summaryrefslogtreecommitdiffstats
path: root/x11vnc/help.c
diff options
context:
space:
mode:
Diffstat (limited to 'x11vnc/help.c')
-rw-r--r--x11vnc/help.c42
1 files changed, 30 insertions, 12 deletions
diff --git a/x11vnc/help.c b/x11vnc/help.c
index 548d81f..b465773 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -1619,9 +1619,10 @@ void print_help(int mode) {
" Since this option switches userid it also affects the\n"
" userid used to run the processes for the -accept and\n"
" -gone options. It also affects the ability to read\n"
-" files for options such as -connect, -allow, and -remap.\n"
-" Note that the -connect file is also sometimes written\n"
-" to.\n"
+" files for options such as -connect, -allow, and -remap\n"
+" and also the ultra and tight filetransfer feature if\n"
+" enabled. Note that the -connect file is also sometimes\n"
+" written to.\n"
"\n"
" So be careful with this option since in some situations\n"
" its use can decrease security.\n"
@@ -1630,9 +1631,10 @@ void print_help(int mode) {
" if the display can still be successfully opened as that\n"
" user (this is primarily to try to guess the actual owner\n"
" of the session). Example: \"-users fred,wilma,betty\".\n"
-" Note that a malicious user \"barney\" by quickly using\n"
-" \"xhost +\" when logging in may possibly get the x11vnc\n"
-" process to switch to user \"fred\". What happens next?\n"
+" Note that a malicious local user \"barney\" by\n"
+" quickly using \"xhost +\" when logging in may possibly\n"
+" get the x11vnc process to switch to user \"fred\".\n"
+" What happens next?\n"
"\n"
" Under display managers it may be a long time before\n"
" the switch succeeds (i.e. a user logs in). To instead\n"
@@ -1644,29 +1646,45 @@ void print_help(int mode) {
" \"nobody\") is probably the only use of this option\n"
" that increases security.\n"
"\n"
+" Use the following notation to associate a group with\n"
+" a user: user1.group1,user2.group2,... Note that\n"
+" initgroups(2) will still be called first to try to\n"
+" switch to ALL of a user's groups (primary and additional\n"
+" groups). Only if that fails or it is not available\n"
+" then the single group specified as above (or the user's\n"
+" primary group if not specified) is switched to with\n"
+" setgid(2). Use -env X11VNC_SINGLE_GROUP=1 to prevent\n"
+" trying initgroups(2) and only switch to the single\n"
+" group. This sort of setting is only really needed to\n"
+" make the ultra or tight filetransfer permissions work\n"
+" properly. This format applies to any comma separated list\n"
+" of users, even the special \"=\" modes described below.\n"
+"\n"
" In -unixpw mode, if \"-users unixpw=\" is supplied\n"
" then after a user authenticates himself via the\n"
" -unixpw mechanism, x11vnc will try to switch to that\n"
" user as though \"-users +username\" had been supplied.\n"
" If you want to limit which users this will be done for,\n"
" provide them as a comma separated list after \"unixpw=\"\n"
+" Groups can also be specified as described above.\n"
"\n"
" Similarly, in -ssl mode, if \"-users sslpeer=\" is\n"
" supplied then after an SSL client authenticates with his\n"
" cert (the -sslverify option is required for this) x11vnc\n"
" will extract a UNIX username from the \"emailAddress\"\n"
-" field (username@hostname.com) of the \"Subject\" in the\n"
+" field (username@hostname.com) of the \"Subject\" of the\n"
" x509 SSL cert and then try to switch to that user as\n"
" though \"-users +username\" had been supplied. If you\n"
" want to limit which users this will be done for, provide\n"
" them as a comma separated list after \"sslpeer=\".\n"
" Set the env. var X11VNC_SSLPEER_CN to use the Common\n"
" Name (normally a hostname) instead of the Email field.\n"
-" NOTE: the x11vnc administrator must take great care\n"
-" that any client certs he adds to -sslverify have the\n"
-" correct UNIX username in the \"emailAddress\" field\n"
-" of the cert. Otherwise a user may be able to log in\n"
-" as another. The following command can be of use in\n"
+"\n"
+" NOTE: for sslpeer= mode the x11vnc administrator must\n"
+" take care that any client certs he adds to -sslverify\n"
+" have the intended UNIX username in the \"emailAddress\"\n"
+" field of the cert. Otherwise a user may be able to\n"
+" log in as another. This command can be of use in\n"
" checking: \"openssl x509 -text -in file.crt\", see the\n"
" \"Subject:\" line. Also, along with the normal RFB_*\n"
" env. vars. (see -accept) passed to external cmd=\n"