From 06bb02310d46389c40d993e83eb0ae1df1bc5dd7 Mon Sep 17 00:00:00 2001 From: Jocelyn Le Sage Date: Tue, 19 Nov 2024 12:06:38 -0500 Subject: [PATCH] The configured VNC security method should apply only to VNC clients. The web interface, going through WebSocket, should not be affected. --- rootfs/etc/services.d/xvnc/params | 2 + src/tigervnc/build.sh | 2 + src/tigervnc/internal-conn-sec-types.patch | 133 +++++++++++++++++++++ 3 files changed, 137 insertions(+) create mode 100644 src/tigervnc/internal-conn-sec-types.patch diff --git a/rootfs/etc/services.d/xvnc/params b/rootfs/etc/services.d/xvnc/params index b4a52e1..393afb7 100755 --- a/rootfs/etc/services.d/xvnc/params +++ b/rootfs/etc/services.d/xvnc/params @@ -73,6 +73,7 @@ if [ -n "$PASSWORD_FILE" ]; then else echo "-SecurityTypes=X509Vnc,TLSVnc" fi + echo "-InternalConnectionSecurityTypes=VncAuth" echo "-rfbauth=$PASSWORD_FILE" else # Without password. @@ -81,6 +82,7 @@ else else echo "-SecurityTypes=X509None,TLSNone" fi + echo "-InternalConnectionSecurityTypes=None" fi if is-bool-val-true "${SECURE_CONNECTION:-0}" && [ "${SECURE_CONNECTION_VNC_METHOD:-SSL}" != "SSL" ]; then diff --git a/src/tigervnc/build.sh b/src/tigervnc/build.sh index a1c5822..1e51b4f 100755 --- a/src/tigervnc/build.sh +++ b/src/tigervnc/build.sh @@ -364,6 +364,8 @@ patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/vncpasswd-static.patch patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/disable-pam.patch # Fix static build. patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/static-build.patch +# Support for internal connection security types. +patch -p1 -d /tmp/tigervnc < "$SCRIPT_DIR"/internal-conn-sec-types.patch log "Configuring TigerVNC..." ( diff --git a/src/tigervnc/internal-conn-sec-types.patch b/src/tigervnc/internal-conn-sec-types.patch new file mode 100644 index 0000000..2300479 --- /dev/null +++ b/src/tigervnc/internal-conn-sec-types.patch @@ -0,0 +1,133 @@ +# +# This patch adds the ability to configure a different of security types for +# internal connection (e.g. Unix domain socket). +# +--- a/common/rfb/SConnection.cxx ++++ b/common/rfb/SConnection.cxx +@@ -45,6 +45,7 @@ static LogWriter vlog("SConnection"); + + SConnection::SConnection(AccessRights accessRights) + : readyForSetColourMapEntries(false), ++ isInternal(false), + is(0), os(0), reader_(0), writer_(0), ssecurity(0), + authFailureTimer(this, &SConnection::handleAuthFailureTimeout), + state_(RFBSTATE_UNINITIALISED), preferredEncoding(encodingRaw), +@@ -71,6 +76,17 @@ void SConnection::setStreams(rdr::InStream* is_, rdr::OutStream* os_) + os = os_; + } + ++void SConnection::setInternal(bool internal) ++{ ++ isInternal = internal; ++ security.UpdateSecTypes(this); ++} ++ ++bool SConnection::getInternal() ++{ ++ return isInternal; ++} ++ + void SConnection::initialiseProtocol() + { + char str[13]; +--- a/common/rfb/SConnection.h ++++ b/common/rfb/SConnection.h +@@ -56,6 +56,11 @@ namespace rfb { + // (i.e. SConnection will not delete them). + void setStreams(rdr::InStream* is, rdr::OutStream* os); + ++ // setInternal() is used to indicate if this is an internal connection, like ++ // from a Unix Domain Socket. ++ void setInternal(bool internal); ++ bool getInternal(); ++ + // initialiseProtocol() should be called once the streams and security + // types are set. Subsequently, processMsg() should be called whenever + // there is data to read on the InStream. +@@ -242,6 +248,8 @@ namespace rfb { + + int defaultMajorVersion, defaultMinorVersion; + ++ bool isInternal; ++ + rdr::InStream* is; + rdr::OutStream* os; + +--- a/common/rfb/SecurityServer.cxx ++++ b/common/rfb/SecurityServer.cxx +@@ -54,6 +54,19 @@ StringParameter SecurityServer::secTypes + "VncAuth", + ConfServer); + ++StringParameter SecurityServer::internalConnectionSecTypes ++("InternalConnectionSecurityTypes", ++ "Specify which security scheme to use for internal connections (None, VncAuth, Plain" ++#ifdef HAVE_GNUTLS ++ ", TLSNone, TLSVnc, TLSPlain, X509None, X509Vnc, X509Plain" ++#endif ++#ifdef HAVE_NETTLE ++ ", RA2, RA2ne, RA2_256, RA2ne_256" ++#endif ++ ")", ++ "", ++ConfServer); ++ + SSecurity* SecurityServer::GetSSecurity(SConnection* sc, uint32_t secType) + { + if (!IsSupported(secType)) +@@ -94,3 +107,13 @@ bail: + throw Exception("Security type not supported"); + } + ++void SecurityServer::UpdateSecTypes(SConnection *sc) ++{ ++ std::list newSecTypes; ++ if (sc->getInternal()) ++ newSecTypes = parseSecTypes(internalConnectionSecTypes); ++ if (newSecTypes.size() == 0) ++ newSecTypes = parseSecTypes(secTypes); ++ SetSecTypes(newSecTypes); ++} ++ +--- a/common/rfb/SecurityServer.h ++++ b/common/rfb/SecurityServer.h +@@ -35,7 +35,10 @@ namespace rfb { + /* Create server side SSecurity class instance */ + SSecurity* GetSSecurity(SConnection* sc, uint32_t secType); + ++ void UpdateSecTypes(SConnection* sc); ++ + static StringParameter secTypes; ++ static StringParameter internalConnectionSecTypes; + }; + + } +--- a/common/rfb/VNCSConnectionST.cxx ++++ b/common/rfb/VNCSConnectionST.cxx +@@ -22,6 +22,8 @@ + #include + #endif + ++#include ++ + #include + + #include +@@ -73,6 +75,17 @@ VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s, + else + idleTimer.start(secsToMillis(rfb::Server::idleTimeout)); + } ++ ++ // Determine is this is an internal connection ++ { ++ struct sockaddr addr; ++ socklen_t salen = sizeof(addr); ++ if (getsockname(sock->getFd(), &addr, &salen) == 0) { ++ if (addr.sa_family == AF_UNIX) { ++ setInternal(true); ++ } ++ } ++ } + } + +