Bug 161288

Summary: init.d VNC startup Security Enhancement - Control over X11/6000-9 vnc-java/5800-9 network bindings
Product: Fedora
Reporter: System V. Unix <sysv>
Component: vnc
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: rawhide
CC: sysv
Hardware: All   
OS: Linux   
Fixed In Version: 4.1.1-16
Doc Type: Bug Fix
Last Closed: 2005-08-11 11:30:50 UTC
Bug Blocks: 150221    
Attachments: TGZ Patch file (diff -u) for altering VNC scripts. Complete fix for the RFE (flags: none)

Description System V. Unix 2005-06-22 02:31:35 UTC
Description of problem:
-----------------------
It is desired to be able to control the VNC services in such a way as to only 
have the native VNC server exposed. Options are incorporated into the standard 
startup scripts to allow control over the X11 and java-vnc HTTP services 
getting exposed to the external interface (The X11 service will always be 
exposed to at least the loopback interface).

Version-Release number of selected component (if applicable):
RHAS

How reproducible:
Apply the attached patch, and decide which externally-facing daemons you want 
running for VNC services.

Steps to Reproduce:
N/A - normal operation of software
  
Actual results:
---------------
Specifying VNC arguments in /etc/sysconfig/vncservers one can decide to 

Case I: Suppresses invocation of http vnc-java/5800-9 daemons/service
VNCSERVERARGS[1]="-nohttpd"

Case II: Suppress invocation of X11/6000-9 listeners and vnc-java/5800-9
VNCSERVERARGS[1]="-nohttpd -nolisten tcp"

Expected results:
-----------------
One can confirm the server hardening is stricter when these options are used 
by searching for running VNC services on the first 10 screens via

'nmap -sT -p 5800-9,5900-9,6000-9'


Additional info:
Basically this patch does nothing but allow the user more flexibility to 
control the startup options to Xvnc in a better fashion than is currently done. 
The fix is for RHAS4/Fedora scripts. 

Patch:
---------CUT------------
--- etc/sysconfig/vncservers.orig	2005-03-28 02:15:49.000000000 -0800
+++ etc/sysconfig/vncservers	2005-06-21 10:55:41.148852591 -0700
@@ -11,3 +11,23 @@
 
 # VNCSERVERS="1:myusername"
 # VNCSERVERARGS[1]="-geometry 800x600"
+
+# Supress invokation of the X11 listener in Xvnc
+# via '-nolisten tcp'. This enforces no remote X connections attach
+# to the Xvnc display window. (pass through arg to Xvnc)
+# 
+# Supress invokation of the additional '-httpd' in Xvnc
+# This prevents the use of web-based clients,
+# but still allows use of native VNC clients.(arg to vncservers)
+#
+# VNCSERVERARGS[1]="-nohttpd -nolisten tcp"
+
+# Setup to allow receipt of screens, but drop vnc-http/5800-9
+
+# VNCSERVERS="1:user1 2:user2 3:user3 4:user4 5:user5"
+# VNCSERVERARGS[1]="-nohttpd"
+# VNCSERVERARGS[2]="-nohttpd"
+# VNCSERVERARGS[3]="-nohttpd"
+# VNCSERVERARGS[4]="-nohttpd"
+# VNCSERVERARGS[5]="-nohttpd"
+
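Review bot: the new comment block is user-facing documentation in /etc/sysconfig/vncservers, so the spelling should be fixed before it ships: "Supress invokation" appears twice and should read "Suppress invocation". It would also help to state explicitly that "-nohttpd" is consumed by the vncserver wrapper script while "-nolisten tcp" is passed through unchanged to Xvnc, so readers know why one option can be combined with any other Xvnc option and the other cannot be seen by Xvnc at all.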
--- usr/bin/vncserver.orig	2005-06-21 18:24:53.317270919 -0700
+++ usr/bin/vncserver	2005-06-21 18:24:50.155746724 -0700
@@ -58,6 +58,7 @@
 # Check command line options
 
 &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
+              "-nohttpd",0,
 	      "-help",0,"-h",0,"--help",0);
 
 &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
@@ -78,6 +79,12 @@
 if ($opt{'-pixelformat'}) {
     $pixelformat = $opt{'-pixelformat'};
 }
+if ($opt{'-nohttpd'}) {
+    $nohttpd = 1;
+  }
+else {
+    $nohttpd = 0;
+}
 
 &CheckGeometryAndDepth();
 
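Review bot: the closing brace of the if branch is indented by two spaces while the rest of the file uses column zero for braces; beyond the style point, the four-line if/else can be collapsed to a single `$nohttpd = $opt{'-nohttpd'} ? 1 : 0;`, which keeps the explicit default of 0 that the later `! $nohttpd` test relies on.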
@@ -135,7 +142,7 @@
 
 $cmd = "Xvnc :$displayNumber";
 $cmd .= " -desktop " . &quotedString($desktopName);
-$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles);
+$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles && ! $nohttpd);
 $cmd .= " -auth $xauthorityFile";
 $cmd .= " -geometry $geometry" if ($geometry);
 $cmd .= " -depth $depth" if ($depth);
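Review bot: this condition only drops the "-httpd" argument, so the change affects the vnc-java HTTP listener on 5800+N and nothing else; the X11 TCP listener on 6000+N described in the report is still controlled solely by the "-nolisten tcp" passthrough from the sysconfig example, and a comment here saying so would stop a future reader from assuming "-nohttpd" hardens both. Also, `!$nohttpd` without the space matches the rest of the script's style.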
@@ -411,7 +418,7 @@
 
 sub Usage
 {
-    die("\nusage: $prog [:<number>] [-name <desktop-name>] [-depth <depth>]
\n".
+    die("\nusage: $prog [:<number>] [-nohttpd] [-name <desktop-name>] [-depth 
<depth>]\n".
 	"                 [-geometry <width>x<height>]\n".
 	"                 [-pixelformat rgbNNN|bgrNNN]\n".
 	"                 <Xvnc-options>...\n\n".
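Review bot: the two replaced die() lines appear wrapped in the pasted patch ("[-depth" on one line and "<depth>]\n". on the next); if that wrapping is in the attached diff rather than an artefact of pasting, the context will fail to apply and the Perl string literal will be split across lines, so confirm the attachment keeps each die() line intact. The usage text now advertises "-nohttpd", but nothing in this patch updates the vncserver(1) man page, which should document the option as well.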
-----------------CUT-------------------
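As an added example (not part of this report, the attached patch, or the vnc package), a POSIX shell check that reads a vncservers sysconfig file in the format above and lists the TCP ports each display is expected to expose after the patch, so the result of the suggested nmap scan can be compared against the configuration; the sample configuration, user names and observed-port list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/vncservers (not taken from a real host).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# VNCSERVERS="1:myusername"
VNCSERVERS="1:alice 2:bob 3:carol"
VNCSERVERARGS[1]="-geometry 800x600"
VNCSERVERARGS[2]="-nohttpd"
VNCSERVERARGS[3]="-nohttpd -nolisten tcp"
EOF

# Print "display user ports" for each configured display, where ports are the
# TCP listeners the patched vncserver wrapper is expected to open:
#   5900+N  RFB (native VNC client)   always
#   5800+N  vnc-java HTTP listener    unless -nohttpd is set for that display
#   6000+N  X11 listener              unless -nolisten tcp is set for that display
# The file is parsed with sed rather than sourced, so no shell code in it runs.
vnc_expected_ports() {
    conf=$1
    servers=$(sed -n 's/^[[:space:]]*VNCSERVERS="\(.*\)"/\1/p' "$conf")
    for entry in $servers; do
        n=${entry%%:*}
        user=${entry#*:}
        args=$(sed -n "s/^[[:space:]]*VNCSERVERARGS\[$n\]=\"\(.*\)\"/\1/p" "$conf")
        ports=$((5900 + n))
        case " $args " in *" -nohttpd "*) ;; *) ports="$ports,$((5800 + n))" ;; esac
        case " $args " in *" -nolisten tcp "*) ;; *) ports="$ports,$((6000 + n))" ;; esac
        echo "$n $user $ports"
    done
}

# Given a comma-separated list of ports observed open (e.g. copied from the
# nmap -sT -p 5800-9,5900-9,6000-9 scan), print every port that the
# configuration says should not be listening.
vnc_unexpected_open() {
    conf=$1
    observed=$2
    expected=$(vnc_expected_ports "$conf" | awk '{print $3}' | tr ',' '\n')
    for p in $(echo "$observed" | tr ',' ' '); do
        echo "$expected" | grep -qx "$p" || echo "$p"
    done
}

vnc_expected_ports "$SAMPLE_CONF"
# A constructed scan result in which display 2's HTTP port is still open:
vnc_unexpected_open "$SAMPLE_CONF" "5901,5801,6001,5902,5802,5903"
```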

Comment 1 System V. Unix 2005-06-22 02:31:36 UTC
Created attachment 115791 [details]
TGZ Patch file (diff -u) for altering VNC scripts. Complete fix for the RFE