Bug 2233204
| Summary: | Regression: PlainUsers can't be set to "$USER" in /etc/tigervnc/vncserver-config-defaults | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Carlos Santos <casantos> | ||||
| Component: | tigervnc | Assignee: | Jan Grulich <jgrulich> | ||||
| Status: | CLOSED MIGRATED | QA Contact: | Radek Duda <rduda> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 8.8 | CC: | casantos, desktop-qa-list, jgrulich | ||||
| Target Milestone: | rc | Keywords: | MigratedToJIRA | ||||
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2023-09-16 11:47:33 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Thank you for the patch. I did not have time to look into this issue yet, but to me this doesn't look like a regression. The variable expansion is to my eyes an unintended behavior, it doesn't seem to be like a feature someone intentionally implemented, therefore the upstream didn't really do anything to implement such behavior when transitioning to the new systemd way of starting Tigervnc. Also, this will always expand to the same user starting the session, right? You already have to add this user to "/etc/tigervnc/vncserver.users" config file so you can also add this user to the list of "PlainUsers" in the main config file. Lastly, we didn't drop the "vncserver" script so you can keep using it as before. (In reply to Jan Grulich from comment #2) > You already have to add this user to > "/etc/tigervnc/vncserver.users" > config file so you can also add this user to > the list of "PlainUsers" > in the main config file Yes, but supposing that /etc/tigervnc/vncserver.users contains something like this: :1=vncuser1 :2=vncuser2 Then vncserver-config-defaults would need to contain this: SecurityTypes=TLSPlain PlainUsers=vncuser1,vncuser2 So all Xvnc instances would be invoked as /usr/bin/Xvnc :1 -plainusers vncuser1,vncuser2 ... /usr/bin/Xvnc :2 -plainusers vncuser1,vncuser2 thus permitting vncuser1 to access :2 and vncuser2 to access :1, which is a security breach. > Lastly, we didn't drop the "vncserver" script so you can keep using it > as before. Sure, but it requires a custom vncserver@.service and a vncserver wrapper like those used on RHEL 7. This leads to a solution that is incompatible with the documented setup. After additional reviewing I found that the actual cause of the problem is the
way /usr/bin/vncserver and /usr/libexec/vncserver (invoked by vncsession)
execute Xvnc:
system("$cmd & echo \$! >$pidFile");
versus
exec(@cmd);
In the former, expansion of environment variable, quoting and globbing will be
performed by the shell, while in the second they will not. So as an additional
disadvantage, setting a parameter in a config file as
PlainUsers="vncuser1,vncuser2"
will pass this to Xvnc
-plainusers "vncuser1,vncuser2"
This is the actual regression.
Created attachment 1985799 [details]
Proposed patch to fix this issue
Hi, I tried to write a solution for your issue, however, I'm not really an expert in Perl so what I wrote might be most likely simplified. Anyway, can you try the attached patch and see if it fixes your issue?
Created attachment 1985946 [details]
Patch to expand all environment variables when loading the configuration files
If you prefer to solve it in vncserver then I suggest you to use something
like this, instead, which is much simpler.
(In reply to Carlos Santos from comment #6) > Created attachment 1985946 [details] > Patch to expand all environment variables when loading the configuration > files > > If you prefer to solve it in vncserver I feel like fixing it here is more versatile. > then I suggest you to use something like this, instead, which is much simpler. Won't this result into passing an empty option in case the env variable is not set? Not that I can think of a case where someone would do that, but I was trying not to break any other potential use-case. But you are right that doing this in LoadConfig() makes more sense. (In reply to Jan Grulich from comment #7) > (In reply to Carlos Santos from comment #6) > > Created attachment 1985946 [details] > > Patch to expand all environment variables when loading the configuration > > files > > > > If you prefer to solve it in vncserver > > I feel like fixing it here is more versatile. > > > then I suggest you to use something like this, instead, which is much simpler. > > Won't this result into passing an empty option in case the env variable is > not set? Not that I can think of a case where someone would do that, but I > was trying not to break any other potential use-case. But you are right that > doing this in LoadConfig() makes more sense. We should not try to guess what the user wants to do, so I prefer to assume that $FOO means "use the FOO environment variable, if any". Do you want to propose your suggested change to upstream or should I do it? Anyway, this is something we can for sure fix in RHEL 8.10 and RHEL 9.4. I will submit a PR upstream. (In reply to Carlos Santos from comment #11) > Done: https://github.com/TigerVNC/tigervnc/pull/1664 Thank you. I will wait for upstream response in case there are more things to add before backporting this to RHEL. Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. |
Description of problem: On RHEL 7 and later, it is possible to use PAM authentication by following the instructions in solution 7028399: How to use PAM authentication with Virtual Network Computing (VNC) on Red Hat Enterprise Linux https://access.redhat.com/solutions/7028399 On RHEL 7 (tigervnc 1.8.0), it is possible to enable PAM only for the user who owns the Xvnc process by adding this to /etc/tigervnc/vncserver-config-defaults: SecurityTypes="TLSPlain" PlainUsers="$USER" On RHEL 8 and later, however, this does not work. Version-Release number of selected component (if applicable): tigervnc-server-1.12.0-15.el8_8.x86_64 How reproducible: Always Steps to Reproduce: 1. Follow the instructions to configure the VNC service but skip the step to set a VNC password for the user: - For RHEL 7, refer to https://access.redhat.com/solutions/966063 - For RHEL 8.3 and later, refer to section 5.3 of the Using the desktop environment in RHEL 8 guide. - For RHEL 9, refer to chapter 9 of the Getting started with the GNOME desktop environment guide. 2. Ensure that a vnc PAM service exists: # test -f /etc/pam.d/vnc || ln -s login /etc/pam.d/vnc 3. Enable PAM authentication only for the user who is running Xvnc by adding these lines to /etc/tigervnc/vncserver-config-defaults: SecurityTypes="TLSPlain" PlainUsers="$USER" Notice that on RHEL 7 it is necessary to create the /etc/tigervnc/ directory first, since i does not exist by default: # mkdir -p /etc/tigervnc/ 4. Start the VNC service: # systemctl start vncserver@:1.service 5. Check if the configuration worked: # ps aux| fgrep Xvnc | grep -v -e grep -e xinit Actual results: vncuser1 7398 0.1 1.9 284652 72912 ? S 13:56 0:00 /usr/bin/Xvnc :1 -plainusers "$USER" -securitytypes "TLSPlain" -auth /home/vncuser1/.Xauthority -desktop rhel-8-2.example.com:1 (vncuser1) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/vncuser1/.vnc/passwd -rfbport 5901 Expected results: Same result seen on RHEL 7: vncuser1 7688 0.3 1.9 218336 36252 ? Sl 13:57 0:00 /usr/bin/Xvnc :1 -plainusers vncuser1 -securitytypes TLSPlain -auth /home/vncuser1/.Xauthority -desktop rhel-7-2.example.com:1 (vncuser1) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/vncuser1/.vnc/passwd -rfbport 5901 -rfbwait 30000 Additional info: The problem happens because on RHEL 7 the service uses the "vncserver" script, which expands environment variables in the configuration files, while on RHEL 8 the service uses "vncsession", which does not recognize environment variables in configuration files. A simple workaround on RHEL 8 is to use PlainUsers=* but this creates a security vulnerability, since it allows any user to have access to the VNC session, not only the owner of the "Xvnc" process. Another workaround is to create a ~/.vnc/config containing PlainUsers=<actual-user-name> but this is inconvenient, since it requires the system administrator to log in as each vnc user to create the configuration file.