Can one use Xvnc from xdm _and_ ensure only the user who logged in has access?

Waltner, Steve swaltner "at" lsil.com
Tue, 07 Nov 2000 20:31:03 +0000


I haven't done the coding, but this would do what you want to do.

- Edit the source code for Xvnc to use /tmp/vncpasswd-<displaynum> as the
password file
- Start up the Xvnc process as nobody
- In the xstartup file, replace /tmp/vncpasswd-<displaynum> with the user's
own ~/.vnc/passwd file to change the password for that session

Problems I see are getting around the sticky bit security on /tmp which
keeps one user from deleting another user's file even though there is world
write permission on the directory. There is also the potential need to add
some information to each user's startup files, which could cause security
problems if people didn't follow the directions precisely.

I do know that replacing the passwd file for Xvnc updates the password. No
signal is necessary to get it to reread the config file. I developed this
vncshadow script for Solaris that allows me to use root's password to shadow
a user's existing VNC session. It saves me the hassle of walking around the
building for support issues.

=================================
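#!/bin/sh
#
# Shadow a VNC session
#

if [ $# -ne 1 ]; then
  echo "vncshadow <display>"
  echo "  <display> format --> :1"
  exit 1
fi

# Accept only a colon followed by one or more digits
rest=`echo "$1" | sed -e 's/^:[0-9][0-9]*$//'`
if [ "X$rest" != "X" ]; then
  echo "vncshadow <display>"
  echo "  <display> format --> :1"
  exit 1
fi

# Owner of the Xvnc process serving this display
user=`/usr/ucb/ps -aux | grep "Xvnc $1 " | grep -v grep | awk '{print $1}'`

if [ "X$user" = "X" ]; then
  echo "Invalid VNC display number"
  exit 1
fi

# Put the user's own password file back
restore() {
  rm -f "/home/$user/.vnc/passwd"
  mv "/home/$user/.vnc/passwd.save" "/home/$user/.vnc/passwd"
}

mv "/home/$user/.vnc/passwd" "/home/$user/.vnc/passwd.save" || exit 1
# Restore also when the viewer is interrupted (HUP, INT, TERM)
trap 'restore; exit 1' 1 2 15
cp /home/sys-admin/data/passwd.vncshadow "/home/$user/.vnc/passwd"
chown "$user" "/home/$user/.vnc/passwd"
# Keep the temporary password file readable by its owner only
chmod 600 "/home/$user/.vnc/passwd"
/usr/common/vnc-3.3.3r1/vncviewer -shared "`hostname`$1"
restore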
=================================

--
Steve Waltner
LSI Logic
Steve.Waltner "at" lsil.com

> ----------
> From: 	Denes Molnar
> Reply To: 	vnc-list "at" uk.research.att.com
> Sent: 	Wednesday, November 1, 2000 11:19 PM
> To: 	Tim Waugh
> Cc: 	vnc-list "at" uk.research.att.com
> Subject: 	Re: Can one use Xvnc from xdm _and_ ensure only the user who
> logged in has access?
> 
> Hi,
> 
> Thanks for the tip. Unfortunately, it is not really what I want to
> achieve. I think the problem is that what I want requires changing the vnc
> password of an already running session. I wonder whether one can "ask" vnc
> (e.g., by sending some signal) to reread the password file. Or else, I
> would have to let the users go past the login screen and create the vnc
> session only after that - I wish I knew how.
> 
> Thanks anyway,
> 
> Denes Molnar
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to majordomo "at" uk.research.att.com
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
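
Added example (not part of the original message or of the VNC distribution): one way to do the password-file swap discussed above so that a symlinked target is refused and the new file is owner-only before it is renamed into place. It assumes a POSIX shell with mktemp available; the function names and demo file names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# passwd_is_private FILE: succeed only for a regular file (not a symlink)
# with no group or other permission bits set.
passwd_is_private() {
  [ -L "$1" ] && return 1
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | awk '{print $1}')
  case $mode in
    -???------*) return 0 ;;
    *) return 1 ;;
  esac
}

# swap_passwd NEW TARGET: install a copy of NEW as TARGET, keeping the
# previous file as TARGET.save. Run as the owner of TARGET's directory.
swap_passwd() {
  new=$1
  target=$2
  if [ -L "$target" ]; then
    echo "refusing to replace symlink: $target" >&2
    return 1
  fi
  # mktemp creates the file mode 0600 under an unpredictable name
  tmp=$(mktemp "$(dirname "$target")/.passwd.XXXXXX") || return 1
  if ! cat "$new" > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  [ -f "$target" ] && cp -p "$target" "$target.save"
  # rename() within one directory is atomic: Xvnc sees old or new, never half
  mv -f "$tmp" "$target"
}

# restore_passwd TARGET: put the saved file back.
restore_passwd() {
  [ -f "$1.save" ] && mv -f "$1.save" "$1"
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
printf 'user-secret' > "$demo/passwd"
chmod 644 "$demo/passwd"
printf 'shadow-secret' > "$demo/shadow"
swap_passwd "$demo/shadow" "$demo/passwd" &&
  passwd_is_private "$demo/passwd" && echo "swapped, owner-only"
restore_passwd "$demo/passwd" && echo "restored"
rm -rf "$demo"
```

When run as root on behalf of another user, chown the temporary file to that user before the final mv so the Xvnc process can still read it.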