authorrunge <runge@karlrunge.com>2009-08-10 17:56:10 -0400
committerrunge <runge@karlrunge.com>2009-08-10 17:56:10 -0400
commitfd084b5d28189727f1dff6022d2b421d772bcc1a (patch)
treeb06223e1b18a4988e9c97ae6f759f7151570c1af /x11vnc/help.c
parent2c6bf9234edc30fd564a693a3bb954fd1ea50455 (diff)
downloadlibtdevnc-fd084b5d28189727f1dff6022d2b421d772bcc1a.tar.gz
libtdevnc-fd084b5d28189727f1dff6022d2b421d772bcc1a.zip
Improvements to -unixpw_cmd and -unixpw_nis.
Experimental X11VNC_WATCH_DX_DY=1 for buggy theme menus, see: http://ubuntuforums.org/showthread.php?t=1223490
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r--x11vnc/help.c150
1 files changed, 107 insertions, 43 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 248887e..ff697af 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -335,8 +335,8 @@ void print_help(int mode) {
" is needed for the latter, feel free to ask).\n"
"\n"
"-scale fraction Scale the framebuffer by factor \"fraction\". Values\n"
-" less than 1 shrink the fb, larger ones expand it. Note:\n"
-" image may not be sharp and response may be slower.\n"
+" less than 1 shrink the fb, larger ones expand it. Note:\n"
+" the image may not be sharp and response may be slower.\n"
" If \"fraction\" contains a decimal point \".\" it\n"
" is taken as a floating point number, alternatively\n"
" the notation \"m/n\" may be used to denote fractions\n"
@@ -507,7 +507,7 @@ void print_help(int mode) {
" Repeater mode: Some services provide an intermediate\n"
" \"vnc repeater\": http://www.uvnc.com/addons/repeater.html\n"
" (and also http://koti.mbnet.fi/jtko/ for linux port)\n"
-" that acts as a proxy / gateway. Modes like these require\n"
+" that acts as a proxy/gateway. Modes like these require\n"
" an initial string to be sent for the reverse connection\n"
" before the VNC protocol is started. Here are the ways\n"
" to do this:\n"
@@ -782,12 +782,12 @@ void print_help(int mode) {
" full-access passwords)\n"
"\n"
"-unixpw [list] Use Unix username and password authentication. x11vnc\n"
-" uses the su(1) program to verify the user's password.\n"
-" [list] is an optional comma separated list of allowed\n"
-" Unix usernames. If the [list] string begins with the\n"
-" character \"!\" then the entire list is taken as an\n"
-" exclude list. See below for per-user options that can\n"
-" be applied.\n"
+" will use the su(1) program to verify the user's\n"
+" password. [list] is an optional comma separated list\n"
+" of allowed Unix usernames. If the [list] string begins\n"
+" with the character \"!\" then the entire list is taken\n"
+" as an exclude list. See below for per-user options\n"
+" that can be applied.\n"
"\n"
" A familiar \"login:\" and \"Password:\" dialog is\n"
" presented to the user on a black screen inside the\n"
@@ -803,8 +803,9 @@ void print_help(int mode) {
"\n"
" Since the detailed behavior of su(1) can vary from\n"
" OS to OS and for local configurations, test the mode\n"
-" carefully. x11vnc will attempt to be conservative and\n"
-" reject a login if anything abnormal occurs.\n"
+" before deployment to make sure it is working properly.\n"
+" x11vnc will attempt to be conservative and reject a\n"
+" login if anything abnormal occurs.\n"
"\n"
" One case to note: FreeBSD and the other BSD's by\n"
" default it is impossible for the user running x11vnc to\n"
@@ -837,7 +838,7 @@ void print_help(int mode) {
" to come from the same machine x11vnc is running on\n"
" (e.g. from a ssh -L port redirection). And that the\n"
" -stunnel SSL mode be used for encryption over the\n"
-" network.(see the description of -stunnel below).\n"
+" network. (see the description of -stunnel below).\n"
"\n"
" Note: as a convenience, if you ssh(1) in and start\n"
" x11vnc it will check if the environment variable\n"
@@ -865,7 +866,7 @@ void print_help(int mode) {
" Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
" requirement in Method 2). One should never do this\n"
" (i.e. allow the Unix passwords to be sniffed on the\n"
-" network).\n"
+" network.)\n"
"\n"
" Regarding reverse connections (e.g. -R connect:host\n"
" and -connect host), when the -localhost constraint is\n"
@@ -883,7 +884,7 @@ void print_help(int mode) {
" in -inetd mode (thereby bypassing inetd). See the FAQ\n"
" for details.\n"
"\n"
-" The user names in the comma separated [list] can have\n"
+" The user names in the comma separated [list] may have\n"
" per-user options after a \":\", e.g. \"fred:opts\"\n"
" where \"opts\" is a \"+\" separated list of\n"
" \"viewonly\", \"fullaccess\", \"input=XXXX\", or\n"
@@ -891,13 +892,13 @@ void print_help(int mode) {
" For \"input=\" it is the K,M,B,C described under -input.\n"
"\n"
" If an item in the list is \"*\" that means those\n"
-" options apply to all users. It also means all users\n"
+" options apply to all users. It ALSO implies all users\n"
" are allowed to log in after supplying a valid password.\n"
" Use \"deny\" to explicitly deny some users if you use\n"
-" \"*\" to set a global option. If [list] begins with\n"
-" the \"!\" character then \"*\" is ignored for checking\n"
-" if the user is allowed, but the any value of options\n"
-" associated with it does apply as normal.\n"
+" \"*\" to set a global option. If [list] begins with the\n"
+" \"!\" character then \"*\" is ignored for checking if\n"
+" the user is allowed, but the option values associated\n"
+" with it do apply as normal.\n"
"\n"
" There are also some utilities for testing password\n"
" if [list] starts with the \"%%\" character. See the\n"
@@ -922,32 +923,89 @@ void print_help(int mode) {
"\n"
" NIS is not required for this mode to work (only that\n"
" getpwnam(3) return the encrypted password is required),\n"
-" but it is unlikely it will work for any most modern\n"
-" environments unless x11vnc is run as root to be able\n"
-" to access /etc/shadow (note running as root is often\n"
-" done when running x11vnc from inetd and xdm/gdm/kdm).\n"
+" but it is unlikely it will work (as an ordinary user)\n"
+" for most modern environments unless NIS is available.\n"
+" On the other hand, when x11vnc is run as root it will\n"
+" be able to to access /etc/shadow even if NIS is not\n"
+" available (note running as root is often done when\n"
+" running x11vnc from inetd and xdm/gdm/kdm).\n"
"\n"
" Looked at another way, if you do not want to use the\n"
-" su(1) method provided by -unixpw, you can run x11vnc\n"
-" as root and use -unixpw_nis. Any users with passwords\n"
-" in /etc/shadow can then be authenticated. You may want\n"
-" to use -users unixpw= to switch the process user after\n"
-" the user logs in.\n"
+" su(1) method provided by -unixpw (i.e. su_verify()), you\n"
+" can run x11vnc as root and use -unixpw_nis. Any users\n"
+" with passwords in /etc/shadow can then be authenticated.\n"
+"\n"
+" In -unixpw_nis mode, under no circumstances is x11vnc's\n"
+" user password verifying function based on su called\n"
+" (i.e. the function su_verify() that runs /bin/su\n"
+" in a pseudoterminal to verify passwords.) However,\n"
+" if -unixpw_nis is used in conjunction with the -find\n"
+" and -create -display WAIT:... modes then, if x11vnc is\n"
+" running as root, /bin/su may be called externally to\n"
+" run the find or create commands.\n"
"\n"
"-unixpw_cmd cmd As -unixpw above, however do not use su(1) but rather\n"
" run the externally supplied command \"cmd\". The first\n"
-" line of its stdin will the username and the second line\n"
-" the received password. If the command exits with status\n"
-" 0 (success) the VNC client will be accepted. It will be\n"
-" rejected for any other return status.\n"
-"\n"
-" Dynamic passwords and non-unix passwords can be\n"
-" implemented this way by providing your own custom helper\n"
-" program. Note that under unixpw mode the remote viewer\n"
-" is given 3 tries to enter the correct password.\n"
-"\n"
-" If a list of allowed users is needed use -unixpw [list]\n"
-" in addition to this option.\n"
+" line of its stdin will be the username and the second\n"
+" line the received password. If the command exits\n"
+" with status 0 (success) the VNC user will be accepted.\n"
+" It will be rejected for any other return status.\n"
+"\n"
+" Dynamic passwords and non-unix passwords, e.g. LDAP,\n"
+" can be implemented this way by providing your own custom\n"
+" helper program. Note that the remote viewer is given 3\n"
+" tries to enter the correct password, and so the program\n"
+" may be called in a row that many (or more) times.\n"
+"\n"
+" If a list of allowed users is needed to limit who can\n"
+" log in, use -unixpw [list] in addition to this option.\n"
+"\n"
+" In FINDDISPLAY and FINDCREATEDISPLAY modes the \"cmd\"\n"
+" will also be run with the RFB_UNIXPW_CMD_RUN env. var.\n"
+" non-empty and set to the corresponding display\n"
+" find/create command. The first two lines of input are\n"
+" the username and passwd as in the normal case described\n"
+" above. To support FINDDISPLAY and FINDCREATEDISPLAY,\n"
+" \"cmd\" should run the requested command as the user\n"
+" (and most likely refusing to run it if the password is\n"
+" not correct.) Here is an example script (note it has\n"
+" a hardwired bogus password \"abc\"!)\n"
+"\n"
+" #!/bin/sh\n"
+" # Example x11vnc -unixpw_cmd script.\n"
+" # Read the first two lines of stdin (user and passwd)\n"
+" read user\n"
+" read pass\n"
+" \n"
+" debug=0\n"
+" if [ $debug = 1 ]; then\n"
+" echo \"user: $user\" 1>&2\n"
+" echo \"pass: $pass\" 1>&2\n"
+" env | egrep -i 'rfb|vnc' 1>&2\n"
+" fi\n"
+" \n"
+" # Check if the password is valid.\n"
+" # (A real example would use ldap lookup, etc!)\n"
+" if [ \"X$pass\" != \"Xabc\" ]; then\n"
+" exit 1 # incorrect password\n"
+" fi\n"
+" \n"
+" if [ \"X$RFB_UNIXPW_CMD_RUN\" = \"X\" ]; then\n"
+" exit 0 # correct password\n"
+" else\n"
+" # Run the requested command (finddisplay)\n"
+" if [ $debug = 1 ]; then\n"
+" echo \"run: $RFB_UNIXPW_CMD_RUN\" 1>&2\n"
+" fi\n"
+" exec /bin/su - \"$user\" -c \"$RFB_UNIXPW_CMD_RUN\"\n"
+" fi\n"
+"\n"
+" In -unixpw_cmd mode, under no circumstances is x11vnc's\n"
+" user password verifying function based on su called\n"
+" (i.e. the function su_verify() that runs /bin/su in a\n"
+" pseudoterminal to verify passwords.) It is up to the\n"
+" supplied unixpw_cmd to do user switching if desired\n"
+" and if it has the permissions to do so.\n"
"\n"
"-find Find the user's display using FINDDISPLAY. This is an\n"
" alias for \"-display WAIT:cmd=FINDDISPLAY\".\n"
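Review bot: The example helper added at the end of the -unixpw_cmd text prints the cleartext password to stderr when debug=1 (`echo \"pass: $pass\" 1>&2`), and the surrounding help never says that both `$user` and `$pass` arrive verbatim from the not-yet-authenticated VNC client, so whatever the helper does with them (here `exec /bin/su - \"$user\" -c \"$RFB_UNIXPW_CMD_RUN\"`) operates on remote-supplied strings. I would add a line before the script such as `" Note: the username and password on stdin come straight from the remote client and must be treated as untrusted input; with debug=1 the example writes the cleartext password to stderr (i.e. x11vnc's log).\n"` and either drop the `pass:` echo from the example or comment it as debug-only. The example's `read user` / `read pass` without `-r` also lets the shell consume backslashes in the input, so the string compared against the password can differ from what the client sent; `read -r user` / `read -r pass` avoids that. Minor: the -unixpw_nis paragraph in this hunk has a doubled word, `"be able to to access /etc/shadow"`. print_help begins outside this hunk.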
@@ -1064,9 +1122,15 @@ void print_help(int mode) {
"\n"
" xauth extract - $DISPLAY\"\n"
"\n"
-" In the case of -unixpw (but not -unixpw_nis), then the\n"
-" cmd= command is run as the user who just authenticated\n"
-" via the login and password prompt.\n"
+" In the case of -unixpw (and -unixpw_nis only if x11vnc\n"
+" is running as root), then the cmd= command is run\n"
+" as the user who just authenticated via the login and\n"
+" password prompt.\n"
+"\n"
+" In the case of -unixpw_cmd, the commands will also be\n"
+" run as the logged-in user, as long as the user-supplied\n"
+" helper program supports RFB_UNIXPW_CMD_RUN (see the\n"
+" -unixpw_cmd option.)\n"
"\n"
" Also in the case of -unixpw, the user logging in can\n"
" place a colon at the end of her username and supply\n"
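Review bot: The new -unixpw_cmd paragraph says the cmd= command "will also be run as the logged-in user, as long as the user-supplied helper program supports RFB_UNIXPW_CMD_RUN", but it does not say what happens when the helper ignores that variable and just exits 0 after checking the password — whether the find/create command is then skipped, run by x11vnc itself (as root, in the root-inetd deployment the help describes), or the login is refused. In this configuration the user switch rests entirely on the helper, so the help should spell out the fallback, e.g. `" If the helper exits 0 without running $RFB_UNIXPW_CMD_RUN, x11vnc <ACTUAL BEHAVIOUR HERE>.\n"`; I cannot tell the actual behaviour from this hunk. print_help begins outside this hunk.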