Bug 161288 - init.d VNC startup Security Enhancement - Control over X11/6000-9 vnc-java/5800-9 network bindings
init.d VNC startup Security Enhancement - Control over X11/6000-9 vnc-java/58...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: vnc (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
David Lawrence
:
Depends On:
Blocks: FC5Target
  Show dependency treegraph
 
Reported: 2005-06-21 22:31 EDT by System V. Unix
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 4.1.1-16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-08-11 07:30:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
TGZ Patch file (diff -u) for altering VNC scripts. Complete fix for the RFE (1.10 KB, patch)
2005-06-21 22:31 EDT, System V. Unix
no flags Details | Diff

  None (edit)
Description System V. Unix 2005-06-21 22:31:35 EDT
Description of problem:
-----------------------
It is desired to be able to control the VNC services in such a way to only 
have the native VNC server exposed. Options are incorporated into the standard 
startup scripts to allow control over the X11 and java-vnc HTTP services 
getting exposed to the external interface (The X11 service will always be 
exposed to at least the loopback interface).

Version-Release number of selected component (if applicable):
RHAS

How reproducible:
Apply attached patch, and decided what externally-facing daemons you want 
running for VNC services.

Steps to Reproduce:
N/A - normal operation of software
  
Actual results:
---------------
Specifying VNC arguments in /etc/sysconfig/vncservers one can decide to 

Case I: Supresses invokation of http vnc-java/5800-9 daemons/service
VNCSERVERARGS[1]="-nohttpd" ()

Case II: Supress invocation of X11/6000-9 listeners and vnc-java/5800-9
VNCSERVERARGS[1]="-nohttpd -nolisten tcp"

Expected results:
-----------------
Once can confirm the server hardening is stricter when these options are used 
by searching for running VNC services on the first 10 screens via

'nmap -sT -p 5800-9,5900-9,6000-9'


Additional info:
Basically this patch does nothing but allow the user more flexibility to 
control the startup options to Xvnc in a better fasion that is currently done. 
The fix is for RHAS4/Fedora scripts. 

Patch:
---------CUT------------
--- etc/sysconfig/vncservers.orig	2005-03-28 02:15:49.000000000 -0800
+++ etc/sysconfig/vncservers	2005-06-21 10:55:41.148852591 -0700
@@ -11,3 +11,23 @@
 
 # VNCSERVERS="1:myusername"
 # VNCSERVERARGS[1]="-geometry 800x600"
+
+# Supress invokation of the X11 listener in Xvnc
+# via '-nolisten tcp'. This enforces no remote X connections attach
+# to the Xvnc display window. (pass through arg to Xvnc)
+# 
+# Supress invokation of the additional '-httpd' in Xvnc
+# This prevents the use of web-based clients,
+# but still allows use of native VNC clients.(arg to vncservers)
+#
+# VNCSERVERARGS[1]="-nohttpd -nolisten tcp"
+
+# Setup to allow receipt of screens, but drop vnc-http/5800-9
+
+# VNCSERVERS="1:user1 2:user2 3:user3 4:user4 5:user5"
+# VNCSERVERARGS[1]="-nohttpd"
+# VNCSERVERARGS[2]="-nohttpd"
+# VNCSERVERARGS[3]="-nohttpd"
+# VNCSERVERARGS[4]="-nohttpd"
+# VNCSERVERARGS[5]="-nohttpd"
+
--- usr/bin/vncserver.orig	2005-06-21 18:24:53.317270919 -0700
+++ usr/bin/vncserver	2005-06-21 18:24:50.155746724 -0700
@@ -58,6 +58,7 @@
 # Check command line options
 
 &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
+              "-nohttpd",0,
 	      "-help",0,"-h",0,"--help",0);
 
 &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
@@ -78,6 +79,12 @@
 if ($opt{'-pixelformat'}) {
     $pixelformat = $opt{'-pixelformat'};
 }
+if ($opt{'-nohttpd'}) {
+    $nohttpd = 1;
+  }
+else {
+    $nohttpd = 0;
+}
 
 &CheckGeometryAndDepth();
 
@@ -135,7 +142,7 @@
 
 $cmd = "Xvnc :$displayNumber";
 $cmd .= " -desktop " . &quotedString($desktopName);
-$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles);
+$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles && ! $nohttpd);
 $cmd .= " -auth $xauthorityFile";
 $cmd .= " -geometry $geometry" if ($geometry);
 $cmd .= " -depth $depth" if ($depth);
@@ -411,7 +418,7 @@
 
 sub Usage
 {
-    die("\nusage: $prog [:<number>] [-name <desktop-name>] [-depth <depth>]
\n".
+    die("\nusage: $prog [:<number>] [-nohttpd] [-name <desktop-name>] [-depth 
<depth>]\n".
 	"                 [-geometry <width>x<height>]\n".
 	"                 [-pixelformat rgbNNN|bgrNNN]\n".
 	"                 <Xvnc-options>...\n\n".
-----------------CUT-------------------
Comment 1 System V. Unix 2005-06-21 22:31:36 EDT
Created attachment 115791 [details]
TGZ Patch file (diff -u) for altering VNC scripts. Complete fix for the RFE

Note You need to log in before you can comment on or make changes to this bug.