2233204 – Regression: PlainUsers can't be set to "$USER" in /etc/tigervnc/vncserver-config-defaults

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2233204 - Regression: PlainUsers can't be set to "$USER" in /etc/tigervnc/vncserver-config-defaults

Summary: Regression: PlainUsers can't be set to "$USER" in /etc/tigervnc/vncserver-con...

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	tigervnc
Sub Component:
Version:	8.8
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Grulich
QA Contact:	Radek Duda
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-21 17:15 UTC by Carlos Santos
Modified:	2023-09-16 11:47 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-09-16 11:47:33 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)
Proposed patch to fix this issue (757 bytes, patch) 2023-08-29 09:11 UTC, Jan Grulich	no flags	Details \| Diff
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Github	TigerVNC tigervnc pull 1664	None	open	vncserver: recognize environment variables in configuration files	2023-08-31 02:05:42 UTC
Red Hat Issue Tracker	RHEL-4258	None	Migrated	None	2023-09-16 11:47:23 UTC
Red Hat Issue Tracker	RHELPLAN-166095	None	None	None	2023-08-21 17:21:12 UTC

Description Carlos Santos 2023-08-21 17:15:27 UTC

Description of problem:

On RHEL 7 and later, it is possible to use PAM authentication by following
the instructions in solution 7028399:

    How to use PAM authentication with Virtual Network Computing (VNC) on
    Red Hat Enterprise Linux
    https://access.redhat.com/solutions/7028399

On RHEL 7 (tigervnc 1.8.0), it is possible to enable PAM only for the user who
owns the Xvnc process by adding this to /etc/tigervnc/vncserver-config-defaults:

    SecurityTypes="TLSPlain"
    PlainUsers="$USER"

On RHEL 8 and later, however, this does not work.

Version-Release number of selected component (if applicable):

tigervnc-server-1.12.0-15.el8_8.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Follow the instructions to configure the VNC service but skip the step to
   set a VNC password for the user:

   - For RHEL 7, refer to https://access.redhat.com/solutions/966063
   - For RHEL 8.3 and later, refer to section 5.3 of the Using the desktop
     environment in RHEL 8 guide.
   - For RHEL 9, refer to chapter 9 of the Getting started with the GNOME
     desktop environment guide.

2. Ensure that a vnc PAM service exists:

   # test -f /etc/pam.d/vnc || ln -s login /etc/pam.d/vnc

3. Enable PAM authentication only for the user who is running Xvnc by adding
   these lines to /etc/tigervnc/vncserver-config-defaults:

   SecurityTypes="TLSPlain"
   PlainUsers="$USER"

   Notice that on RHEL 7 it is necessary to create the /etc/tigervnc/
   directory first, since i does not exist by default:

   # mkdir -p /etc/tigervnc/

4. Start the VNC service:

   # systemctl start vncserver@:1.service

5. Check if the configuration worked:

   # ps aux| fgrep Xvnc | grep -v -e grep -e xinit

Actual results:

   vncuser1    7398  0.1  1.9 284652 72912 ?        S    13:56   0:00 /usr/bin/Xvnc :1 -plainusers "$USER" -securitytypes "TLSPlain" -auth /home/vncuser1/.Xauthority -desktop rhel-8-2.example.com:1 (vncuser1) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/vncuser1/.vnc/passwd -rfbport 5901

Expected results:

Same result seen on RHEL 7:

vncuser1  7688  0.3  1.9 218336 36252 ?        Sl   13:57   0:00 /usr/bin/Xvnc :1 -plainusers vncuser1 -securitytypes TLSPlain -auth /home/vncuser1/.Xauthority -desktop rhel-7-2.example.com:1 (vncuser1) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/vncuser1/.vnc/passwd -rfbport 5901 -rfbwait 30000

Additional info:

The problem happens because on RHEL 7 the service uses the "vncserver" script,
which expands environment variables in the configuration files, while on RHEL 8
the service uses "vncsession", which does not recognize environment variables
in configuration files.

A simple workaround on RHEL 8 is to use

   PlainUsers=*

but this creates a security vulnerability, since it allows any user to have
access to the VNC session, not only the owner of the "Xvnc" process.

Another workaround is to create a ~/.vnc/config containing

   PlainUsers=<actual-user-name>

but this is inconvenient, since it requires the system administrator to log
in as each vnc user to create the configuration file.

Comment 2 Jan Grulich 2023-08-24 05:49:30 UTC

Thank you for the patch. I did not have time to look into this issue yet, but to me this doesn't look like a regression. The variable expansion is to my eyes an unintended behavior, it doesn't seem to be like a feature someone intentionally implemented, therefore the upstream didn't really do anything to implement such behavior when transitioning to the new systemd way of starting Tigervnc. Also, this will always expand to the same user starting the session, right? You already have to add this user to "/etc/tigervnc/vncserver.users" config file so you can also add this user to the list of "PlainUsers" in the main config file. Lastly, we didn't drop the "vncserver" script so you can keep using it as before.

Comment 3 Carlos Santos 2023-08-24 14:17:06 UTC

(In reply to Jan Grulich from comment #2)
> You already have to add this user to > "/etc/tigervnc/vncserver.users"
> config file so you can also add this user to > the list of "PlainUsers"
> in the main config file

Yes, but supposing that /etc/tigervnc/vncserver.users contains something
like this:

    :1=vncuser1
    :2=vncuser2

Then vncserver-config-defaults would need to contain this:

    SecurityTypes=TLSPlain
    PlainUsers=vncuser1,vncuser2

So all Xvnc instances would be invoked as

    /usr/bin/Xvnc :1 -plainusers vncuser1,vncuser2 ...
    /usr/bin/Xvnc :2 -plainusers vncuser1,vncuser2

thus permitting vncuser1 to access :2 and vncuser2 to access :1, which is
a security breach.

> Lastly, we didn't drop the "vncserver" script so you can keep using it
> as before.

Sure, but it requires a custom vncserver@.service and a vncserver wrapper like
those used on RHEL 7. This leads to a solution that is incompatible with the
documented setup.

Comment 4 Carlos Santos 2023-08-24 17:18:10 UTC

After additional reviewing I found that the actual cause of the problem is the
way /usr/bin/vncserver and /usr/libexec/vncserver (invoked by vncsession)
execute Xvnc:

    system("$cmd & echo \$! >$pidFile"); 

versus

    exec(@cmd);

In the former, expansion of environment variable, quoting and globbing will be
performed by the shell, while in the second they will not. So as an additional
disadvantage, setting a parameter in a config file as

    PlainUsers="vncuser1,vncuser2"

will pass this to Xvnc

    -plainusers "vncuser1,vncuser2"

This is the actual regression.

Comment 5 Jan Grulich 2023-08-29 09:11:06 UTC

Created attachment 1985799 [details]
Proposed patch to fix this issue

Hi, I tried to write a solution for your issue, however, I'm not really an expert in Perl so what I wrote might be most likely simplified. Anyway, can you try the attached patch and see if it fixes your issue?

Comment 6 Carlos Santos 2023-08-29 20:49:33 UTC

Created attachment 1985946 [details]
Patch to expand all environment variables when loading the configuration files

If you prefer to solve it in vncserver then I suggest you to use something
like this, instead, which is much simpler.

Comment 7 Jan Grulich 2023-08-30 05:36:26 UTC

(In reply to Carlos Santos from comment #6)
> Created attachment 1985946 [details]
> Patch to expand all environment variables when loading the configuration
> files
> 
> If you prefer to solve it in vncserver 

I feel like fixing it here is more versatile.

> then I suggest you to use something like this, instead, which is much simpler.

Won't this result into passing an empty option in case the env variable is not set? Not that I can think of a case where someone would do that, but I was trying not to break any other potential use-case. But you are right that doing this in LoadConfig() makes more sense.

Comment 8 Carlos Santos 2023-08-30 11:31:10 UTC

(In reply to Jan Grulich from comment #7)
> (In reply to Carlos Santos from comment #6)
> > Created attachment 1985946 [details]
> > Patch to expand all environment variables when loading the configuration
> > files
> > 
> > If you prefer to solve it in vncserver 
> 
> I feel like fixing it here is more versatile.
> 
> > then I suggest you to use something like this, instead, which is much simpler.
> 
> Won't this result into passing an empty option in case the env variable is
> not set? Not that I can think of a case where someone would do that, but I
> was trying not to break any other potential use-case. But you are right that
> doing this in LoadConfig() makes more sense.

We should not try to guess what the user wants to do, so I prefer to assume
that $FOO means "use the FOO environment variable, if any".

Comment 9 Jan Grulich 2023-08-30 12:29:53 UTC

Do you want to propose your suggested change to upstream or should I do it? Anyway, this is something we can for sure fix in RHEL 8.10 and RHEL 9.4.

Comment 10 Carlos Santos 2023-08-30 17:18:08 UTC

I will submit a PR upstream.

Comment 11 Carlos Santos 2023-08-31 02:05:42 UTC

Done: https://github.com/TigerVNC/tigervnc/pull/1664

Comment 12 Jan Grulich 2023-08-31 13:30:56 UTC

(In reply to Carlos Santos from comment #11)
> Done: https://github.com/TigerVNC/tigervnc/pull/1664

Thank you. I will wait for upstream response in case there are more things to add before backporting this to RHEL.

Comment 15 RHEL Program Management 2023-09-16 11:45:00 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 16 RHEL Program Management 2023-09-16 11:47:33 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Note You need to log in before you can comment on or make changes to this bug.