The configured VNC security method should apply only to VNC clients. …

…The web interface, going through WebSocket, should not be affected.
jlesage · Nov 22, 2024 · 06bb023 · 06bb023
1 parent 21a63eb
commit 06bb023
Show file tree

Hide file tree

Showing 3 changed files with 137 additions and 0 deletions.
diff --git a/rootfs/etc/services.d/xvnc/params b/rootfs/etc/services.d/xvnc/params
@@ -73,6 +73,7 @@ if [ -n "$PASSWORD_FILE" ]; then
     else
         echo "-SecurityTypes=X509Vnc,TLSVnc"
     fi
+    echo "-InternalConnectionSecurityTypes=VncAuth"
     echo "-rfbauth=$PASSWORD_FILE"
 else
     # Without password.
@@ -81,6 +82,7 @@ else
     else
         echo "-SecurityTypes=X509None,TLSNone"
     fi
+    echo "-InternalConnectionSecurityTypes=None"
 fi
 
 if is-bool-val-true "${SECURE_CONNECTION:-0}" && [ "${SECURE_CONNECTION_VNC_METHOD:-SSL}" != "SSL" ]; then

diff --git a/src/tigervnc/build.sh b/src/tigervnc/build.sh
@@ -364,6 +364,8 @@ patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/vncpasswd-static.patch
 patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/disable-pam.patch
 # Fix static build.
 patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/static-build.patch
+# Support for internal connection security types.
+patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/internal-conn-sec-types.patch
 
 log "Configuring TigerVNC..."
 (

diff --git a/src/tigervnc/internal-conn-sec-types.patch b/src/tigervnc/internal-conn-sec-types.patch
@@ -0,0 +1,133 @@
+#
+# This patch adds the ability to configure a different of security types for
+# internal connection (e.g. Unix domain socket).
+#
+--- a/common/rfb/SConnection.cxx
++++ b/common/rfb/SConnection.cxx
+@@ -45,6 +45,7 @@ static LogWriter vlog("SConnection");
+
+ SConnection::SConnection(AccessRights accessRights)
+   : readyForSetColourMapEntries(false),
++    isInternal(false),
+     is(0), os(0), reader_(0), writer_(0), ssecurity(0),
+     authFailureTimer(this, &SConnection::handleAuthFailureTimeout),
+     state_(RFBSTATE_UNINITIALISED), preferredEncoding(encodingRaw),
+@@ -71,6 +76,17 @@ void SConnection::setStreams(rdr::InStream* is_, rdr::OutStream* os_)
+   os = os_;
+ }
+
++void SConnection::setInternal(bool internal)
++{
++  isInternal = internal;
++  security.UpdateSecTypes(this);
++}
++
++bool SConnection::getInternal()
++{
++  return isInternal;
++}
++
+ void SConnection::initialiseProtocol()
+ {
+   char str[13];
+--- a/common/rfb/SConnection.h
++++ b/common/rfb/SConnection.h
+@@ -56,6 +56,11 @@ namespace rfb {
+     // (i.e. SConnection will not delete them).
+     void setStreams(rdr::InStream* is, rdr::OutStream* os);
+
++    // setInternal() is used to indicate if this is an internal connection, like
++    // from a Unix Domain Socket.
++    void setInternal(bool internal);
++    bool getInternal();
++
+     // initialiseProtocol() should be called once the streams and security
+     // types are set.  Subsequently, processMsg() should be called whenever
+     // there is data to read on the InStream.
+@@ -242,6 +248,8 @@ namespace rfb {
+
+     int defaultMajorVersion, defaultMinorVersion;
+
++    bool isInternal;
++
+     rdr::InStream* is;
+     rdr::OutStream* os;
+
+--- a/common/rfb/SecurityServer.cxx
++++ b/common/rfb/SecurityServer.cxx
+@@ -54,6 +54,19 @@ StringParameter SecurityServer::secTypes
+  "VncAuth",
+ ConfServer);
+
++StringParameter SecurityServer::internalConnectionSecTypes
++("InternalConnectionSecurityTypes",
++ "Specify which security scheme to use for internal connections (None, VncAuth, Plain"
++#ifdef HAVE_GNUTLS
++ ", TLSNone, TLSVnc, TLSPlain, X509None, X509Vnc, X509Plain"
++#endif
++#ifdef HAVE_NETTLE
++ ", RA2, RA2ne, RA2_256, RA2ne_256"
++#endif
++ ")",
++ "",
++ConfServer);
++
+ SSecurity* SecurityServer::GetSSecurity(SConnection* sc, uint32_t secType)
+ {
+   if (!IsSupported(secType))
+@@ -94,3 +107,13 @@ bail:
+   throw Exception("Security type not supported");
+ }
+
++void SecurityServer::UpdateSecTypes(SConnection *sc)
++{
++  std::list<uint32_t> newSecTypes;
++  if (sc->getInternal())
++    newSecTypes = parseSecTypes(internalConnectionSecTypes);
++  if (newSecTypes.size() == 0)
++    newSecTypes = parseSecTypes(secTypes);
++  SetSecTypes(newSecTypes);
++}
++
+--- a/common/rfb/SecurityServer.h
++++ b/common/rfb/SecurityServer.h
+@@ -35,7 +35,10 @@ namespace rfb {
+     /* Create server side SSecurity class instance */
+     SSecurity* GetSSecurity(SConnection* sc, uint32_t secType);
+
++    void UpdateSecTypes(SConnection* sc);
++
+     static StringParameter secTypes;
++    static StringParameter internalConnectionSecTypes;
+   };
+
+ }
+--- a/common/rfb/VNCSConnectionST.cxx
++++ b/common/rfb/VNCSConnectionST.cxx
+@@ -22,6 +22,8 @@
+ #include <config.h>
+ #endif
+
++#include <sys/socket.h>
++
+ #include <network/TcpSocket.h>
+
+ #include <rfb/ComparingUpdateTracker.h>
+@@ -73,6 +75,17 @@ VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
+     else
+       idleTimer.start(secsToMillis(rfb::Server::idleTimeout));
+   }
++
++  // Determine is this is an internal connection
++  {
++    struct sockaddr addr;
++    socklen_t salen = sizeof(addr);
++    if (getsockname(sock->getFd(), &addr, &salen) == 0) {
++      if (addr.sa_family == AF_UNIX) {
++        setInternal(true);
++      }
++    }
++  }
+ }
+
+