From 8f09de712b53e54d15d2bd5367c10a61c57cda23 Mon Sep 17 00:00:00 2001

From: Jan Grulich <jgrulich@redhat.com>

Date: Wed, 6 May 2020 10:37:21 +0200

Subject: Foo

diff --git a/CMakeLists.txt b/CMakeLists.txt

index 2d19b72..78eb93d 100644

--- a/CMakeLists.txt

+++ b/CMakeLists.txt

@@ -7,6 +7,10 @@ if(POLICY CMP0022)

   cmake_policy(SET CMP0022 OLD)

 endif()

+if(${CMAKE_VERSION} VERSION_LESS "3.4.0")

+  message(WARNING "CMake 3.4.0 or newer is required to get correct default installation paths")

+endif()

+

 # Internal cmake modules

 set(CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/cmake/Modules)

@@ -27,17 +31,16 @@ set(VERSION 1.10.1)

 set(RCVERSION 1,10,1,0)

 # Installation paths

-set(BIN_DIR "${CMAKE_INSTALL_PREFIX}/bin")

-set(DATA_DIR "${CMAKE_INSTALL_PREFIX}/share")

-set(MAN_DIR "${DATA_DIR}/man")

-set(LOCALE_DIR "${DATA_DIR}/locale")

-set(DOC_DIR "${CMAKE_INSTALL_PREFIX}/share/doc/${CMAKE_PROJECT_NAME}-${VERSION}")

-

-if(WIN32)

-set(BIN_DIR "${CMAKE_INSTALL_PREFIX}")

-set(DOC_DIR "${CMAKE_INSTALL_PREFIX}")

+include(GNUInstallDirs)

+set(CMAKE_INSTALL_UNITDIR "lib/systemd/system" CACHE PATH "systemd unit files (lib/systemd/system)")

+if(IS_ABSOLUTE "${CMAKE_INSTALL_UNITDIR}")

+  set(CMAKE_INSTALL_FULL_UNITDIR "${CMAKE_INSTALL_UNITDIR}")

+else()

+  set(CMAKE_INSTALL_FULL_UNITDIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_UNITDIR}")

 endif()

+option(INSTALL_SYSTEMD_UNITS "Install TigerVNC systemd units" ON)

+

 if(MSVC)

   message(FATAL_ERROR "TigerVNC cannot be built with Visual Studio.  Please use MinGW")

 endif()

@@ -259,8 +262,7 @@ if(ENABLE_GNUTLS)

 endif()

 # Check for PAM library

-option(ENABLE_PAM "Enable PAM authentication support" ON)

-if(ENABLE_PAM)

+if(UNIX AND NOT APPLE)

   check_include_files(security/pam_appl.h HAVE_PAM_H)

   set(CMAKE_REQUIRED_LIBRARIES -lpam)

   check_function_exists(pam_start HAVE_PAM_START)

@@ -268,10 +270,9 @@ if(ENABLE_PAM)

   if(HAVE_PAM_H AND HAVE_PAM_START)

     set(PAM_LIBS pam)

   else()

-    set(ENABLE_PAM 0)

+    message(FATAL_ERROR "Could not find PAM development files")

   endif()

 endif()

-set(HAVE_PAM ${ENABLE_PAM})

 # Generate config.h and make sure the source finds it

 configure_file(config.h.in config.h)

diff --git a/cmake/BuildPackages.cmake b/cmake/BuildPackages.cmake

index ec96318..1f25192 100644

--- a/cmake/BuildPackages.cmake

+++ b/cmake/BuildPackages.cmake

@@ -86,5 +86,5 @@ endif() #UNIX

 # Common

 #

-install(FILES ${CMAKE_SOURCE_DIR}/LICENCE.TXT DESTINATION ${DOC_DIR})

-install(FILES ${CMAKE_SOURCE_DIR}/README.rst DESTINATION ${DOC_DIR})

+install(FILES ${CMAKE_SOURCE_DIR}/LICENCE.TXT DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})

+install(FILES ${CMAKE_SOURCE_DIR}/README.rst DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})

diff --git a/cmake/StaticBuild.cmake b/cmake/StaticBuild.cmake

index e539619..793b190 100644

--- a/cmake/StaticBuild.cmake

+++ b/cmake/StaticBuild.cmake

@@ -115,7 +115,7 @@ endif()

 if(BUILD_STATIC_GCC)

   # This ensures that we don't depend on libstdc++ or libgcc_s

   set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -nodefaultlibs")

-  set(STATIC_BASE_LIBRARIES "-Wl,-Bstatic -lstdc++ -Wl,-Bdynamic")

+  set(STATIC_BASE_LIBRARIES "")

   if(ENABLE_ASAN AND NOT WIN32 AND NOT APPLE)

     set(STATIC_BASE_LIBRARIES "${STATIC_BASE_LIBRARIES} -Wl,-Bstatic -lasan -Wl,-Bdynamic -ldl -lm -lpthread")

   endif()

@@ -135,5 +135,6 @@ if(BUILD_STATIC_GCC)

   else()

     set(STATIC_BASE_LIBRARIES "${STATIC_BASE_LIBRARIES} -lgcc -lgcc_eh -lc")

   endif()

-  set(CMAKE_CXX_LINK_EXECUTABLE "${CMAKE_CXX_LINK_EXECUTABLE} ${STATIC_BASE_LIBRARIES}")

+  set(CMAKE_C_LINK_EXECUTABLE "${CMAKE_C_LINK_EXECUTABLE} ${STATIC_BASE_LIBRARIES}")

+  set(CMAKE_CXX_LINK_EXECUTABLE "${CMAKE_CXX_LINK_EXECUTABLE} -Wl,-Bstatic -lstdc++ -Wl,-Bdynamic ${STATIC_BASE_LIBRARIES}")

 endif()

diff --git a/common/rfb/CMakeLists.txt b/common/rfb/CMakeLists.txt

index 8e532a2..689cdcc 100644

--- a/common/rfb/CMakeLists.txt

+++ b/common/rfb/CMakeLists.txt

@@ -75,7 +75,7 @@ endif(WIN32)

 set(RFB_LIBRARIES ${JPEG_LIBRARIES} os rdr Xregion)

-if(HAVE_PAM)

+if(UNIX AND NOT APPLE)

   set(RFB_SOURCES ${RFB_SOURCES} UnixPasswordValidator.cxx

     UnixPasswordValidator.h pam.c pam.h)

   set(RFB_LIBRARIES ${RFB_LIBRARIES} ${PAM_LIBS})

diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx

index 6f72432..f577c0d 100644

--- a/common/rfb/SSecurityPlain.cxx

+++ b/common/rfb/SSecurityPlain.cxx

@@ -25,10 +25,10 @@

 #include <rfb/SConnection.h>

 #include <rfb/Exception.h>

 #include <rdr/InStream.h>

-#ifdef HAVE_PAM

+#if !defined(WIN32) && !defined(__APPLE__)

 #include <rfb/UnixPasswordValidator.h>

 #endif

-#ifdef BUILD_WIN

+#ifdef WIN32

 #include <rfb/WinPasswdValidator.h>

 #endif

@@ -62,10 +62,10 @@ bool PasswordValidator::validUser(const char* username)

 SSecurityPlain::SSecurityPlain(SConnection* sc) : SSecurity(sc)

 {

-#ifdef HAVE_PAM

-  valid = new UnixPasswordValidator();

-#elif BUILD_WIN

+#ifdef WIN32

   valid = new WinPasswdValidator();

+#elif !defined(__APPLE__)

+  valid = new UnixPasswordValidator();

 #else

   valid = NULL;

 #endif

diff --git a/common/rfb/UnixPasswordValidator.cxx b/common/rfb/UnixPasswordValidator.cxx

index d096079..ee7bc0d 100644

--- a/common/rfb/UnixPasswordValidator.cxx

+++ b/common/rfb/UnixPasswordValidator.cxx

@@ -25,9 +25,7 @@

 #include <rfb/Configuration.h>

 #include <rfb/Exception.h>

 #include <rfb/UnixPasswordValidator.h>

-#ifdef HAVE_PAM

 #include <rfb/pam.h>

-#endif

 using namespace rfb;

@@ -43,10 +41,6 @@ bool UnixPasswordValidator::validateInternal(SConnection * sc,

 					     const char *username,

 					     const char *password)

 {

-#ifdef HAVE_PAM

   CharArray service(strDup(pamService.getData()));

   return do_pam_auth(service.buf, username, password);

-#else

-  throw AuthFailureException("PAM not supported");

-#endif

 }

diff --git a/common/rfb/pam.c b/common/rfb/pam.c

index cb067fd..acac0f4 100644

--- a/common/rfb/pam.c

+++ b/common/rfb/pam.c

@@ -22,9 +22,6 @@

 #include <config.h>

 #endif

-#ifndef HAVE_PAM

-#error "This source should not be compiled when PAM is unsupported"

-#endif

 #include <stdlib.h>

 #include <string.h>

diff --git a/common/rfb/pam.h b/common/rfb/pam.h

index 2688f21..d378d19 100644

--- a/common/rfb/pam.h

+++ b/common/rfb/pam.h

@@ -21,14 +21,6 @@

 #ifndef __RFB_PAM_H__

 #define __RFB_PAM_H__

-#ifdef HAVE_CONFIG_H

-#include <config.h>

-#endif

-

-#ifndef HAVE_PAM

-#error "This header should not be included when PAM is unsupported"

-#endif

-

 #ifdef __cplusplus

 extern "C" {

 #endif

diff --git a/config.h.in b/config.h.in

index 2d6db9c..2d7a741 100644

--- a/config.h.in

+++ b/config.h.in

@@ -4,10 +4,10 @@

 #cmakedefine HAVE_ACTIVE_DESKTOP_H

 #cmakedefine HAVE_ACTIVE_DESKTOP_L

 #cmakedefine ENABLE_NLS 1

-#cmakedefine HAVE_PAM

-#cmakedefine DATA_DIR "@DATA_DIR@"

-#cmakedefine LOCALE_DIR "@LOCALE_DIR@"

+#cmakedefine CMAKE_INSTALL_FULL_LIBEXECDIR "@CMAKE_INSTALL_FULL_LIBEXECDIR@"

+#cmakedefine CMAKE_INSTALL_FULL_DATADIR "@CMAKE_INSTALL_FULL_DATADIR@"

+#cmakedefine CMAKE_INSTALL_FULL_LOCALEDIR "@CMAKE_INSTALL_FULL_LOCALEDIR@"

 /* MS Visual Studio 2008 and newer doesn't know ssize_t */

 #if defined(HAVE_GNUTLS) && defined(WIN32) && !defined(__MINGW32__)

diff --git a/java/CMakeLists.txt b/java/CMakeLists.txt

index f61e355..77ec21b 100644

--- a/java/CMakeLists.txt

+++ b/java/CMakeLists.txt

@@ -7,8 +7,6 @@ endif()

 find_package(Java)

-set(DATA_DIR "${CMAKE_INSTALL_PREFIX}/share")

-

 set(DEFAULT_JAVACFLAGS "-source 8 -target 8 -encoding UTF-8 -Xlint:all,-serial,-cast,-unchecked,-fallthrough,-dep-ann,-deprecation,-rawtypes")

 set(JAVACFLAGS ${DEFAULT_JAVACFLAGS} CACHE STRING

   "Java compiler flags (Default: ${DEFAULT_JAVACFLAGS})")

diff --git a/media/CMakeLists.txt b/media/CMakeLists.txt

index 256d435..088c72f 100644

--- a/media/CMakeLists.txt

+++ b/media/CMakeLists.txt

@@ -13,11 +13,11 @@ if(CONVERT_EXECUTABLE)

   if(UNIX AND NOT APPLE)

     foreach(SIZE 16 22 24 32 48)

       install(FILES icons/tigervnc_${SIZE}.png

-        DESTINATION ${DATA_DIR}/icons/hicolor/${SIZE}x${SIZE}/apps

+        DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${SIZE}x${SIZE}/apps

         RENAME tigervnc.png)

     endforeach()

     install(FILES icons/tigervnc.svg

-      DESTINATION ${DATA_DIR}/icons/hicolor/scalable/apps)

+      DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/scalable/apps)

   endif()

 endif()

diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt

index 9c8ddef..2eb10e7 100644

--- a/po/CMakeLists.txt

+++ b/po/CMakeLists.txt

@@ -46,7 +46,7 @@ foreach(lang ${po_FILES})

   )

   install(FILES ${mo}

-    DESTINATION "${LOCALE_DIR}/${lang}/LC_MESSAGES"

+    DESTINATION "${CMAKE_INSTALL_FULL_LOCALEDIR}/${lang}/LC_MESSAGES"

     RENAME tigervnc.mo

   )

diff --git a/unix/CMakeLists.txt b/unix/CMakeLists.txt

index 7a1457d..5456e00 100644

--- a/unix/CMakeLists.txt

+++ b/unix/CMakeLists.txt

@@ -2,7 +2,5 @@ add_subdirectory(tx)

 add_subdirectory(common)

 add_subdirectory(vncconfig)

 add_subdirectory(vncpasswd)

+add_subdirectory(vncserver)

 add_subdirectory(x0vncserver)

-

-install(PROGRAMS vncserver DESTINATION ${BIN_DIR})

-install(FILES vncserver.man DESTINATION ${MAN_DIR}/man1 RENAME vncserver.1)

diff --git a/unix/vncconfig/CMakeLists.txt b/unix/vncconfig/CMakeLists.txt

index 959681f..c3823ab 100644

--- a/unix/vncconfig/CMakeLists.txt

+++ b/unix/vncconfig/CMakeLists.txt

@@ -11,5 +11,5 @@ add_executable(vncconfig

 target_link_libraries(vncconfig tx rfb network rdr ${X11_LIBRARIES})

-install(TARGETS vncconfig DESTINATION ${BIN_DIR})

-install(FILES vncconfig.man DESTINATION ${MAN_DIR}/man1 RENAME vncconfig.1)

+install(TARGETS vncconfig DESTINATION ${CMAKE_INSTALL_FULL_BINDIR})

+install(FILES vncconfig.man DESTINATION ${CMAKE_INSTALL_FULL_MANDIR}/man1 RENAME vncconfig.1)

diff --git a/unix/vncconfig/vncconfig.man b/unix/vncconfig/vncconfig.man

index b685a46..ed9ddda 100644

--- a/unix/vncconfig/vncconfig.man

+++ b/unix/vncconfig/vncconfig.man

@@ -111,8 +111,8 @@ When run as a "helper" app, make the window iconified at startup.

 .SH SEE ALSO

 .BR vncpasswd (1),

 .BR vncviewer (1),

-.BR vncserver (1),

-.BR Xvnc (1)

+.BR Xvnc (1),

+.BR vncsession (8)

 .br

 https://www.tigervnc.org

diff --git a/unix/vncpasswd/CMakeLists.txt b/unix/vncpasswd/CMakeLists.txt

index a04ed0b..9f716fa 100644

--- a/unix/vncpasswd/CMakeLists.txt

+++ b/unix/vncpasswd/CMakeLists.txt

@@ -5,5 +5,5 @@ add_executable(vncpasswd

 target_link_libraries(vncpasswd tx rfb os)

-install(TARGETS vncpasswd DESTINATION ${BIN_DIR})

-install(FILES vncpasswd.man DESTINATION ${MAN_DIR}/man1 RENAME vncpasswd.1)

+install(TARGETS vncpasswd DESTINATION ${CMAKE_INSTALL_FULL_BINDIR})

+install(FILES vncpasswd.man DESTINATION ${CMAKE_INSTALL_FULL_MANDIR}/man1 RENAME vncpasswd.1)

diff --git a/unix/vncpasswd/vncpasswd.man b/unix/vncpasswd/vncpasswd.man

index 9e68181..c70a425 100644

--- a/unix/vncpasswd/vncpasswd.man

+++ b/unix/vncpasswd/vncpasswd.man

@@ -43,9 +43,9 @@ Default location of the VNC password file.

 .SH SEE ALSO

 .BR vncviewer (1),

-.BR vncserver (1),

 .BR Xvnc (1)

 .BR vncconfig (1),

+.BR vncsession (8)

 .br

 https://www.tigervnc.org

diff --git a/unix/vncserver.man b/unix/vncserver.man

deleted file mode 100644

index 95f7960..0000000

--- a/unix/vncserver.man

+++ /dev/null

@@ -1,204 +0,0 @@

-.TH vncserver 1 "" "TigerVNC" "Virtual Network Computing"

-.SH NAME

-vncserver \- start or stop a VNC server

-.SH SYNOPSIS

-.B vncserver

-.RI [: display# ]

-.RB [ \-name

-.IR desktop-name ]

-.RB [ \-geometry

-.IR width x height ]

-.RB [ \-depth

-.IR depth ]

-.RB [ \-pixelformat

-.IR format ]

-.RB [ \-fp

-.IR font-path ]

-.RB [ \-fg ]

-.RB [ \-autokill ]

-.RB [ \-noxstartup ]

-.RB [ \-xstartup 

-.IR script ]

-.RI [ Xvnc-options... ]

-.br

-.BI "vncserver \-kill :" display#

-.br

-.BI "vncserver \-list"

-.SH DESCRIPTION

-.B vncserver

-is used to start a VNC (Virtual Network Computing) desktop.

-.B vncserver

-is a Perl script which simplifies the process of starting an Xvnc server.  It

-runs Xvnc with appropriate options and starts a window manager on the VNC

-desktop.

-

-.B vncserver

-can be run with no options at all. In this case it will choose the first

-available display number (usually :1), start Xvnc with that display number,

-and start the default window manager in the Xvnc session.  You can also

-specify the display number, in which case vncserver will attempt to start

-Xvnc with that display number and exit if the display number is not

-available.  For example:

-

-.RS

-vncserver :13

-.RE

-

-Editing the file $HOME/.vnc/xstartup allows you to change the applications run

-at startup (but note that this will not affect an existing VNC session.)

-

-.SH OPTIONS

-You can get a list of options by passing \fB\-h\fP as an option to vncserver.

-In addition to the options listed below, any unrecognised options will be

-passed to Xvnc - see the Xvnc man page, or "Xvnc \-help", for details.

-

-.TP

-.B \-name \fIdesktop-name\fP

-Each VNC desktop has a name which may be displayed by the viewer. The desktop

-name defaults to "\fIhost\fP:\fIdisplay#\fP (\fIusername\fP)", but you can

-change it with this option.  The desktop name option is passed to the xstartup

-script via the $VNCDESKTOP environment variable, which allows you to run a

-different set of applications depending on the name of the desktop.

-.

-.TP

-.B \-geometry \fIwidth\fPx\fIheight\fP

-Specify the size of the VNC desktop to be created. Default is 1024x768. 

-.

-.TP

-.B \-depth \fIdepth\fP

-Specify the pixel depth (in bits) of the VNC desktop to be created. Default is

-24.  Other possible values are 8, 15 and 16 - anything else is likely to cause

-strange behaviour by applications.

-.

-.TP

-.B \-pixelformat \fIformat\fP

-Specify pixel format for Xvnc to use (BGRnnn or RGBnnn).  The default for

-depth 8 is BGR233 (meaning the most significant two bits represent blue, the

-next three green, and the least significant three represent red), the default

-for depth 16 is RGB565, and the default for depth 24 is RGB888.

-.

-.TP

-.B \-cc 3

-As an alternative to the default TrueColor visual, this allows you to run an

-Xvnc server with a PseudoColor visual (i.e. one which uses a color map or

-palette), which can be useful for running some old X applications which only

-work on such a display.  Values other than 3 (PseudoColor) and 4 (TrueColor)

-for the \-cc option may result in strange behaviour, and PseudoColor desktops

-must have an 8-bit depth.

-.

-.TP

-.B \-kill :\fIdisplay#\fP

-This kills a VNC desktop previously started with vncserver.  It does this by

-killing the Xvnc process, whose process ID is stored in the file

-"$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid".  The

-.B \-kill

-option ignores anything preceding the first colon (":") in the display

-argument.  Thus, you can invoke "vncserver \-kill $DISPLAY", for example at the

-end of your xstartup file after a particular application exits.

-.

-.TP

-.B \-fp \fIfont-path\fP

-If the vncserver script detects that the X Font Server (XFS) is running, it

-will attempt to start Xvnc and configure Xvnc to use XFS for font handling.

-Otherwise, if XFS is not running, the vncserver script will attempt to start

-Xvnc and allow Xvnc to use its own preferred method of font handling (which may

-be a hard-coded font path or, on more recent systems, a font catalog.)  In

-any case, if Xvnc fails to start, the vncserver script will then attempt to

-determine an appropriate X font path for this system and start Xvnc using

-that font path.

-

-The

-.B \-fp

-argument allows you to override the above fallback logic and specify a font

-path for Xvnc to use.

-.

-.TP

-.B \-fg

-Runs Xvnc as a foreground process.  This has two effects: (1) The VNC server

-can be aborted with CTRL-C, and (2) the VNC server will exit as soon as the

-user logs out of the window manager in the VNC session.  This may be necessary

-when launching TigerVNC from within certain grid computing environments.

-.

-.TP

-.B \-autokill

-Automatically kill Xvnc whenever the xstartup script exits.  In most cases,

-this has the effect of terminating Xvnc when the user logs out of the window

-manager.

-.

-.TP

-.B \-noxstartup

-Do not run the %HOME/.vnc/xstartup script after launching Xvnc.  This

-option allows you to manually start a window manager in your TigerVNC session.

-.

-.TP

-.B \-xstartup \fIscript\fP

-Run a custom startup script, instead of %HOME/.vnc/xstartup, after launching

-Xvnc. This is useful to run full-screen applications.

-.

-.TP

-.B \-list

-Lists all VNC desktops started by vncserver.

-

-.SH FILES

-Several VNC-related files are found in the directory $HOME/.vnc:

-.TP

-$HOME/.vnc/xstartup

-A shell script specifying X applications to be run when a VNC desktop is

-started.  If this file does not exist, then vncserver will create a default

-xstartup script which attempts to launch your chosen window manager.

-.TP

-/etc/tigervnc/vncserver-config-defaults

-The optional system-wide equivalent of $HOME/.vnc/config. If this file exists

-and defines options to be passed to Xvnc, they will be used as defaults for

-users. The user's $HOME/.vnc/config overrides settings configured in this file.

-The overall configuration file load order is: this file, $HOME/.vnc/config,

-and then /etc/tigervnc/vncserver-config-mandatory. None are required to exist.

-.TP

-/etc/tigervnc/vncserver-config-mandatory

-The optional system-wide equivalent of $HOME/.vnc/config. If this file exists

-and defines options to be passed to Xvnc, they will override any of the same

-options defined in a user's $HOME/.vnc/config. This file offers a mechanism

-to establish some basic form of system-wide policy. WARNING! There is

-nothing stopping users from constructing their own vncserver-like script

-that calls Xvnc directly to bypass any options defined in

-/etc/tigervnc/vncserver-config-mandatory.  Likewise, any CLI arguments passed

-to vncserver will override ANY config file setting of the same name. The

-overall configuration file load order is:

-/etc/tigervnc/vncserver-config-defaults, $HOME/.vnc/config, and then this file.

-None are required to exist.

-.TP

-$HOME/.vnc/config

-An optional server config file wherein options to be passed to Xvnc are listed

-to avoid hard-coding them to the physical invocation. List options in this file

-one per line. For those requiring an argument, simply separate the option from

-the argument with an equal sign, for example: "geometry=2000x1200" or

-"securitytypes=vncauth,tlsvnc". Options without an argument are simply listed

-as a single word, for example: "localhost" or "alwaysshared".

-.TP

-$HOME/.vnc/passwd

-The VNC password file.

-.TP

-$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.log

-The log file for Xvnc and applications started in xstartup.

-.TP

-$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid

-Identifies the Xvnc process ID, used by the

-.B \-kill

-option.

-

-.SH SEE ALSO

-.BR vncviewer (1),

-.BR vncpasswd (1),

-.BR vncconfig (1),

-.BR Xvnc (1)

-.br

-https://www.tigervnc.org

-

-.SH AUTHOR

-Tristan Richardson, RealVNC Ltd., D. R. Commander and others.

-

-VNC was originally developed by the RealVNC team while at Olivetti

-Research Ltd / AT&T Laboratories Cambridge.  TightVNC additions were

-implemented by Constantin Kaplinsky. Many other people have since

-participated in development, testing and support. This manual is part

-of the TigerVNC software suite.

diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt

new file mode 100644

index 0000000..eeb4b7b

--- /dev/null

+++ b/unix/vncserver/CMakeLists.txt

@@ -0,0 +1,20 @@

+add_executable(vncsession vncsession.c)

+target_link_libraries(vncsession ${PAM_LIBS})

+

+configure_file(vncserver@.service.in vncserver@.service @ONLY)

+configure_file(vncsession-start.in vncsession-start @ONLY)

+configure_file(vncserver.in vncserver @ONLY)

+

+install(TARGETS vncsession DESTINATION ${CMAKE_INSTALL_FULL_SBINDIR})

+install(FILES tigervnc.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME tigervnc)

+install(FILES vncsession.man DESTINATION ${CMAKE_INSTALL_FULL_MANDIR}/man8 RENAME vncsession.8)

+install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncserver DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})

+install(FILES vncserver.man DESTINATION ${CMAKE_INSTALL_FULL_MANDIR}/man8 RENAME vncserver.8)

+install(FILES vncserver-config-defaults vncserver-config-mandatory DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/tigervnc)

+

+install(FILES vncserver.users DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/tigervnc)

+

+if(INSTALL_SYSTEMD_UNITS)

+  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})

+  install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})

+endif()

diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile

new file mode 100644

index 0000000..904a2d5

--- /dev/null

+++ b/unix/vncserver/selinux/Makefile

@@ -0,0 +1,24 @@

+# SELinux module for TigerVNC's vncsession

+#

+# This will install the policy module, but not load it. To apply

+# it you should also run:

+#

+#     sudo semodule -i /usr/share/selinux/packages/vncsession.pp

+#     sudo restorecon /usr/sbin/vncsession /usr/libexec/vncsession-start

+#

+

+PREFIX=/usr

+DATADIR=$(PREFIX)/share

+

+all: vncsession.pp

+

+%.pp: %.te

+	make -f $(DATADIR)/selinux/devel/Makefile $@

+

+clean:

+	rm -f *.pp

+	rm -rf tmp

+

+install: vncsession.pp

+	mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages

+	install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp 

diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc

new file mode 100644

index 0000000..121cdd2

--- /dev/null

+++ b/unix/vncserver/selinux/vncsession.fc

@@ -0,0 +1,26 @@

+#

+#  Copyright 2018 Pierre Ossman for Cendio AB

+#

+#  This is free software; you can redistribute it and/or modify

+#  it under the terms of the GNU General Public License as published by

+#  the Free Software Foundation; either version 2 of the License, or

+#  (at your option) any later version.

+#

+#  This software is distributed in the hope that it will be useful,

+#  but WITHOUT ANY WARRANTY; without even the implied warranty of

+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+#  GNU General Public License for more details.

+#

+#  You should have received a copy of the GNU General Public License

+#  along with this software; if not, write to the Free Software

+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

+#  USA.

+#

+

+HOME_DIR/\.vnc(/.*)?      gen_context(system_u:object_r:xdm_home_t,s0)

+HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:xdm_home_t,s0)

+

+/usr/sbin/vncsession			--	gen_context(system_u:object_r:vnc_session_exec_t,s0)

+/usr/libexec/vncsession-start		--	gen_context(system_u:object_r:vnc_session_exec_t,s0)

+

+/var/run/vncsession-:[0-9]*\.pid	--      gen_context(system_u:object_r:vnc_session_var_run_t,s0)

diff --git a/unix/vncserver/selinux/vncsession.if b/unix/vncserver/selinux/vncsession.if

new file mode 100644

index 0000000..3eb6a30

--- /dev/null

+++ b/unix/vncserver/selinux/vncsession.if

@@ -0,0 +1 @@

+## <summary></summary>

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te

new file mode 100644

index 0000000..941f28d

--- /dev/null

+++ b/unix/vncserver/selinux/vncsession.te

@@ -0,0 +1,67 @@

+#

+#  Copyright 2018-2020 Pierre Ossman for Cendio AB

+#

+#  This is free software; you can redistribute it and/or modify

+#  it under the terms of the GNU General Public License as published by

+#  the Free Software Foundation; either version 2 of the License, or

+#  (at your option) any later version.

+#

+#  This software is distributed in the hope that it will be useful,

+#  but WITHOUT ANY WARRANTY; without even the implied warranty of

+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+#  GNU General Public License for more details.

+#

+#  You should have received a copy of the GNU General Public License

+#  along with this software; if not, write to the Free Software

+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

+#  USA.

+#

+

+policy_module(vncsession, 1.0.0);

+

+gen_require(`

+    type unconfined_t;

+    type xdm_home_t;

+')

+

+type vnc_session_exec_t;

+corecmd_executable_file(vnc_session_exec_t)

+type vnc_session_t;

+init_daemon_domain(vnc_session_t, vnc_session_exec_t)

+auth_login_pgm_domain(vnc_session_t)

+

+type vnc_session_var_run_t;

+files_pid_file(vnc_session_var_run_t)

+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;

+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)

+

+auth_write_login_records(vnc_session_t)

+

+can_exec(vnc_session_t, vnc_session_exec_t)

+

+userdom_spec_domtrans_all_users(vnc_session_t)

+userdom_signal_all_users(vnc_session_t)

+

+allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };

+allow vnc_session_t self:process { getcap setsched setexec setrlimit };

+allow vnc_session_t self:fifo_file rw_fifo_file_perms;

+

+manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)

+manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)

+manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)

+manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)

+

+userdom_user_home_dir_filetrans(unconfined_t, xdm_home_t, dir, ".vnc")

+userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")

+

+userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")

+userdom_admin_home_dir_filetrans(unconfined_t, xdm_home_t, dir, ".vnc")

+

+miscfiles_read_localization(vnc_session_t)

+

+kernel_read_kernel_sysctls(vnc_session_t)

+

+logging_append_all_logs(vnc_session_t)

+

+mcs_process_set_categories(vnc_session_t)

+mcs_killall(vnc_session_t)

diff --git a/unix/vncserver/tigervnc.pam b/unix/vncserver/tigervnc.pam

new file mode 100644

index 0000000..0f4cb3a

--- /dev/null

+++ b/unix/vncserver/tigervnc.pam

@@ -0,0 +1,11 @@

+#%PAM-1.0

+# pam_selinux.so close should be the first session rule