Description of problem:
-----------------------
It is desired to be able to control the VNC services in such a way as to only have the native VNC server exposed. Options are incorporated into the standard startup scripts to allow control over the X11 and java-vnc HTTP services getting exposed to the external interface (the X11 service will always be exposed to at least the loopback interface).

Version-Release number of selected component (if applicable):
RHAS

How reproducible:
Apply the attached patch, and decide what externally-facing daemons you want running for VNC services.

Steps to Reproduce:
N/A - normal operation of software

Actual results:
---------------
Specifying VNC arguments in /etc/sysconfig/vncservers one can decide to

Case I: Suppress invocation of the http vnc-java/5800-9 daemons/service
VNCSERVERARGS[1]="-nohttpd" ()

Case II: Suppress invocation of the X11/6000-9 listeners and vnc-java/5800-9
VNCSERVERARGS[1]="-nohttpd -nolisten tcp"

Expected results:
-----------------
One can confirm the server hardening is stricter when these options are used by searching for running VNC services on the first 10 screens via 'nmap -sT -p 5800-9,5900-9,6000-9'

Additional info:
Basically this patch does nothing but allow the user more flexibility to control the startup options to Xvnc in a better fashion than is currently done. The fix is for RHAS4/Fedora scripts.

Patch:
---------CUT------------ --- etc/sysconfig/vncservers.orig 2005-03-28 02:15:49.000000000 -0800 +++ etc/sysconfig/vncservers 2005-06-21 10:55:41.148852591 -0700
@@ -11,3 +11,23 @@ # VNCSERVERS="1:myusername" # VNCSERVERARGS[1]="-geometry 800x600" + +# Supress invokation of the X11 listener in Xvnc +# via '-nolisten tcp'. This enforces no remote X connections attach +# to the Xvnc display window. (pass through arg to Xvnc) +# +# Supress invokation of the additional '-httpd' in Xvnc +# This prevents the use of web-based clients, +# but still allows use of native VNC clients.(arg to vncservers) +# +# VNCSERVERARGS[1]="-nohttpd -nolisten tcp" + +# Setup to allow receipt of screens, but drop vnc-http/5800-9 + +# VNCSERVERS="1:user1 2:user2 3:user3 4:user4 5:user5" +# VNCSERVERARGS[1]="-nohttpd" +# VNCSERVERARGS[2]="-nohttpd" +# VNCSERVERARGS[3]="-nohttpd" +# VNCSERVERARGS[4]="-nohttpd" +# VNCSERVERARGS[5]="-nohttpd" + --- usr/bin/vncserver.orig 2005-06-21 18:24:53.317270919 -0700 +++ usr/bin/vncserver 2005-06-21 18:24:50.155746724 -0700 @@ -58,6 +58,7 @@ # Check command line options &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1, + "-nohttpd",0, "-help",0,"-h",0,"--help",0); &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'}); @@ -78,6 +79,12 @@ if ($opt{'-pixelformat'}) { $pixelformat = $opt{'-pixelformat'}; } +if ($opt{'-nohttpd'}) { + $nohttpd = 1; + } +else { + $nohttpd = 0; +} &CheckGeometryAndDepth(); @@ -135,7 +142,7 @@ $cmd = "Xvnc :$displayNumber"; $cmd .= " -desktop " . "edString($desktopName); -$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles); +$cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles && ! $nohttpd); $cmd .= " -auth $xauthorityFile"; $cmd .= " -geometry $geometry" if ($geometry); $cmd .= " -depth $depth" if ($depth); @@ -411,7 +418,7 @@ sub Usage { - die("\nusage: $prog [:<number>] [-name <desktop-name>] [-depth <depth>] \n". + die("\nusage: $prog [:<number>] [-nohttpd] [-name <desktop-name>] [-depth <depth>]\n". " [-geometry <width>x<height>]\n". " [-pixelformat rgbNNN|bgrNNN]\n". " <Xvnc-options>...\n\n". -----------------CUT-------------------
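Review bot: the two new comment blocks in the etc/sysconfig/vncservers hunk both misspell their first words ("Supress invokation"); use "Suppress invocation". The first block's sentence "This enforces no remote X connections attach to the Xvnc display window" is also ungrammatical; "This ensures that no remote X client can attach to the Xvnc display" reads better. The comments already make the key distinction that '-nolisten tcp' is passed through unchanged to Xvnc while '-nohttpd' is consumed by the vncserver script, so it is worth keeping both parentheticals.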
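Review bot: in the &ParseOptions hunk, registering "-nohttpd" with an argument count of 0 is what keeps the flag out of the leftover @ARGV that is appended to the Xvnc command line, so Xvnc never sees an option it does not understand; that behaviour is correct. Style only: the new entry sits alone on a continuation line between the one-argument options and the zero-argument help flags; putting it on the same line as "-help",0,"-h",0,"--help",0 groups the zero-argument flags together.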
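Review bot: the six-line if/else that sets $nohttpd collapses to one statement, `$nohttpd = $opt{'-nohttpd'} ? 1 : 0;`, matching the single-test style used for -pixelformat just above it; as written the closing brace of the if branch is indented one space and the `else {` is not, which stands out against the rest of the script.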
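Review bot: gating only the `-httpd $vncJavaFiles` argument with `&& ! $nohttpd` leaves $vncJavaFiles set, so anything else in the script that tests that variable still behaves as if the Java viewer were being served; clearing it at the point the option is parsed, `undef $vncJavaFiles if ($opt{'-nohttpd'});`, would let the existing `if ($vncJavaFiles)` test cover both cases without a second flag. Either way only the 5800+N HTTP listener is withheld; the native RFB port on 5900+N is untouched, which is what the description asks for.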
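Review bot: the Usage hunk lists [-nohttpd] but nothing in the help text says what it suppresses, and the companion hardening flag '-nolisten tcp' from the sysconfig comments only reaches Xvnc through the `<Xvnc-options>...` catch-all; add one line to the usage such as "-nohttpd: do not start the Java-viewer HTTP server (port 5800+N)" and note that unrecognised options, including -nolisten tcp, are passed through to Xvnc.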
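To check the two hardening profiles from the report locally rather than with a remote nmap scan, here is an added example in POSIX shell; it is not part of the bug report or of the patch. It classifies the three per-display listeners from `ss -ltn` output using the port layout the report gives (5900+N native RFB, 5800+N Java-viewer HTTP, 6000+N X11 over TCP). Assumptions: the `ss` snapshot below is constructed, not captured from a host; a loopback-only X11 listener is treated as acceptable, following the report's remark that X11 stays on the loopback interface at minimum; the function names are the example's own.

```shell
#!/bin/sh
# Added example: classify the per-display VNC listeners from `ss -ltn` output.
# Ports per display N (as in the report): 5900+N native RFB, 5800+N Java-viewer
# HTTP (started by -httpd), 6000+N X11 over TCP (removed by -nolisten tcp).

# Constructed `ss -ltn` snapshot (assumption: not captured from a real host).
# display 1: unhardened; display 2: -nohttpd, X11 on loopback only;
# display 3: -nohttpd -nolisten tcp; display 4: no server running.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      0.0.0.0:5901        0.0.0.0:*
LISTEN 0      5      0.0.0.0:5801        0.0.0.0:*
LISTEN 0      5      0.0.0.0:6001        0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902        0.0.0.0:*
LISTEN 0      5      127.0.0.1:6002      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5903        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# port_state PORT   (ss -ltn output on stdin)
# Prints "external" if any listener on PORT is bound to a wildcard or
# non-loopback address, "loopback" if bound only to 127.x / ::1, else "closed".
port_state() {
    want=$1
    state=closed
    while read -r st _rq _sq laddr _rest; do
        [ "$st" = LISTEN ] || continue
        port=${laddr##*:}          # text after the last ':' is the port
        [ "$port" = "$want" ] || continue
        addr=${laddr%:*}           # everything before it is the address
        case $addr in
            127.*|"[::1]"|"[::ffff:127."*)
                [ "$state" = external ] || state=loopback ;;
            *)  state=external ;;
        esac
    done
    echo "$state"
}

# vnc_audit DISPLAY   (ss -ltn output on stdin)
# Prints one summary line and returns 0 only for the hardened profile:
# RFB listening, no HTTP listener, X11 TCP absent or loopback-only.
vnc_audit() {
    n=$1
    snap=$(cat)
    vnc=$(printf '%s\n' "$snap" | port_state $((5900 + $n)))
    http=$(printf '%s\n' "$snap" | port_state $((5800 + $n)))
    x11=$(printf '%s\n' "$snap" | port_state $((6000 + $n)))
    echo "display $n: vnc=$vnc http=$http x11=$x11"
    if [ "$vnc" != closed ] && [ "$http" = closed ] && [ "$x11" != external ]; then
        return 0
    fi
    return 1
}

# Stand-alone demo over the constructed snapshot; on a real host run
#   ss -ltn | vnc_audit 1
for d in 1 2 3 4; do
    printf '%s\n' "$SAMPLE_SS" | vnc_audit "$d" || echo "  -> display $d is NOT hardened"
done
```

Run against the constructed snapshot, display 1 is reported with all three listeners external (neither option given), display 2 passes because only the HTTP listener is gone and X11 is loopback-only, display 3 passes with both gone, and display 4 fails because no RFB listener exists at all. The remote cross-check is the report's own `nmap -sT -p 5800-9,5900-9,6000-9 host`, which should agree with the local verdict for every display except loopback-only X11 ports, which nmap from another host cannot see.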
Created attachment 115791: TGZ patch file (diff -u) for altering VNC scripts. Complete fix for the RFE.