" +" as an exclude list. See below for per-user options\n" +" that can be applied.\n" "\n" " A familiar \"login:\" and \"Password:\" dialog is\n" " presented to the user on a black screen inside the\n" @@ -803,8 +803,9 @@ void print_help(int mode) { "\n" " Since the detailed behavior of su(1) can vary from\n" " OS to OS and for local configurations, test the mode\n" -" carefully. x11vnc will attempt to be conservative and\n" -" reject a login if anything abnormal occurs.\n" +" before deployment to make sure it is working properly.\n" +" x11vnc will attempt to be conservative and reject a\n" +" login if anything abnormal occurs.\n" "\n" " One case to note: FreeBSD and the other BSD's by\n" " default it is impossible for the user running x11vnc to\n" @@ -837,7 +838,7 @@ void print_help(int mode) { " to come from the same machine x11vnc is running on\n" " (e.g. from a ssh -L port redirection). And that the\n" " -stunnel SSL mode be used for encryption over the\n" -" network.(see the description of -stunnel below).\n" +" network. (see the description of -stunnel below).\n" "\n" " Note: as a convenience, if you ssh(1) in and start\n" " x11vnc it will check if the environment variable\n" 
@@ -865,7 +866,7 @@ void print_help(int mode) { " Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n" " requirement in Method 2). One should never do this\n" " (i.e. allow the Unix passwords to be sniffed on the\n" -" network).\n" +" network.)\n" "\n" " Regarding reverse connections (e.g. -R connect:host\n" " and -connect host), when the -localhost constraint is\n" @@ -883,7 +884,7 @@ void print_help(int mode) { " in -inetd mode (thereby bypassing inetd). See the FAQ\n" " for details.\n" "\n" -" The user names in the comma separated [list] can have\n" +" The user names in the comma separated [list] may have\n" " per-user options after a \":\", e.g. \"fred:opts\"\n" " where \"opts\" is a \"+\" separated list of\n" " \"viewonly\", \"fullaccess\", \"input=XXXX\", or\n" @@ -891,13 +892,13 @@ void print_help(int mode) { " For \"input=\" it is the K,M,B,C described under -input.\n" "\n" " If an item in the list is \"*\" that means those\n" -" options apply to all users. It also means all users\n" +" options apply to all users. It ALSO implies all users\n" " are allowed to log in after supplying a valid password.\n" " Use \"deny\" to explicitly deny some users if you use\n" -" \"*\" to set a global option. If [list] begins with\n" -" the \"!\" character then \"*\" is ignored for checking\n" -" if the user is allowed, but the any value of options\n" -" associated with it does apply as normal.\n" +" \"*\" to set a global option. If [list] begins with the\n" +" \"!\" character then \"*\" is ignored for checking if\n" +" the user is allowed, but the option values associated\n" +" with it do apply as normal.\n" "\n" " There are also some utilities for testing password\n" " if [list] starts with the \"%%\" character. See the\n" 
@@ -922,32 +923,89 @@ void print_help(int mode) { "\n" " NIS is not required for this mode to work (only that\n" " getpwnam(3) return the encrypted password is required),\n" -" but it is unlikely it will work for any most modern\n" -" environments unless x11vnc is run as root to be able\n" -" to access /etc/shadow (note running as root is often\n" -" done when running x11vnc from inetd and xdm/gdm/kdm).\n" +" but it is unlikely it will work (as an ordinary user)\n" +" for most modern environments unless NIS is available.\n" +" On the other hand, when x11vnc is run as root it will\n" +" be able to to access /etc/shadow even if NIS is not\n" +" available (note running as root is often done when\n" +" running x11vnc from inetd and xdm/gdm/kdm).\n" "\n" " Looked at another way, if you do not want to use the\n" -" su(1) method provided by -unixpw, you can run x11vnc\n" -" as root and use -unixpw_nis. Any users with passwords\n" -" in /etc/shadow can then be authenticated. You may want\n" -" to use -users unixpw= to switch the process user after\n" -" the user logs in.\n" +" su(1) method provided by -unixpw (i.e. su_verify()), you\n" +" can run x11vnc as root and use -unixpw_nis. Any users\n" +" with passwords in /etc/shadow can then be authenticated.\n" +"\n" +" In -unixpw_nis mode, under no circumstances is x11vnc's\n" +" user password verifying function based on su called\n" +" (i.e. the function su_verify() that runs /bin/su\n" +" in a pseudoterminal to verify passwords.) However,\n" +" if -unixpw_nis is used in conjunction with the -find\n" +" and -create -display WAIT:... modes then, if x11vnc is\n" +" running as root, /bin/su may be called externally to\n" +" run the find or create commands.\n" "\n" "-unixpw_cmd cmd As -unixpw above, however do not use su(1) but rather\n" " run the externally supplied command \"cmd\". The first\n" -" line of its stdin will the username and the second line\n" -" the received password. 
If the command exits with status\n" -" 0 (success) the VNC client will be accepted. It will be\n" -" rejected for any other return status.\n" -"\n" -" Dynamic passwords and non-unix passwords can be\n" -" implemented this way by providing your own custom helper\n" -" program. Note that under unixpw mode the remote viewer\n" -" is given 3 tries to enter the correct password.\n" -"\n" -" If a list of allowed users is needed use -unixpw [list]\n" -" in addition to this option.\n" +" line of its stdin will be the username and the second\n" +" line the received password. If the command exits\n" +" with status 0 (success) the VNC user will be accepted.\n" +" It will be rejected for any other return status.\n" +"\n" +" Dynamic passwords and non-unix passwords, e.g. LDAP,\n" +" can be implemented this way by providing your own custom\n" +" helper program. Note that the remote viewer is given 3\n" +" tries to enter the correct password, and so the program\n" +" may be called in a row that many (or more) times.\n" +"\n" +" If a list of allowed users is needed to limit who can\n" +" log in, use -unixpw [list] in addition to this option.\n" +"\n" +" In FINDDISPLAY and FINDCREATEDISPLAY modes the \"cmd\"\n" +" will also be run with the RFB_UNIXPW_CMD_RUN env. var.\n" +" non-empty and set to the corresponding display\n" +" find/create command. The first two lines of input are\n" +" the username and passwd as in the normal case described\n" +" above. To support FINDDISPLAY and FINDCREATEDISPLAY,\n" +" \"cmd\" should run the requested command as the user\n" +" (and most likely refusing to run it if the password is\n" +" not correct.) 
Here is an example script (note it has\n" +" a hardwired bogus password \"abc\"!)\n" +"\n" +" #!/bin/sh\n" +" # Example x11vnc -unixpw_cmd script.\n" +" # Read the first two lines of stdin (user and passwd)\n" +" read user\n" +" read pass\n" +" \n" +" debug=0\n" +" if [ $debug = 1 ]; then\n" +" echo \"user: $user\" 1>&2\n" +" echo \"pass: $pass\" 1>&2\n" +" env | egrep -i 'rfb|vnc' 1>&2\n" +" fi\n" +" \n" +" # Check if the password is valid.\n" +" # (A real example would use ldap lookup, etc!)\n" +" if [ \"X$pass\" != \"Xabc\" ]; then\n" +" exit 1 # incorrect password\n" +" fi\n" +" \n" +" if [ \"X$RFB_UNIXPW_CMD_RUN\" = \"X\" ]; then\n" +" exit 0 # correct password\n" +" else\n" +" # Run the requested command (finddisplay)\n" +" if [ $debug = 1 ]; then\n" +" echo \"run: $RFB_UNIXPW_CMD_RUN\" 1>&2\n" +" fi\n" +" exec /bin/su - \"$user\" -c \"$RFB_UNIXPW_CMD_RUN\"\n" +" fi\n" +"\n" +" In -unixpw_cmd mode, under no circumstances is x11vnc's\n" +" user password verifying function based on su called\n" +" (i.e. the function su_verify() that runs /bin/su in a\n" +" pseudoterminal to verify passwords.) It is up to the\n" +" supplied unixpw_cmd to do user switching if desired\n" +" and if it has the permissions to do so.\n" "\n" "-find Find the user's display using FINDDISPLAY. This is an\n" " alias for \"-display WAIT:cmd=FINDDISPLAY\".\n" 
@@ -1064,9 +1122,15 @@ void print_help(int mode) { "\n" " xauth extract - $DISPLAY\"\n" "\n" -" In the case of -unixpw (but not -unixpw_nis), then the\n" -" cmd= command is run as the user who just authenticated\n" -" via the login and password prompt.\n" +" In the case of -unixpw (and -unixpw_nis only if x11vnc\n" +" is running as root), then the cmd= command is run\n" +" as the user who just authenticated via the login and\n" +" password prompt.\n" +"\n" +" In the case of -unixpw_cmd, the commands will also be\n" +" run as the logged-in user, as long as the user-supplied\n" +" helper program supports RFB_UNIXPW_CMD_RUN (see the\n" +" -unixpw_cmd option.)\n" "\n" " Also in the case of -unixpw, the user logging in can\n" " place a colon at the end of her username and supply\n" |
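
Review bot: In the @@ -922,32 +923,89 @@ hunk, the example -unixpw_cmd script passes the client-supplied `$user` straight to `exec /bin/su - "$user" -c "$RFB_UNIXPW_CMD_RUN"` with no check on its form. Because the help text offers this script as a template for real helpers, it should reject an empty name or one beginning with "-" (and anything outside the site's username character set) before the password test. The two `read` calls should be `read -r` so that a backslash in the password is not altered before the comparison, and the debug branch's `echo "pass: $pass" 1>&2` deserves a comment saying that it writes the cleartext password to stderr. The added -unixpw_nis text in the same hunk also has a doubled word in "be able to to access /etc/shadow".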
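
Review bot: In the @@ -837,7 +838,7 @@ hunk, "network. (see the description of -stunnel below)." now reads as a separate parenthetical sentence that starts in lower case and keeps its period outside the parenthesis, while the @@ -865,7 +866,7 @@ hunk moves the period inside ("network.)"). Suggest one convention for both, for example "network (see the description of -stunnel below)."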
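
Review bot: In the @@ -1064,9 +1122,15 @@ hunk, the new -unixpw_cmd paragraph says the commands run as the logged-in user "as long as the user-supplied helper program supports RFB_UNIXPW_CMD_RUN", but nothing here or in the -unixpw_cmd section says what happens when the helper ignores that variable. A helper that simply exits 0 on a correct password would return success in -find/-create mode without running the find or create command. Suggest documenting the resulting behaviour and stating that a helper used with these modes must handle RFB_UNIXPW_CMD_RUN.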