vncconnect DOES NOT ask for password!!
Theo Lengyel
realvnc.com@elumen.net
Tue Jun 17 20:19:00 2003
> You neglect to mention what user you are using.
>
I was running as a regular user. William is right that the program
runs as expected under normal use. I guess I was doing something a bit
strange when I was setting up a desktop for one of my users. I ran it
via `su'. After looking closer I now see the exact steps which led
to this behavior ...
as root ... (or any user for that matter, as it turns out)
root: # su - joe -c vncserver
New 'X' desktop is foo.bar.net:6
Starting applications specified in /home/joe/.vnc/xstartup
Log file is /home/joe/.vnc/foo.bar.net:6.log
root: #
now, as user mary ...
mary: $ vncviewer -listen 99 &
vncviewer -listen: Listening on port 5599 (flash port 5499)
vncviewer -listen: Command line errors are not reported until a connection comes in.
mary: $ vncconnect -display :6 localhost:5599
# ! BANG! I now see joe's desktop
Strangely enough, it even works when root does an `su - root ...'
root: # su - root -c vncserver
New 'X' desktop is foo.bar.net:7
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/foo.bar.net:7.log
root: #
mary: $ vncconnect -display :7 localhost:5599
# !! BANG!! I now see root's desktop
Hmmm what about mary:
mary: $ su - root -c vncserver
New 'X' desktop is foo.bar.net:8
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/foo.bar.net:8.log
mary: $
Now let's be joe ... (since we did su from mary's login, using joe
makes it so we're connecting with a totally different set of real and
effective userIDs)
joe: $ vncviewer -listen 88 &
vncviewer -listen: Listening on port 5588 (flash port 5488)
vncviewer -listen: Command line errors are not reported until a connection comes in.
joe: $ vncconnect -display :8 localhost:5588
# !! BANG!! BANG!! I now see root's desktop again!
So, is this a problem with `su'? I wonder how it would behave using
ssh in place of su?
Let's see ...
mary: $ ssh -l root localhost 'vncserver'
New 'X' desktop is foo.bar.net:9
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/foo.bar.net:9.log
joe: $ vncconnect -display :9 localhost:5509
Xlib: connection to ":9.0" refused by server
Xlib: Client is not authorized to connect to Server
vncconnect: unable to open display ":9"
OK ... so with `ssh' it seems OK but when used in conjunction with
`su' there seems to be a real problem. Is there something about su
that would cause it to bypass xauth?
theo
> Date: Fri, 13 Jun 2003 19:21:03 -0400 (EDT)
> Subject: Re: vncconnect DOES NOT ask for password!!
> From: "William Hooper" <whooper@freeshell.org>
> To: vnc-list@realvnc.com
>
> Theo Lengyel said:
> [snip]
> > I have noticed that by using the following combination, I can open
> > a session with ANY RUNNING VNCSERVER on that machine!!
>
> You neglect to mention what user you are using.
>
> > I am running on Linux Mandrake 9.1, tightvnc 1.2.7-2,
> >
> > # first run the viewer in reverse mode:
> > # (-listen 99 makes it listen on port 5599)
> >
> > $ vncviewer -listen 99 &
>
> [whooper@butters whooper]$ vncviewer -listen 99 &
>
> > # let's see the running servers ...
> >
> > $ ps auxw | grep Xvnc
> > root [snip] Xvnc :0 -desktop X -ht ... etc.
> > wanda [snip] Xvnc :1 -desktop X -http ... etc.
> > jack [snip] Xvnc :2 -desktop X -httpd ... etc.
> > mark [snip] Xvnc :3 -desktop X -httpd /u ... etc.
>
> [whooper@butters whooper]$ ps waux | grep Xvnc
> whoopertest [snip] Xvnc :1 -desktop X...
> whooper [snip] Xvnc :2 -desktop X...
> whooper [snip] grep Xvnc
>
>
> > # take your pick of X display numbers and you can open a
> > # connection with vncconnect ...
> > # let's pick the display number root is using :0
> >
> > $ vncconnect -display :0 localhost:5599
>
> [whooper@butters whooper]$ vncconnect -display :1 localhost:5599
> Xlib: connection to ":1.0" refused by server
> Xlib: Client is not authorized to connect to Server
> vncconnect: unable to open display ":1"
> [whooper@butters whooper]$
>
> [whooper@butters whooper]$ vncconnect -display :2 localhost:5599
>
> Works as expected.
>
> [whooper@butters whooper]$ vncviewer :1
> VNC server supports protocol version 3.3 (viewer 3.3)
> Password:
> VNC authentication succeeded
>
> (inside VNC session)
> [whoopertest@butters whoopertest]$ xhost +
> access control disabled, clients can connect from any host
> [whoopertest@butters whoopertest]$
>
> (back outside VNC session)
> [whooper@butters whooper]$ vncconnect -display :1 localhost:5599
>
> Works.
>
> Looks like you have xhost (or xauth) issues. What do your log files say?
>
> --
> William Hooper
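
An added example, not part of the original posts and not TightVNC or RealVNC code: a small audit script that tells an administrator which local X displays (Xvnc ones included) accept a client presenting no authorization at all, which is the condition vncconnect ran into above. It sends the X11 connection-setup request with empty authorization fields and reads the server's status byte. The function names are made up for this example, and the socket directory /tmp/.X11-unix is assumed to be where the displays listen.

```python
import glob
import socket
import struct

# X11 connection-setup status codes (first byte of the server's reply).
STATUS = {0: "refused", 1: "open", 2: "authenticate"}


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from X server")
        buf += chunk
    return buf


def probe_socket(sock):
    """Send a setup request carrying no authorization and classify the reply."""
    # byte order 'l', pad, protocol 11.0, auth-name length 0, auth-data length 0, pad
    sock.sendall(struct.pack("<BxHHHHxx", 0x6C, 11, 0, 0, 0))
    status, reason_len, _major, _minor, extra_words = struct.unpack(
        "<BBHHH", recv_exact(sock, 8))
    reason = ""
    if status == 0:  # Failed: the reason string follows the 8-byte header
        reason = recv_exact(sock, extra_words * 4)[:reason_len].decode("latin-1")
    return STATUS.get(status, "unknown"), reason


def probe_display(number, socket_dir="/tmp/.X11-unix"):
    """Probe local display :<number> through its Unix-domain socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(3)
        s.connect(f"{socket_dir}/X{number}")
        return probe_socket(s)


if __name__ == "__main__":
    for path in sorted(glob.glob("/tmp/.X11-unix/X*")):
        number = path.rsplit("X", 1)[1]
        try:
            state, reason = probe_display(number)
        except OSError as exc:
            state, reason = "error", str(exc)
        print(f":{number}\t{state}\t{reason}")
```

Run it from an unprivileged account that does not own the displays: a result of "open" means the server accepted that account without a cookie, while "refused" carries the same reason string Xlib prints in the sessions above.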