author: runge <runge> 2007-05-05 18:28:32 +0000
committer: runge <runge> 2007-05-05 18:28:32 +0000
commit: 1d495291e434af3d8bb8d6ceaf5aa926dea065e9
tree: 333a569b60985693fafd68782115cf6288e03a39
parent: 76d88e31114b5cc0f66f90e76eb9c734bbc9bf4b
filexfer warnings and messages.
-rw-r--r-- x11vnc/README 81
-rw-r--r-- x11vnc/connections.c 2
-rw-r--r-- x11vnc/help.c 18
-rw-r--r-- x11vnc/remote.c 2
-rw-r--r-- x11vnc/sslhelper.c 2
-rw-r--r-- x11vnc/unixpw.c 4
-rw-r--r-- x11vnc/x11vnc.1 18
-rw-r--r-- x11vnc/x11vnc.c 2
-rw-r--r-- x11vnc/xevents.c 3
9 files changed, 98 insertions, 34 deletions
diff --git a/x11vnc/README b/x11vnc/README
index 61b40f0..2899a78 100644
--- a/x11vnc/README
+++ b/x11vnc/README
@@ -1,5 +1,5 @@
-x11vnc README file Date: Sat May 5 10:47:52 EDT 2007
+x11vnc README file Date: Sat May 5 14:09:28 EDT 2007
The following information is taken from these URLs:
@@ -6827,6 +6827,12 @@ ateway and not a broadcaster?)
implemented, you cannot do Tightvnc file transfer in -unixpw mode.
UltraVNC file transfer does work, however.
+ IMPORTANT: please understand if -ultrafilexfer or -tightfilexfer is
+ specified and you run x11vnc as root for, say, inetd or display
+ manager (gdm, kdm, ...) access and you do not have it switch users via
+ the [778]-users option, then VNC Viewers that connect are able to do
+ filetransfer reads and writes as *root*.
+
The UltraVNC and TightVNC settings can be toggled on and off inside
the gui or by -R remote control. However for TightVNC the changed
setting only applies for NEW clients, current clients retain their
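Review bot: The new IMPORTANT paragraph states the exposure (viewers doing filetransfer reads and writes as root) but stops short of telling the reader what to do about it. Suggest closing the paragraph with the remedy: for inetd or display manager setups, either pass -users so x11vnc no longer runs as root when clients connect, or leave out -ultrafilexfer and -tightfilexfer.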
@@ -6843,7 +6849,7 @@ ateway and not a broadcaster?)
these extensions you will need to supply this option to x11vnc:
-rfbversion 3.6
- Or use [778]-ultrafilexfer which is an alias for the above option and
+ Or use [779]-ultrafilexfer which is an alias for the above option and
"-permitfiletransfer". UltraVNC evidently treats any other RFB version
number as non-UltraVNC.
@@ -6855,21 +6861,21 @@ ateway and not a broadcaster?)
* 1/n Server Scaling
* rfbEncodingUltra compression encoding
- To disable SingleWindow and ServerInput use [779]-noultraext (the
+ To disable SingleWindow and ServerInput use [780]-noultraext (the
others are managed by LibVNCServer). See this option too:
- [780]-noserverdpms.
+ [781]-noserverdpms.
Q-112: Can x11vnc emulate UltraVNC's Single Click helpdesk mode? I.e.
something very simple for a naive user to initiate a reverse vnc
connection from their desktop to a helpdesk operator's VNC Viewer.
- Yes, UltraVNC's [781]Single Click (SC) mode can be emulated reasonably
+ Yes, UltraVNC's [782]Single Click (SC) mode can be emulated reasonably
well on Unix.
We use the term "helpdesk" below, but it could be any sort of remote
assistance you want to set up, e.g. something for unix-using friends
- or family to use. This includes [782]Mac OS X.
+ or family to use. This includes [783]Mac OS X.
Assume you create a helpdesk directory "hd" on your website:
http://www.mysite.com/hd
@@ -6972,9 +6978,9 @@ fi
SSL Encrypted Helpdesk Connections: Currently x11vnc does not support
- reverse connections in SSL [783]-ssl mode. This may change in a future
+ reverse connections in SSL [784]-ssl mode. This may change in a future
release, until then you would need to cook up something with
- [784]STUNNEL.
+ [785]STUNNEL.
Update: as of Apr/2007 x11vnc supports reverse connections in SSL.
Recipe below will be updated (TBD), basically you just add "-ssl SAVE"
@@ -7130,7 +7136,7 @@ rypto.a -lwrap
You will have to use an external network redirection for this.
Filesystem mounting is not part of the VNC protocol.
- We show a simple [785]Samba example here.
+ We show a simple [786]Samba example here.
First you will need a tunnel to redirect the SMB requests from the
remote machine to the one you sitting at. We use an ssh tunnel:
@@ -7167,7 +7173,7 @@ d,ip=127.0.0.1,port=1139
far-away> smbumount /home/fred/smb-haystack-pub
At some point we hope to fold some automation for SMB ssh redir setup
- into the [786]Enhanced TightVNC Viewer (SSVNC) package we provide (as
+ into the [787]Enhanced TightVNC Viewer (SSVNC) package we provide (as
of Sep 2006 it is there for testing).
@@ -7177,7 +7183,7 @@ d,ip=127.0.0.1,port=1139
You will have to use an external network redirection for this.
Printing is not part of the VNC protocol.
- We show a simple Unix to Unix [787]CUPS example here. Non-CUPS port
+ We show a simple Unix to Unix [788]CUPS example here. Non-CUPS port
redirections (e.g. LPD) should also be possible, but may be a bit more
tricky. If you are viewing on Windows SMB and don't have a local cups
server it may be trickier still (see below).
@@ -7249,7 +7255,7 @@ d,ip=127.0.0.1,port=1139
"localhost".
At some point we hope to fold some automation for CUPS ssh redir setup
- into the [788]Enhanced TightVNC Viewer (SSVNC) package we provide (as
+ into the [789]Enhanced TightVNC Viewer (SSVNC) package we provide (as
of Sep 2006 it is there for testing).
@@ -7350,7 +7356,7 @@ or:
the applications will fail to run because LD_PRELOAD will point to
libraries of the wrong wordsize.
* At some point we hope to fold some automation for esd or artsd ssh
- redir setup into the [789]Enhanced TightVNC Viewer (SSVNC) package
+ redir setup into the [790]Enhanced TightVNC Viewer (SSVNC) package
we provide (as of Sep/2006 it is there for testing).
@@ -7362,9 +7368,9 @@ or:
in Solaris, see Xserver(1) for how to turn it on via +kb), and so you
won't hear them if the extension is not present.
- If you don't want to hear the beeps use the [790]-nobell option. If
+ If you don't want to hear the beeps use the [791]-nobell option. If
you want to hear the audio from the remote applications, consider
- trying a [791]redirector such as esd.
+ trying a [792]redirector such as esd.
@@ -8158,20 +8164,21 @@ References
775. http://www.unixuser.org/~euske/vnc2swf/
776. http://wolphination.com/linux/2006/06/30/how-to-record-videos-of-your-desktop/
777. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-nofilexfer
- 778. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-ultrafilexfer
- 779. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-noultraext
- 780. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-noserverdpms
- 781. http://www.uvnc.com/addons/singleclick.html
- 782. http://www.karlrunge.com/x11vnc/index.html#faq-macosx
- 783. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-ssl
- 784. http://stunnel.mirt.net/
- 785. http://www.samba.org/
- 786. http://www.karlrunge.com/x11vnc/ssvnc.html
- 787. http://www.cups.org/
- 788. http://www.karlrunge.com/x11vnc/ssvnc.html
+ 778. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-users
+ 779. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-ultrafilexfer
+ 780. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-noultraext
+ 781. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-noserverdpms
+ 782. http://www.uvnc.com/addons/singleclick.html
+ 783. http://www.karlrunge.com/x11vnc/index.html#faq-macosx
+ 784. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-ssl
+ 785. http://stunnel.mirt.net/
+ 786. http://www.samba.org/
+ 787. http://www.karlrunge.com/x11vnc/ssvnc.html
+ 788. http://www.cups.org/
789. http://www.karlrunge.com/x11vnc/ssvnc.html
- 790. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-nobell
- 791. http://www.karlrunge.com/x11vnc/index.html#faq-sound
+ 790. http://www.karlrunge.com/x11vnc/ssvnc.html
+ 791. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-nobell
+ 792. http://www.karlrunge.com/x11vnc/index.html#faq-sound
=======================================================================
http://www.karlrunge.com/x11vnc/chainingssh.html:
@@ -11203,11 +11210,27 @@ Options:
per-client viewonly state the filetransfer permissions
will NOT change.
+ IMPORTANT: please understand if -tightfilexfer is
+ specified and you run x11vnc as root for, say, inetd
+ or display manager (gdm, kdm, ...) access and you do
+ not have it switch users via the -users option, then
+ VNC Viewers that connect are able to do filetransfer
+ reads and writes as *root*.
+
+ Also, tightfilexfer is disabled in -unixpw mode.
+
-ultrafilexfer Note: to enable UltraVNC filetransfer and to get it to
work you probably need to supply these libvncserver
options: "-rfbversion 3.6 -permitfiletransfer"
"-ultrafilexfer" is an alias for this combination.
+ IMPORTANT: please understand if -ultrafilexfer is
+ specified and you run x11vnc as root for, say, inetd
+ or display manager (gdm, kdm, ...) access and you do
+ not have it switch users via the -users option, then
+ VNC Viewers that connect are able to do filetransfer
+ reads and writes as *root*.
+
Note that sadly you cannot do both -tightfilexfer and
-ultrafilexfer at the same time because the latter
requires setting the version to 3.6 and tightvnc will
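Review bot: The -tightfilexfer text gains "Also, tightfilexfer is disabled in -unixpw mode." but the -ultrafilexfer warning added below it says nothing about -unixpw, while the FAQ text earlier in this file states that UltraVNC file transfer does work in that mode. Suggest adding a sentence to the -ultrafilexfer paragraph saying that -unixpw does not disable it, so the as-root caveat still applies there unless -users is given.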
@@ -12467,7 +12490,7 @@ Options:
character. E.g. "-users +bob" or "-users +nobody".
The latter (i.e. switching immediately to user
- "nobody") is probably the only use of this option
+ "nobody") is the only obvious use of the -users option
that increases security.
Use the following notation to associate a group with
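Review bot: The reworded sentence still says that switching to "nobody" is the only obvious use of -users that increases security, yet the IMPORTANT paragraphs added in this same patch point to -users as the way to keep file transfer from running as root. Suggest adjusting the sentence to mention that case so the two passages do not contradict each other.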
diff --git a/x11vnc/connections.c b/x11vnc/connections.c
index 3a31f5f..b26c790 100644
--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -676,6 +676,7 @@ void client_gone(rfbClientPtr client) {
screen->permitFileTransfer = unixpw_file_xfer_save;
if ((tightfilexfer = unixpw_tightvnc_xfer_save)) {
#ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER
+ rfbLog("rfbRegisterTightVNCFileTransferExtension: 3\n");
rfbRegisterTightVNCFileTransferExtension();
#endif
}
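Review bot: The message "rfbRegisterTightVNCFileTransferExtension: 3" in client_gone() is a function name followed by a bare call-site number, which tells someone reading the log nothing without the source at hand. The tags across this patch are also not contiguous (the Register call sites shown are 1, 2, 3, 4 and 6). Suggest naming the caller and the reason instead, e.g. "client_gone: restoring saved -tightfilexfer setting".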
@@ -2220,6 +2221,7 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
unixpw_tightvnc_xfer_save = tightfilexfer;
tightfilexfer = 0;
#ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER
+ rfbLog("rfbUnregisterTightVNCFileTransferExtension: 1\n");
rfbUnregisterTightVNCFileTransferExtension();
#endif
diff --git a/x11vnc/help.c b/x11vnc/help.c
index b465773..77ea6de 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -360,11 +360,27 @@ void print_help(int mode) {
" per-client viewonly state the filetransfer permissions\n"
" will NOT change.\n"
"\n"
+" IMPORTANT: please understand if -tightfilexfer is\n"
+" specified and you run x11vnc as root for, say, inetd\n"
+" or display manager (gdm, kdm, ...) access and you do\n"
+" not have it switch users via the -users option, then\n"
+" VNC Viewers that connect are able to do filetransfer\n"
+" reads and writes as *root*.\n"
+"\n"
+" Also, tightfilexfer is disabled in -unixpw mode.\n"
+"\n"
"-ultrafilexfer Note: to enable UltraVNC filetransfer and to get it to\n"
" work you probably need to supply these libvncserver\n"
" options: \"-rfbversion 3.6 -permitfiletransfer\"\n"
" \"-ultrafilexfer\" is an alias for this combination.\n"
"\n"
+" IMPORTANT: please understand if -ultrafilexfer is\n"
+" specified and you run x11vnc as root for, say, inetd\n"
+" or display manager (gdm, kdm, ...) access and you do\n"
+" not have it switch users via the -users option, then\n"
+" VNC Viewers that connect are able to do filetransfer\n"
+" reads and writes as *root*.\n"
+"\n"
" Note that sadly you cannot do both -tightfilexfer and\n"
" -ultrafilexfer at the same time because the latter\n"
" requires setting the version to 3.6 and tightvnc will\n"
@@ -1643,7 +1659,7 @@ void print_help(int mode) {
" character. E.g. \"-users +bob\" or \"-users +nobody\".\n"
"\n"
" The latter (i.e. switching immediately to user\n"
-" \"nobody\") is probably the only use of this option\n"
+" \"nobody\") is the only obvious use of the -users option\n"
" that increases security.\n"
"\n"
" Use the following notation to associate a group with\n"
diff --git a/x11vnc/remote.c b/x11vnc/remote.c
index e2631a8..08455e4 100644
--- a/x11vnc/remote.c
+++ b/x11vnc/remote.c
@@ -1274,6 +1274,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
if (! tightfilexfer) {
rfbLog("remote_cmd: enabling -tightfilexfer for *NEW* clients.\n");
tightfilexfer = 1;
+ rfbLog("rfbRegisterTightVNCFileTransferExtension: 4\n");
rfbRegisterTightVNCFileTransferExtension();
}
#else
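Review bot: In the enable branch the added rfbLog directly follows an existing line that already reports "remote_cmd: enabling -tightfilexfer for *NEW* clients.", so each remote-control toggle now writes two log lines for one event. Suggest dropping the new line here (and the matching one in the disable branch) or folding the call-site tag into the existing message.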
@@ -1289,6 +1290,7 @@ char *process_remote_cmd(char *cmd, int stringonly) {
if (tightfilexfer) {
rfbLog("remote_cmd: disabling -tightfilexfer for *NEW* clients.\n");
tightfilexfer = 0;
+ rfbLog("rfbUnregisterTightVNCFileTransferExtension: 2\n");
rfbUnregisterTightVNCFileTransferExtension();
}
#else
diff --git a/x11vnc/sslhelper.c b/x11vnc/sslhelper.c
index 36aeb8d..035c423 100644
--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -1852,7 +1852,7 @@ if (db) fprintf(stderr, "iface: %s\n", iface);
certret_str = NULL;
}
if (0 && certret_str) {
- fprintf(stderr, "certret_str[%d]:\n%s\n", sbuf.st_size, certret_str);
+ fprintf(stderr, "certret_str[%d]:\n%s\n", (int) sbuf.st_size, certret_str);
}
}
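Review bot: The (int) cast on sbuf.st_size silences the format warning but truncates on platforms where the size type is wider than int. Since the block is guarded by "if (0 && certret_str)" it never runs, so either delete it or print with "%ld" and a (long) cast so the output is right if someone re-enables it.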
diff --git a/x11vnc/unixpw.c b/x11vnc/unixpw.c
index d28cba2..c4a08b9 100644
--- a/x11vnc/unixpw.c
+++ b/x11vnc/unixpw.c
@@ -1554,8 +1554,9 @@ void unixpw_accept(char *user) {
unixpw_in_progress = 0;
screen->permitFileTransfer = unixpw_file_xfer_save;
if ((tightfilexfer = unixpw_tightvnc_xfer_save)) {
- /* this doesn't work the current client is never registered */
+ /* this doesn't work: the current client is never registered! */
#ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER
+ rfbLog("rfbRegisterTightVNCFileTransferExtension: 1\n");
rfbRegisterTightVNCFileTransferExtension();
#endif
}
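Review bot: In unixpw_accept() the comment says this registration does not work because the current client is never registered, but the new rfbLog line reports the call as if it took effect. Someone reading the log after a -unixpw login could conclude that file transfer was re-enabled for that client. Suggest having the message say that it does not apply to the client that just logged in, or turning the comment into a FIXME that states what is needed to make it work.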
@@ -1602,6 +1603,7 @@ void unixpw_deny(void) {
screen->permitFileTransfer = unixpw_file_xfer_save;
if ((tightfilexfer = unixpw_tightvnc_xfer_save)) {
#ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER
+ rfbLog("rfbRegisterTightVNCFileTransferExtension: 2\n");
rfbRegisterTightVNCFileTransferExtension();
#endif
}
diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1
index 462a9a7..f0b09ef 100644
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -422,6 +422,15 @@ viewonly cannot transfer files. However, if the remote
control mechanism is used to change the global or
per-client viewonly state the filetransfer permissions
will NOT change.
+.IP
+IMPORTANT: please understand if \fB-tightfilexfer\fR is
+specified and you run x11vnc as root for, say, inetd
+or display manager (gdm, kdm, ...) access and you do
+not have it switch users via the \fB-users\fR option, then
+VNC Viewers that connect are able to do filetransfer
+reads and writes as *root*.
+.IP
+Also, tightfilexfer is disabled in \fB-unixpw\fR mode.
.PP
\fB-ultrafilexfer\fR
.IP
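Review bot: "*root*" in the added .IP paragraph uses plain-text asterisks for emphasis, while the option names in the same paragraph use \fB...\fR. The asterisks print literally in rendered man output; suggest \fBroot\fR so the emphasis survives formatting. "tightfilexfer" in the next added paragraph is also missing its leading dash and bold markup, unlike \fB-unixpw\fR beside it.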
@@ -430,6 +439,13 @@ work you probably need to supply these libvncserver
options: "\fB-rfbversion\fR \fI3.6 \fB-permitfiletransfer\fR"\fR
"\fB-ultrafilexfer\fR" is an alias for this combination.
.IP
+IMPORTANT: please understand if \fB-ultrafilexfer\fR is
+specified and you run x11vnc as root for, say, inetd
+or display manager (gdm, kdm, ...) access and you do
+not have it switch users via the \fB-users\fR option, then
+VNC Viewers that connect are able to do filetransfer
+reads and writes as *root*.
+.IP
Note that sadly you cannot do both \fB-tightfilexfer\fR and
\fB-ultrafilexfer\fR at the same time because the latter
requires setting the version to 3.6 and tightvnc will
@@ -1866,7 +1882,7 @@ can be reopened prefix the username with the "+"
character. E.g. "\fB-users\fR \fI+bob\fR" or "\fB-users\fR \fI+nobody\fR".
.IP
The latter (i.e. switching immediately to user
-"nobody") is probably the only use of this option
+"nobody") is the only obvious use of the \fB-users\fR option
that increases security.
.IP
Use the following notation to associate a group with
diff --git a/x11vnc/x11vnc.c b/x11vnc/x11vnc.c
index b9abaf3..7c8f0ce 100644
--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@@ -3227,8 +3227,10 @@ int main(int argc, char* argv[]) {
#ifdef LIBVNCSERVER_WITH_TIGHTVNC_FILETRANSFER
if (tightfilexfer) {
+ rfbLog("rfbRegisterTightVNCFileTransferExtension: 6\n");
rfbRegisterTightVNCFileTransferExtension();
} else {
+ rfbLog("rfbUnregisterTightVNCFileTransferExtension: 3\n");
rfbUnregisterTightVNCFileTransferExtension();
}
#endif
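Review bot: Both branches in main() now log unconditionally, so every startup prints a line even when -tightfilexfer was never requested (the else branch). More useful at this point would be the check the new documentation describes: when tightfilexfer is set and the process is running as root with no -users option, log the same warning at startup so it reaches people who do not read the help text.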
diff --git a/x11vnc/xevents.c b/x11vnc/xevents.c
index 3126a56..3948949 100644
--- a/x11vnc/xevents.c
+++ b/x11vnc/xevents.c
@@ -1422,7 +1422,8 @@ int get_keyboard_led_state_hook(rfbScreenInfoPtr s) {
int get_file_transfer_permitted(rfbClientPtr cl) {
allowed_input_t input;
if (unixpw_in_progress) {
- rfbLog("get_file_transfer_permitted: unixpw_in_progress, skipping.\n");
+ rfbLog("get_file_transfer_permitted: unixpw_in_progress, dropping client.\n");
+ rfbCloseClient(cl);
return FALSE;
}
if (0) fprintf(stderr, "get_file_transfer_permitted called\n");
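Review bot: Adding rfbCloseClient(cl) in get_file_transfer_permitted() changes behaviour: a client that reaches this check while unixpw_in_progress is set is now disconnected rather than just refused, which the commit summary "filexfer warnings and messages" does not mention. Suggest noting the change in the commit message and in the -unixpw documentation, and including the client's host in the rfbLog line so the dropped connection can be identified.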