Support the "%u" username alias in PlainUsers
This permits enabling PAM for the effective user of the Xvnc process by
adding this to ~/.vnc/config or /etc/tigervnc/vncserver-config-defaults:

   SecurityTypes=TLSPlain
   PlainUsers=%u

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2233204
Signed-off-by: Carlos Santos <[email protected]>
casantos committed Sep 10, 2023
1 parent 963f11e commit dda8e45
Showing 3 changed files with 15 additions and 4 deletions.
9 changes: 9 additions & 0 deletions common/rfb/SSecurityPlain.cxx
Expand Up @@ -28,6 +28,8 @@
#include <rdr/InStream.h>
#if !defined(WIN32) && !defined(__APPLE__)
#include <rfb/UnixPasswordValidator.h>
#include <unistd.h>
#include <pwd.h>
#endif
#ifdef WIN32
#include <rfb/WinPasswdValidator.h>
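Review bot: The new code in validUser() calls strcmp(), but this include block adds only <unistd.h> and <pwd.h>. If <string.h> is not already included further up in SSecurityPlain.cxx, add it next to these two inside the same `#if !defined(WIN32) && !defined(__APPLE__)` guard rather than relying on a transitive include.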
Expand All @@ -53,6 +55,13 @@ bool PasswordValidator::validUser(const char* username)
for (size_t i = 0; i < users.size(); i++) {
if (users[i] == "*")
return true;
#if !defined(WIN32) && !defined(__APPLE__)
if (users[i] == "%u") {
struct passwd *pw = getpwuid(geteuid());
if (pw && !strcmp(pw->pw_name, username))
return true;
}
#endif
if (users[i] == username)
return true;
}
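Review bot: In the "%u" branch, a lookup that fails or does not match falls through to `if (users[i] == username)`, so the alias string itself is also compared literally against the client-supplied name. Add a `continue` at the end of the block so that "%u" is only ever treated as an alias. A NULL return from getpwuid() is also ignored silently; logging that case would make a "PlainUsers=%u" setup that rejects everyone easier to diagnose. Since getpwuid() returns a pointer to static storage, getpwuid_r() would be the safer call if validUser() can run on more than one thread.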
5 changes: 3 additions & 2 deletions unix/x0vncserver/x0vncserver.man
Expand Up @@ -125,8 +125,9 @@ parameter instead.
.B \-PlainUsers \fIuser-list\fP
A comma separated list of user names that are allowed to authenticate via
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
to allow any user to authenticate using this security type. Default is to
deny all users.
to allow any user to authenticate using this security type. Specify \fB%u\fP
to allow the effective user of the server process. Default is to deny all
users.
.
.TP
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
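Review bot: The added sentence on \fB%u\fP does not mention that the alias is only compiled in when neither WIN32 nor __APPLE__ is defined (the guard around the new branch in SSecurityPlain.cxx). State that limitation in this paragraph, because on other builds a "%u" entry is not expanded and is just compared as an ordinary name.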
5 changes: 3 additions & 2 deletions unix/xserver/hw/vnc/Xvnc.man
Expand Up @@ -200,8 +200,9 @@ parameter instead.
.B \-PlainUsers \fIuser-list\fP
A comma separated list of user names that are allowed to authenticate via
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
to allow any user to authenticate using this security type. Default is to
deny all users.
to allow any user to authenticate using this security type. Specify \fB%u\fP
to allow the effective user of the server process. Default is to deny all
users.
.
.TP
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
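Review bot: "the effective user of the server process" matches the geteuid() lookup, but the consequence is worth spelling out in this paragraph: when Xvnc is started as root, \fB%u\fP resolves to root and lets that account authenticate with its password. Suggest adding a sentence saying so, and noting that the alias can appear alongside explicit names in the comma separated list.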