x11vnc: fix keycode and other remote control actions under

DIRECT: with an extra XFlush and other safety measures. fflush(stderr) much in su_verify. Make the -unixpw env. vars UNIXPW_DISABLE_SSL and UNIXPW_DISABLE_LOCALHOST work correctly. Make -loopbg actually imply -bg.
15 years ago · 06987b1c02
parent d6c012e968
commit 06987b1c02
9 changed files with 1336 additions and 1271 deletions
--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
@ -1,3 +1,10 @@
 2009-12-18  Karl Runge <runge@karlrunge.com>
 	* x11vnc: fix keycode and other remote control actions under
 	  DIRECT: with an extra XFlush and other safety measures.
 	  fflush(stderr) much in su_verify.  Make the -unixpw env. vars
 	  UNIXPW_DISABLE_SSL and UNIXPW_DISABLE_LOCALHOST work correctly.
 	  Make -loopbg actually imply -bg.
 2009-12-15  Karl Runge <runge@karlrunge.com>
 	* x11vnc: X11VNC_REMOTE, X11VNC_TICKER, and VNC_CONNECT properties
 	  names can be changed via env. vars (e.g. for multiple
--- a/x11vnc/README
+++ b/x11vnc/README
--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@ -2783,6 +2783,7 @@ void reverse_connect(char *str) {
 void set_vnc_connect_prop(char *str) {
 	RAWFB_RET_VOID
 #if !NO_X11
 	if (vnc_connect_prop == None) return;
 	XChangeProperty(dpy, rootwin, vnc_connect_prop, XA_STRING, 8,
 	    PropModeReplace, (unsigned char *)str, strlen(str));
 #else
@ -2793,6 +2794,7 @@ void set_vnc_connect_prop(char *str) {
 void set_x11vnc_remote_prop(char *str) {
 	RAWFB_RET_VOID
 #if !NO_X11
 	if (x11vnc_remote_prop == None) return;
 	XChangeProperty(dpy, rootwin, x11vnc_remote_prop, XA_STRING, 8,
 	    PropModeReplace, (unsigned char *)str, strlen(str));
 #else
@ -3280,6 +3282,9 @@ int set_xprop(char *prop, Window win, char *value) {
 		win = rootwin;
 	}
 	aprop = XInternAtom(dpy, prop, False);
 	if (aprop == None) {
 		return rc;
 	}
 	rc = XChangeProperty(dpy, win, aprop, XA_STRING, 8,
 	    PropModeReplace, (unsigned char *)value, strlen(value));
 	return rc;
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@ -913,20 +913,24 @@ void print_help(int mode) {
 "                       environment variables before starting x11vnc:\n"
 "\n"
 "                       Set UNIXPW_DISABLE_SSL=1 to disable requiring either\n"
-"                       -ssl or -stunnel.  Evidently you will be using a\n"
+"                       -ssl or -stunnel (as under SSH_CONNECTION.)  Evidently\n"
-"                       different method to encrypt the data between the\n"
+"                       you will be using a different method to encrypt the\n"
-"                       vncviewer and x11vnc: perhaps ssh(1) or an IPSEC VPN.\n"
+"                       data between the vncviewer and x11vnc: perhaps ssh(1)\n"
-"\n"
+"                       or an IPSEC VPN. -localhost is still enforced (however,\n"
-"                       Note that use of -localhost with ssh(1) is roughly\n"
+"                       see the next paragraph.)\n"
 "                       the same as requiring a Unix user login (since a Unix\n"
 "                       password or the user's public key authentication is\n"
 "                       used by sshd on the machine where x11vnc runs and only\n"
 "                       local connections from that machine are accepted).\n"
 "\n"
 "                       Set UNIXPW_DISABLE_LOCALHOST=1 to disable the -localhost\n"
-"                       requirement in Method 2).  One should never do this\n"
+"                       requirement in -unixpw modes.  One should never do this\n"
 "                       (i.e. allow the Unix passwords to be sniffed on the\n"
-"                       network.)\n"
+"                       network.)  This also disables the localhost requirement\n"
 "                       for reverse connections (see below.)\n"
 "\n"
 "                       Note that use of -localhost with ssh(1) (and no -unixpw)\n"
 "                       is roughly the same as requiring a Unix user login\n"
 "                       (since a Unix password or the user's public key\n"
 "                       authentication is used by sshd on the machine where\n"
 "                       x11vnc runs and only local connections from that machine\n"
 "                       are accepted).\n"
 "\n"
 "                       Regarding reverse connections (e.g. -R connect:host\n"
 "                       and -connect host), when the -localhost constraint is\n"
--- a/x11vnc/remote.c
+++ b/x11vnc/remote.c
@ -4176,6 +4176,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 			} else {
 				XTestFakeKeyEvent_wr(dpy, kc, down, CurrentTime);
 			}
 			XFlush_wr(dpy);
 			X_UNLOCK;
 		}
 		goto done;
@ -4243,6 +4244,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
 			X_LOCK;
 			rfbLog("remote_cmd: XTestFakeButtonEvent(mb=%d, down=%d)\n", mb, down);
 			XTestFakeButtonEvent_wr(dpy, mb, down ? True : False, CurrentTime);
 			XFlush_wr(dpy);
 			X_UNLOCK;
 		}
--- a/x11vnc/unixpw.c
+++ b/x11vnc/unixpw.c
@ -960,6 +960,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 		first = 0;
 	}
 	rfbLog("su_verify: '%s' for %s.\n", user, cmd ? "command" : "login");
 	fflush(stderr);
 	if (! scheck(user, 100, "username")) {
 		return 0;
@ -992,6 +993,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 	}
 	if (bin_su == NULL) {
 		rfbLogPerror("existence /bin/su");
 		fflush(stderr);
 		return 0;
 	}
@ -1006,6 +1008,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 	}
 	if (bin_true == NULL) {
 		rfbLogPerror("existence /bin/true");
 		fflush(stderr);
 		return 0;
 	}
@ -1013,6 +1016,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 	if (slave == NULL) {
 		rfbLogPerror("get_pty failed.");
 		fflush(stderr);
 		return 0;
 	}
@ -1021,6 +1025,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 	if (fd < 0) {
 		rfbLogPerror("get_pty fd < 0");
 		fflush(stderr);
 		return 0;
 	}
@ -1029,6 +1034,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 	pid = fork();
 	if (pid < 0) {
 		rfbLogPerror("fork");
 		fflush(stderr);
 		close(fd);
 		return 0;
 	}
@ -1248,6 +1254,7 @@ int su_verify(char *user, char *pass, char *cmd, char *rbuf, int *rbuf_size, int
 			}
 			if (j >= 32-1) {
 				rfbLog("su_verify: problem finding Password:\n");	
 				fflush(stderr);
 				return 0;
 			}
 			instr[j++] = tolower((unsigned char)cbuf[0]);
@ -1399,10 +1406,12 @@ int unixpw_verify(char *user, char *pass) {
 		if (cmd_verify(user, pass)) {
 			rfbLog("unixpw_verify: cmd_verify login for '%s'"
 			    " succeeded.\n", user);
 			fflush(stderr);
 			ok = 1;
 		} else {
 			rfbLog("unixpw_verify: cmd_verify login for '%s'"
 			    " failed.\n", user);
 			fflush(stderr);
 			usleep(3000*1000);
 			ok = 0;
 		}
@ -1410,10 +1419,12 @@ int unixpw_verify(char *user, char *pass) {
 		if (crypt_verify(user, pass)) {
 			rfbLog("unixpw_verify: crypt_verify login for '%s'"
 			    " succeeded.\n", user);
 			fflush(stderr);
 			ok = 1;
 		} else {
 			rfbLog("unixpw_verify: crypt_verify login for '%s'"
 			    " failed.\n", user);
 			fflush(stderr);
 			usleep(3000*1000);
 			ok = 0;
 		}
@ -1421,10 +1432,12 @@ int unixpw_verify(char *user, char *pass) {
 		if (su_verify(user, pass, NULL, NULL, NULL, 1)) {
 			rfbLog("unixpw_verify: su_verify login for '%s'"
 			    " succeeded.\n", user);
 			fflush(stderr);
 			ok = 1;
 		} else {
 			rfbLog("unixpw_verify: su_verify login for '%s'"
 			    " failed.\n", user);
 			fflush(stderr);
 			/* use su(1)'s sleep */
 			ok = 0;
 		}
@ -1451,6 +1464,7 @@ if (db) fprintf(stderr, "unixpw_verify: '%s' '%s'\n", user, db > 1 ? pass : "***
 		*colon = '\0';
 		rfbLog("unixpw_verify: colon: '%s'\n", user);
 	}
 	fflush(stderr);
 	if (unixpw_client) {
 		cd = (ClientData *) unixpw_client->clientData;
 		if (cd) {
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@ -2,7 +2,7 @@
 .TH X11VNC "1" "December 2009" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.9.9, lastmod: 2009-12-14
+         version: 0.9.9, lastmod: 2009-12-17
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@ -1006,24 +1006,27 @@ To override the above restrictions you can set
 environment variables before starting x11vnc:
 .IP
 Set UNIXPW_DISABLE_SSL=1 to disable requiring either
-\fB-ssl\fR or \fB-stunnel.\fR  Evidently you will be using a
+\fB-ssl\fR or \fB-stunnel\fR (as under SSH_CONNECTION.)  Evidently
-different method to encrypt the data between the
+you will be using a different method to encrypt the
-vncviewer and x11vnc: perhaps 
+data between the vncviewer and x11vnc: perhaps 
 .IR ssh (1)
-or an IPSEC VPN.
+or an IPSEC VPN. \fB-localhost\fR is still enforced (however,
-.IP
+see the next paragraph.)
 Note that use of \fB-localhost\fR with 
 .IR ssh (1)
 is roughly
 the same as requiring a Unix user login (since a Unix
 password or the user's public key authentication is
 used by sshd on the machine where x11vnc runs and only
 local connections from that machine are accepted).
 .IP
 Set UNIXPW_DISABLE_LOCALHOST=1 to disable the \fB-localhost\fR
-requirement in Method 2).  One should never do this
+requirement in \fB-unixpw\fR modes.  One should never do this
 (i.e. allow the Unix passwords to be sniffed on the
-network.)
+network.)  This also disables the localhost requirement
 for reverse connections (see below.)
 .IP
 Note that use of \fB-localhost\fR with 
 .IR ssh (1)
 (and no \fB-unixpw)\fR
 is roughly the same as requiring a Unix user login
 (since a Unix password or the user's public key
 authentication is used by sshd on the machine where
 x11vnc runs and only local connections from that machine
 are accepted).
 .IP
 Regarding reverse connections (e.g. \fB-R\fR connect:host
 and \fB-connect\fR host), when the \fB-localhost\fR constraint is
--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@ -4093,6 +4093,12 @@ int main(int argc, char* argv[]) {
 				    "mode\n");
 			}
 			bg = 0;
 		} else if (!bg && getenv("X11VNC_LOOP_MODE_BG")) {
 			if (! quiet) {
 				fprintf(stderr, "enabling -bg in -loopbg "
 				    "mode\n");
 			}
 			bg = 1;
 		}
 		if (inetd) {
 			if (! quiet) {
@ -4591,10 +4597,18 @@ int main(int argc, char* argv[]) {
 			use_stunnel = 0;
 		}
 		if (! use_stunnel && ! use_openssl) {
-			if (getenv("UNIXPW_DISABLE_LOCALHOST")) {
+			if (getenv("UNIXPW_DISABLE_SSL")) {
 				rfbLog("Skipping -ssl/-stunnel requirement"
 				    " due to\n");
-				rfbLog("UNIXPW_DISABLE_LOCALHOST setting.\n");
+				rfbLog("UNIXPW_DISABLE_SSL setting.\n");
 				if (!getenv("UNIXPW_DISABLE_LOCALHOST")) {
 					if (!got_localhost) {
 						rfbLog("Forcing -localhost mode.\n");
 					}
 					allow_list = strdup("127.0.0.1");
 					got_localhost = 1;
 				}
 			} else if (have_ssh_env()) {
 				char *s = getenv("SSH_CONNECTION");
 				if (! s) s = getenv("SSH_CLIENT");
@ -4605,13 +4619,18 @@ int main(int argc, char* argv[]) {
 				rfbLog("assuming your SSH encryption"
 				    " is:\n");
 				rfbLog("   %s\n", s);
-				rfbLog("Setting -localhost in SSH + -unixpw"
+
-				    " mode.\n");
+				if (!getenv("UNIXPW_DISABLE_LOCALHOST")) {
 					if (!got_localhost) {
 						rfbLog("Setting -localhost in SSH + -unixpw mode.\n");
 					}
 					allow_list = strdup("127.0.0.1");
 					got_localhost = 1;
 				}
 				rfbLog("If you *actually* want SSL, restart"
 				    " with -ssl on the cmdline\n");
 				fprintf(stderr, "\n");
 				allow_list = strdup("127.0.0.1");
 				got_localhost = 1;
 				if (! nopw) {
 					usleep(2000*1000);
 				}
--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@ -47,7 +47,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.9 lastmod: 2009-12-14";
+char lastmod[] = "0.9.9 lastmod: 2009-12-17";
 /* X display info */